
    Lucas Santos

    1 month ago
    Hi there! I have a question about running differential queries in osquery and fleetdm. For example, when this type of query is run on a machine, where are the results saved for comparison? On osquery's or Fleetdm's side? I'm having a problem with a large amount of network consumption traffic (outbound and inbound) from fleetdm. Since I have a considerable amount of "Differential" queries, I think that the fleetdm could send the information back to the clients to get the differential value, and the clients send that information back. I found that my Fleetdm server is receiving 100GB of traffic data from agents, but only 20GB is logged in results.log and less in status.log. Thanks in advance,

    D4veB3st

    1 month ago
    Is that a daily or monthly ingestion?

    Lucas Santos

    1 month ago
    Daily ingestion

    Kathy Satterlee

    1 month ago
    How many hosts do you have enrolled and roughly how many queries are you running on a daily basis?

    Lucas Santos

    1 month ago
    There were 17 queries, every query had different times of execution, most executed every 5 min. In total there are 9500 hosts.

    zwass

    1 month ago
    Differential queries are "diffed" on the local machine. Osquery stores the results in RocksDB and generates a diff before sending the logs.
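As an added illustration of the point zwass makes (this is example code, not part of the thread and not osquery's own implementation): the agent keeps the previous result set locally, diffs it against the new run, and only ships "added"/"removed" rows. The sample rows, query name and host identifier below are constructed; the event fields mirror osquery's differential result format, with timestamp and decoration fields left out.

```python
import json

# Constructed sample results of a listening-ports style query from two
# consecutive scheduled runs on one host (not real data).
PREVIOUS = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "877", "port": "8080", "protocol": "6", "address": "127.0.0.1"},
]
CURRENT = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "903", "port": "443", "protocol": "6", "address": "0.0.0.0"},
]


def _key(row):
    # Rows are unordered dicts; a sorted tuple of items gives a hashable identity.
    return tuple(sorted(row.items()))


def differential_events(previous, current, name, host):
    """Emit osquery-style differential log events: one per row that was added
    or removed between two runs. Unchanged rows produce nothing, which is why a
    stable result set costs almost no log traffic. Field names follow osquery's
    differential result format; timestamp/decoration fields are omitted here."""
    before = {_key(r): r for r in previous}
    after = {_key(r): r for r in current}
    events = []
    for k in sorted(after.keys() - before.keys()):
        events.append({"name": name, "hostIdentifier": host,
                       "action": "added", "columns": after[k]})
    for k in sorted(before.keys() - after.keys()):
        events.append({"name": name, "hostIdentifier": host,
                       "action": "removed", "columns": before[k]})
    return events


def payload_bytes(rows_or_events):
    """Size of the newline-delimited JSON the agent would ship for this batch."""
    return sum(len(json.dumps(e, sort_keys=True)) + 1 for e in rows_or_events)


if __name__ == "__main__":
    evts = differential_events(PREVIOUS, CURRENT, "pack/ports/listening_ports", "host-1")
    for e in evts:
        print(json.dumps(e, sort_keys=True))
    print("differential bytes:", payload_bytes(evts),
          "vs full snapshot bytes:", payload_bytes(CURRENT))
```

Comparing the differential payload size with the full snapshot size for a query whose results rarely change shows why per-host log volume alone does not explain traffic that is several times larger than what lands in results.log.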