Hello all, can anyone please suggest if there is a way to get more debug logging from osquery beside

--verbose

? We use osquery with fleetdm and face this file carving issue. After creating file carving live query to carve several files, we obtain the carve ids and check the carve endpoint for results. Sometimes, several of the carve ids don't appear on the carve endpoint until a next carve query is requested. The verbose log on the osquery side just shows a bunch of

begin

and

block

calls, different number for 'failed' and 'successful' attempt.

Hey Tomas, can you please provide more details on how we could reproduce this over in #fleet? We would like to fix this and/or advise you how to successfully use the file carving feature.

Thanks. I'm trying to reproduce myself on fresh systems. Will get back to you.

So it works if you run the query via

fleetctl

, but doesn't work if you run the query via API?

In the end I was able to reproduce with

fleetctl

. I ran 40 live queries, one

fleetctl query

command each 5 seconds. The carving query is the ninth and it contains 34 files to carve. 20 of the carves were stuck in the

SCHEDULED

state. Once I ran a simple carving query (one file) to 3 hosts with the stuck queries, all scheduled + the new 3 returned.