Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
w
wennan.he
01/14/2023, 2:29 AMHi Fleet team, how does fleet push live query to agent side to run it? and it looks like when i run a live query in the fleet portal and browser would build up a websocket and upload the live query result to fleet? but i am confused that the result should come from agent side, right? how does agent push the result back to server side?
it looks like UI creates web socket to download the result not upload them, but how does fleet push live query to agent side and run it
k
Kathy Satterlee
01/14/2023, 2:50 AMIt actually doesn’t :) The osquery
distributedreadwritew
wennan.he
01/14/2023, 2:58 AMbut what i said about the web socket part is that correct?
k
Kathy Satterlee
01/14/2023, 3:00 AMYes, The UI communicates with the server using websockets in order to keep the connection open while waiting for responses from hosts.
w
wennan.he
01/14/2023, 3:01 AMand i read the code of distributed write api handler, and i didn't find the code to push back the result of live query, does it include as part of label results? or additional result?
k
Kathy Satterlee
01/14/2023, 3:01 AMThat’s handled on the
osqueryAnd comes in to Fleet through the distributed write endpoint.
w
wennan.he
01/14/2023, 3:07 AMi still cannot find it, am i checking the correct func SubmitDistributedQueryResults?
I see
detailUpdated := false
additionalResults := make(fleet.OsqueryDistributedQueryResults)
additionalUpdated := false
labelResults := map[uint]*bool{}
policyResults := map[uint]*bool{}is this one ingestDistributedQuery?
k
Kathy Satterlee
01/14/2023, 3:11 AMAh! Are you looking now for how it gets from the Fleet server to the UI once the host has sent back the response?
w
wennan.he
01/14/2023, 3:12 AMno i am looking for the logic of how does agent push back the result of live query.
as you say, agent pushes the result of live query back to fleet by distributed write api, and it seems ingestDistributedQuery is the correct func to handle that, right?
k
Kathy Satterlee
01/14/2023, 3:22 AMI’m not as familiar with the
osqueryw
wennan.he
01/14/2023, 3:23 AMty for response, but i am actually looking for the code of fleet handling the distributed_write not osquery.
one more question, when the distributed write save the live query result by publish it though redis, so which means, if i close the browser or the websocket is not open for some reason before the result is published successfully, which means the result will be lost, right?
it looks like that is, i found the logic sub the channel of redis inside of runLiveQueryEndpoint.