Is it feasible to use prometheus to build osquery performanc

Question

Is it feasible to use prometheus to build osquery performance dashboards or is this just specificaly designed for resource metrics

zwass · Answer

Hmm that s an interesting one Not supported currently I suppose we could have Fleet ingest data from `osquery schedule` and output it in a format compatible with prometheus

Zach Zeid · Answer

Yeah Currently I m just creating a dashboard in splunk that kinda works It s not super great but it s something Ideally I d like to be able to pull those metrics from fleet itself if fleet is going to be where I manage configs packs and hosts

Zach Zeid · Answer

I m struggling to think how d fleet would be able to ingest the data from `osquery schedule`

zwass · Answer

gt I m struggling to think how d fleet would be able to ingest the data from `osquery schedule` Can you expand on this

zwass · Answer

gt Ideally I d like to be able to pull those metrics from fleet itself if fleet is going to be where I manage configs packs and hosts This makes a lot of sense for Fleet I m definitely interested in hashing out how the info would best be exposed to users

Zach Zeid · Answer

gt I m struggling to think how d fleet would be able to ingest the data from `osquery schedule` gt Can you expand on this I m just not 100 on implementation given that results can be sent to other systems that are not stdout how would fleet be able to get the results of those queries in a way that s exposable as a metric

Zach Zeid · Answer

Or would `osquery schedule` be implicitly added to new rulepacks and fleet could access it another way

zwass · Answer

Ah because osquery can be configured to log to other plugins besides TLS Right now we get around that by running queries that Fleet needs to see the results to as live queries which always go over TLS It s possible we may add features to Fleet at some point that would require scheduled query logs to go through the Fleet server as well Potentially this could come with updates to osquery that would allow different packs to go to different logger plugins

zwass · Answer

As for `osquery schedule` there wouldn t be much of a benefit to the differential results provided by scheduled queries so I think we could pull the data as live queries without much concern

Zach Zeid · Answer

I understand live queries are great but scheduled queries are where it s at We rely heavily on scheduled queries to poll endpoints that could benefit from gaining visibility into performance of those queries as they run

zwass · Answer

To be clear Fleet could live query the `osquery schedule` table and would get the data for the schedule queries It would be an implementation detail really

Zach Zeid · Answer

oh this was something I wasn t aware of I was under the impression that I needed to include `osquery schedule` in the scheduled query packs to get the perf data of those scheduled queries

zwass · Answer

Yeah for sure Definitely try live querying that table to get insight into your scheduled queries