I’m going to try the tip here to add the

SELECT * FROM time

query to a single pack and see if that works. https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#troubleshooting

So, result of my test there, getting the same number of hosts returning data here, 823, and if I run an adhoc query of

SELECT * FROM osquery_schedule

I get the same result. What could cause a query pack to fail to be scheduled by osquery on certain nodes?

CC @zwass and @Macear (hope you don’t mind, but I saw you added a ‘thumbs up’ to my original message 😄)

I did the targeting in the Pack itself though, not the Query as that seems to be only for running it on demand.

Query is this:

and this is the Pack:

In my case restart of osqueryd helps, but it’s very uncomfortable. I tested on centos6 (osquery installed).

So you would create the query pack, then restart the daemon, and from then on it will work fine with no need for further restarts?

without breaking the logging back to fleet I mean

then it will log requests and responses to stderr

ok great

I will give this a try tomorrow 👍

Ok so an update from my experimentation on this issue - with

--verbose

and

--tls_dump

in place I don’t see any particular errors, but nor do I see anything that mentions scheduled queries. I can see the distributed queries used for our labels coming in on the affected host, but it doesn’t appear to be receiving any packs to run on a schedule. I tried upgrading it from

4.3.0

to

4.4.0

and fully restarting it, but no joy sadly. I’m running Fleet version

2.6.0

. Any other suggestions will be greatly appreciated :)

I can add it explicitly if that’ll help?

Just verified, the shard parameter is not set.

Ideally, your queries should be in output included. Otherwise I advise you to create new issue

I’ll let it run overnight with the additional flag above and come back tomorrow. Thanks for the help so far!