Hi all. Does anyone know if clients will keep running their packs on whatever schedule they last got from Fleet, or if they only execute queries when they get a valid response from Fleet when they check in? Eventually we'll have an externally accessible Fleet endpoint for our corp laptops, but currently we are relying on VPN. I'm assuming that if a client can't check in, it's not going to run any queries because a failure to check-in to Fleet would also indicate that the client wouldn't be able to post the results to Fleet. Is this correct?

The client will continue running the same config and buffering the results until it can get them successfully to Fleet.

OK, my assumption is wrong then! 🙂

They will buffer logs until they reach

--buffered_log_max

number of logs then start dropping the oldest.

Awesome

The default is 1million according to https://osquery.readthedocs.io/en/stable/installation/cli-flags/. And it is the number of logs, not bytes

Great, thanks. I was just going to ask if the default was the number listed in the docs. I wasn't sure if it was safe to assume that having a value present (in the docs) meant it was default.

The tls logger buffers logs in RocksDB (the same store used for osquery evented tables) and then sends the logs on interval (

logger_tls_period

). They are only cleared when they are sent successfully or overflow the max.

ok, great. so it is buffered to osquery.db

It will be # of log lines (json objects)

awesome, thanks