Hi guys, I try to figure out why on one of our workstations (windows 10, osquery 3.3.1) running of a scheduled query has stopped. The query is a part of kolide pack, it was scheduled multiple weeks ago and before yesterday was executed on that workstation as expected, and it's still running on other workstations as expected. Another query from the same pack is executed on the problematic workstation without any issues, as well as queries from a list of other packs. The same query I can run from kolide interface on that workstation and see that it returns a result. I would be thankful if you could share any pieces of advice which may help troubleshoot the issue.

if i was debugging this, i would look at the config that osquery was getting from kolide on that host, ensure the query is in the pack. then, if it was, i would validate that the query actually had new results to return on that host.

Thanks for the hint. Could you please also advice how I can check that at the osquery config. I see nothing related to my packs, any of them, in osquery.conf, neither in osquery\packs\ folder.

if you add

--tls_dump

to your osquery invocation, you can see everything that goes on the wire

thanks