I’m having some trouble trying to determine the best path forward for client collection. We are trying to find the right settings to allow us to: • Update end user computers with new ad hoc queries and new scheduled query packs • Reduce network overhead for remote clients connecting to our TLS logging endpoint (Kolide) • Allow for on-the-fly configuration changes such as to auto_table_construction Can I get a little help understanding when things like pack_refresh_interval apply (and are ad hoc queries considered a “pack”?), distributed_interval, and config_refresh apply to the above goals?

What you have called ad-hoc queries are distributed queries in osquery terms. Packs and config settings are the query packs and osqueryd configuration respectively

Excellent, that’s very helpful!