Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi Fleet team, how does fleet push live query to agent side to run it? and it looks like when i run a live query in the fleet portal and browser would build up a websocket and upload the live query result to fleet? but i am confused that the result should come from agent side, right? how does agent push the result back to server side?

it looks like UI creates web socket to download the result not upload them, but how does fleet push live query to agent side and run it

It actually doesn’t :) The osquery `distributed` plugin sends `read` requests periodically to check for pending queries, then sends a `write` request with the results. All communication with Fleet is initiated by the host. 

<https://osquery.readthedocs.io/en/stable/deployment/remote/#distributed-queries|https://osquery.readthedocs.io/en/stable/deployment/remote/#distributed-queries>

but what i said about the web socket part is that correct?

Yes, The UI communicates with the server using websockets in order to keep the connection open while waiting for responses from hosts. 

and i read the code of distributed write api handler, and i didn't find the code to push back the result of live query, does it include as part of label results? or additional result?

And comes in to Fleet through the distributed write endpoint. 

i still cannot find it, am i checking the correct func SubmitDistributedQueryResults?

I see
```detailUpdated := false
additionalResults := make(fleet.OsqueryDistributedQueryResults)
additionalUpdated := false
labelResults := map[uint]*bool{}
policyResults := map[uint]*bool{}```
none for livequery

Ah! Are you looking now for how it gets from the Fleet server to the UI once the host has sent back the response? 

no i am looking for the logic of how does agent push back the result of live query.

as you say, agent pushes the result of live query back to fleet by distributed write api, and it seems ingestDistributedQuery is the correct func to handle that, right?


I’m not as familiar with the `osquery` code, but it looks like that happens here:

<https://github.com/osquery/osquery/blob/78a8e3945e13d65d9e96e7f15074e22925aa0cbc/plugins/distributed/tls_distributed.cpp#L74|https://github.com/osquery/osquery/blob/78a8e3945e13d65d9e96e7f15074e22925aa0cbc/plugins/distributed/tls_distributed.cpp#L74>

I will take some time on Monday to take a closer look! 

ty for response, but i am actually looking for the code of fleet handling the distributed_write not osquery.

one more question, when the distributed write save the live query result by publish it though redis, so which means, if i close the browser or the websocket is not open for some reason before the result is published successfully, which means the result will be lost, right?

it looks like that is, i found the logic sub the channel of redis inside of runLiveQueryEndpoint.