Thanks @packetzero - W.r.t. 1: The same token is used on all clients, so we have over 300 other clients successfully using the token, so this is ruled out. The GitHub issues would make sense if I was getting some results in (albeit late), but the two machines I mention above, we literally aren’t seeing anything… I’m wondering if this is due to another issue you may have contributed on:
04/17/2019, 3:35 PM
Look at the log files. Are there a ton of them with timestamps close together? This will indicate the watchdog killing the agent frequently due to watchdog settings and a demanding schedule.
04/17/2019, 5:39 PM
We pull osquery logs to Kinesis with fluentd. May be an option if you don't find a resolution.