Does anyone know of the capacity requirements of the Mysql DB? Particularly when we get to the 10s of thousands of osquery agents connected to the fleet cluster. How many reads/writes per second will the Mysql db need to perform?

It’s pretty low for my environments, but they’re for less than one hundred hosts. Typically 0rps and 2-3wps per host.

Awesome, thank you!! 0rps seems like, the DB is only used to register new hosts? Some amount of read activity needs to happen though?

Even for large number of hosts, it's hard to say. It will heavily depend on where you send results, if you're doing distributed queries, checkin frequency, etc. There's no one-size-fits-all answer

Thank @nyanshak. I thought only redis was used for distributed queries.

I don't know exactly how the distributed querying works, but I've seen that it basically sets fleet on fire, including the database. Redis is pretty chill about the whole affair though 🤷

interesting. Scheduled queries don't set fleet on fire? Why would distributed (I'm assuming distributed query = ad-hoc query) be any different?

So this also (I think) depends on your log output settings. In our env, we log to Kinesis, so scheduled query results don't hit fleet at all.

So you osquery agents log directly to kinesis, which reduces the load on the fleet servers?

MySQL is used to determine which queries need to run on a host. Redis is used to stream the results from horizontally scaled Fleet servers to the server communicating with the API/UI client. I'm in the middle of a big refactor that pushes a lot more work onto Redis and will be getting that out ASAP.

@zwass awesome, thank you! Any insight into how to separate Mysql nodes into read/write endpoints? Or is this something that should not be necessary?

I would expect this to no longer be necessary, but let's talk about it if it still is after the refactor.