Hello I am currently trying to get a query pack to run every

Question

Hello I am currently trying to get a query pack to run every two minutes on my target machine When I run a single live query individually it works fine the data is seen And the individual query I ran is seen on the target machine the node key is okay the request is fine When I am trying to schedule a pack query the query field itself is seen as empty by the target machine I tried to troubleshoot with <https github com kolide fleet blob master docs infrastructure faq md troubleshooting> and noticed that when I live query `SELECT FROM osquery schedule`I dont get anything in return I tried to then find this however it seems to be empty on my machine I am unsure as to how to procede

zwass · Answer

Can you run your osquery client with ` verbose tls dump` and see what osquery is receiving My guess would be you are not targeting the pack query correctly

Scarlette · Answer

Of coarse Here it is below

Scarlette · Answer

So we have our osquery nodes set up to get the configs over tls But we have not been able to locate where to edit the API endpoint that pushes these config files out to the nodes Thus we haven t edited them to run any scheduled queries could this be our issue if so is there any guidance you can provide on how we should proceed Thanks Scar

Scarlette · Answer

we now believe that the issue is when the config file is grabbed with tls we get an error of error reading config cannot parse JSON Invalid value Offset 0 Since it cannot grab the config I believe it is not getting notified about the scheduled pack queries

seph · Answer

Sounds like the config isn t parsing yes I don t have context to help with what is happening

zwass · Answer

Can you get the logs from when osquery requests the config You re showing distributed read which is the live query functionality This is totally separate from scheduled queries