Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
p
peanut butter
01/17/2023, 9:23 PMis there any timeout to fleet when I run a query that takes a long time to return reaults?
k
Kathy Satterlee
01/18/2023, 4:48 PMThis is controlled by
FLEET_LIVE_QUERY_REST_PERIODThe default timeout is 25 seconds
p
peanut butter
01/20/2023, 7:03 PMhow can I change this?
k
Kathy Satterlee
01/20/2023, 7:11 PMYou can set a different value for that setting in your Fleet configuration.
The fixed time period is configurable via environment variable on the Fleet server (eg.). If setting a higher value, be sure that you do not exceed your load balancer timeout.FLEET_LIVE_QUERY_REST_PERIOD=90s
> WARNING: This API endpoint collects responses in-memory (RAM) on the Fleet compute instance handling this request, which can overflow if the result set is large enough. This has the potential to crash the process and/or cause an autoscaling event in your cloud provider, depending on how Fleet is deployed.https://fleetdm.com/docs/using-fleet/rest-api#run-live-query
If you're going to increase that value, it's best to do it in small increments and test as you go to see how your environment reacts.
p
peanut butter
01/21/2023, 12:53 PMok thanks
can you explain me what do you mean by that?
exceed your load balancer timeout.
k
Kathy Satterlee
01/23/2023, 3:19 PMIf you're using a load balancer, you may have a limit set on how long a connection is allowed to stay open. Make sure that the rest period is shorter than that timeout.
p
peanut butter
01/23/2023, 7:11 PMhttps://osquery.slack.com/archives/C01DXJL16D8/p1674241889675149?thread_ts=1673990590.837659&cid=C01DXJL16D8
where do I change the fleet configuration?
k
Kathy Satterlee
01/23/2023, 7:28 PMYou can set that using whichever method you're currently using to set. your Fleet configuration. As an environmental variable:
FLEET_LIVE_QUERY_REST_PERIOD=90s/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--logging_json
--live_query_rest_period=90s.yamlecho '
mysql:
address: 127.0.0.1:3306
database: fleet
username: root
password: toor
redis:
address: 127.0.0.1:6379
server:
cert: /tmp/server.cert
key: /tmp/server.key
logging:
json: true
live_query_rest_period: 90s
' > /tmp/fleet.yml
fleet serve --config /tmp/fleet.ymlIf you don't mind sharing, what's inspiring you to change the rest period?
p
peanut butter
01/24/2023, 9:35 PMyes, because I created new table than scans all the process and every scan takes like 2 min
https://osquery.slack.com/archives/C01DXJL16D8/p1674502109572499?thread_ts=1673990590.837659&cid=C01DXJL16D8
but why when I right fleet command I don't see that environment variable(FLEET_LIVE_QUERY_REST_PERIOD)
z
zwass
01/27/2023, 6:11 PMI'm sorry, but I don't understand your question. Can you please try to explain more?
p
peanut butter
01/30/2023, 8:27 PM@zwass when I run fleet command it describe many fleet environment variables that I can give for example
FLEET_MYSQL_ADDRESSk
Kathy Satterlee
01/30/2023, 9:58 PMThanks for bringing that up! it appears that
FLEET_LIVE_QUERY_REST_PERIODp
peanut butter
01/31/2023, 8:36 PM@Kathy Satterlee
thanks for the ticket!
@Kathy Satterlee
"For now, you can set it using the environment"
what do you mean by that?
k
Kathy Satterlee
01/31/2023, 8:43 PMYou can set the rest period as an environmental variable where Fleet is run. The exact method for that will depend on how you're deploying Fleet.
p
peanut butter
02/01/2023, 7:43 PM@Kathy Satterlee
I deployed it by k8s