Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Just a thing I ran in to regarding: <https://fleetdm.com/docs/deploying/faq#what-api-endpoints-should-i-expose-to-the-public-internet>

It doesn't mention `/api/osquery/log` which is where the scheduled queries/packs etc return to by default. Not sure why its not `/api/v1/osquery/log` or something

Hey <@U04P4NW3TNV>! It's generally recommended to use the `/api/v1/` formatting for endpoints. There are some changes in the works for the API that are slowly being implemented, so some endpoints will work without the version, but all endpoints will work with the version specified. Both `/api/v1/osquery/log` and `/api/osquery/log` will work. I see that we've got some references to `/api/osquery/log` in the configuration documentation, I'll get that updated to use the standard endpoint.

Ah ok they both work! I'll change the agent config then. Thanks

I dont remember changing this file so i suspect it's fleet's out of the box agent config

I'm going to run that part up the flagpole :slightly_smiling_face:

Just an FYI, this has spurred some internal discussion. We'll be moving everything in the docs and the default flag files for Orbit to use the `/api/osquery/` endpoints and updating the docs to reflect that. The versioned endpoint will still work and I'll make sure that's called out in the docs as well for backward compatibility :)

Sweet, thanks for the update - will keep it in mind going forward