https://github.com/osquery/osquery logo
Join Slack
Powered by
is there any timeout to fleet when I run a query t...
# fleet
p
is there any timeout to fleet when I run a query that takes a long time to return reaults?
k
This is controlled by 
FLEET_LIVE_QUERY_REST_PERIOD
. Bear with me while I get some clarification from the team on the ins and outs of that.
The default timeout is 25 seconds
p
how can I change this?
k
You can set a different value for that setting in your Fleet configuration.
The fixed time period is configurable via environment variable on the Fleet server (eg. 
FLEET_LIVE_QUERY_REST_PERIOD=90s
). If setting a higher value, be sure that you do not exceed your load balancer timeout.
> WARNING: This API endpoint collects responses in-memory (RAM) on the Fleet compute instance handling this request, which can overflow if the result set is large enough. This has the potential to crash the process and/or cause an autoscaling event in your cloud provider, depending on how Fleet is deployed.
https://fleetdm.com/docs/using-fleet/rest-api#run-live-query
If you're going to increase that value, it's best to do it in small increments and test as you go to see how your environment reacts.
p
ok thanks
can you explain me what do you mean by that?
exceed your load balancer timeout.
k
If you're using a load balancer, you may have a limit set on how long a connection is allowed to stay open. Make sure that the rest period is shorter than that timeout.
p
k
You can set that using whichever method you're currently using to set. your Fleet configuration. As an environmental variable:
Copy code
FLEET_LIVE_QUERY_REST_PERIOD=90s
As a command line flag:
Copy code
/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--logging_json
--live_query_rest_period=90s
or in a 
.yaml
config file:
Copy code
echo '

mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: root
  password: toor
redis:
  address: 127.0.0.1:6379
server:
  cert: /tmp/server.cert
  key: /tmp/server.key
logging:
  json: true
live_query_rest_period: 90s
' > /tmp/fleet.yml


fleet serve --config /tmp/fleet.yml
If you don't mind sharing, what's inspiring you to change the rest period?
p
yes, because I created new table than scans all the process and every scan takes like 2 min
https://osquery.slack.com/archives/C01DXJL16D8/p1674502109572499?thread_ts=1673990590.837659&cid=C01DXJL16D8 but why when I right fleet command I don't see that environment variable(FLEET_LIVE_QUERY_REST_PERIOD)
z
I'm sorry, but I don't understand your question. Can you please try to explain more?
p
@zwass when I run fleet command it describe many fleet environment variables that I can give for example
Copy code
FLEET_MYSQL_ADDRESS
but I don't see the varrible FLEET_LIVE_QUERY_REST_PERIOD=90s
k
Thanks for bringing that up! it appears that 
FLEET_LIVE_QUERY_REST_PERIOD
is a bit of a special case and can currently only be set as an environmental variable. So sorry about the confusion! I'm submitting a ticket now to get that more in line with the other configuration options. For now, you can set it using the environment.
p
@Kathy Satterlee thanks for the ticket!
@Kathy Satterlee "For now, you can set it using the environment" what do you mean by that?
k
You can set the rest period as an environmental variable where Fleet is run. The exact method for that will depend on how you're deploying Fleet.
p
@Kathy Satterlee I deployed it by k8s
Open in Slack
PreviousNext
Powered by