Hi, if I'd like to run a fleet instance as only a web gui , and another for the osquery clients to talk to. How would I handle the scheduled query and the output to the designated log directory . As both instances will run the scheduled query, write output (thus duplicate every query output), and that output I'm picking up and forwarding to an ES instance , Seems silly to have it 2x 😉 .

hey, I'll need to know more details about your infra to properly answer that. what I can tell you, we have seen two approaches for the kind of separation you want to do: 1. Use a load balancer to direct traffic to each fleet instance: https://fleetdm.com/docs/deploying/reference-architectures 2. https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui/ lmk if I didn't understand your question!

Marc the hosts connected to fleet periodically check in and "pull" down their schedules, and thus will only be run once.

Thank you for your replies , I'll do a deeper dive soon !