Hi Folks -- I'm wondering where the results of the...
# kolidee
Erich Stoekl
03/27/2020, 10:09 PMHi Folks -- I'm wondering where the results of the ad-hoc queries from fleet end up.
For example, I have fleet machines A and B in a cluster, and 100 osquery agents are connected to this cluster. Osquery agents are configured to use the load balancer endpoint which the fleet machines sit behind. I'll assume 50% of the agents will be connected to A, and 50% connected to B. Do both fleet boxes A and B have the same logs of data from the queries run against the osquery agents? Or would each machine have a different set of logs?
👀 1
🍿 1
j
Just A Larry
03/27/2020, 10:18 PMCertainly not a definitive answer as I'm just a novice, but unless you configured fleet to forward logs to AWS, Pub/Sub, etc I would expect them to reside on the filesystem in the /tmp directory. Most likely appended to the file /tmp/osquery_result. I would also only expect to see the results from clients that connected to that cluster node ...but I could be completely mistaken about all of this.
Looking forward to seeing others responses.
👍 1
e
Erich Stoekl
03/27/2020, 10:45 PMThank you... this is what I assume as well. Maybe @zwass can weigh in? 🙂
z
zwass
03/27/2020, 10:59 PM
ad-hoc ("live") queries vs. scheduled queries are handled totally differently. Take a look at https://github.com/kolide/fleet/blob/master/docs/infrastructure/faq.md#where-are-my-query-results.
zwass
03/27/2020, 11:01 PM
For the live query client (fleetctl or UI) it is transparent that there are multiple Fleet servers. All the results are pushed through Redis so that the client sees every result.
zwass
03/27/2020, 11:02 PM
For scheduled queries, the logs go to the output plugin on the server that receives them. This means (if you are using the filesystem logger) that each server's filesystem holds a subset of the logs.
zwass
03/27/2020, 11:02 PM
Does this answer the question?
e
Erich Stoekl
03/27/2020, 11:06 PMMakes sense... thanks!