Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/docs/Contributing/architecture/orchestration/query-packs.md

2.9 KiB
Raw Blame History

Query Packs Architecture

This document provides an overview of Fleet's Query Packs architecture.

Introduction

Query packs in Fleet allow users to group related queries together for easier management and distribution. This document provides insights into the design decisions, system components, and interactions specific to the Query Packs functionality.

Architecture Overview

The Query Packs architecture enables the organization, configuration, and distribution of groups of queries across a fleet of devices. It leverages osquery's pack capabilities to execute multiple queries on devices and return results to the Fleet server.

Key Components

  • Pack Definition: The definition of a pack, including the queries it contains and their schedules.
  • Pack Distribution: The mechanism for distributing packs to devices.
  • Query Execution: The process of executing queries within a pack.
  • Result Collection: The process of collecting and processing query results.

Architecture Diagram

[Placeholder for Query Packs Architecture Diagram]

Pack Execution Flow

1 - Fleet User Creates a Query Pack

Fleet User -> API Client (Frontend or Fleetctl) -> Server -> DB
  1. Fleet user creates a query pack for a team or globally through the UI or API.
  2. Server stores the pack configuration in the database.

2 - Agent Gets Config File (with the Query Pack)

osquery agent -> Server -> DB
  1. osquery agent requests the configuration file from the server.
  2. Server merges team and global configurations, including packs.
  3. Server returns the merged configuration to the agent.

3 - Agent Executes Queries and Returns Results

osquery agent -> Server -> Optional External Log
  1. osquery agent runs the queries in the pack according to their schedules.
  2. osquery agent sends the results to the server.
  3. Server optionally forwards the results to an external logging system.

Pack Configuration

Query packs have several configuration options:

  • Name: The name of the pack.
  • Description: A description of the pack's purpose.
  • Queries: The queries included in the pack.
  • Targets: The devices or teams targeted by the pack.
  • Schedules: The schedules for each query in the pack.

Performance Considerations

Query packs can impact device performance, especially for packs with complex queries or queries that run frequently. The following considerations should be taken into account:

  • Query Complexity: Complex queries can consume significant CPU resources on devices.
  • Query Frequency: Queries that run frequently can impact device performance.
  • Pack Size: Packs with many queries can impact device performance.

Related Resources