Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey team - new to fleet :wave: we are seeing data sent from osqueryd process to fleet server even though no packs have been scheduled. we turned off policies, vuln etc. what would be the best way to look at what / why data is being transferred? we are on fleet 4.22.1

Hey <@U01AX9Y0W6P>! Host details also update periodically. What kind of traffic are you seeing? 

can we adjust those settings? Im just running a `nettop -p osqueryd` command and monitoring the bytes out which is in Mib.

There are a few different intervals that affect how often hosts check in:

<https://fleetdm.com/docs/deploying/configuration#osquery-detail-update-interval|https://fleetdm.com/docs/deploying/configuration#osquery-detail-update-interval>

That’s how often Fleet queues up detail queries

Then there’s the label update interval:

<https://fleetdm.com/docs/deploying/configuration#osquery-label-update-interval|https://fleetdm.com/docs/deploying/configuration#osquery-label-update-interval>

The largest traffic you’ll see is for the distributed interval in osquery… that’s how often hosts check in for new queries (and likely the majority of the traffic you’re seeing):

<https://fleetdm.com/docs/using-fleet/configuration-files#agent-options-config|https://fleetdm.com/docs/using-fleet/configuration-files#agent-options-config>