SAM Background Policy (with osqueryd), what is it doing?
4 weeks ago
Hello,
Can someone tell me what the SAM Background Policy (with osqueryd) is really doing?
As far as I understand, it only writes the marker.json file, so why is it scheduled every 5 minutes?
Would it be enough to schedule it once a day if the snapshot log is large enough?
Greetings
4 weeks ago
Hi @Tone1
The SAM Background Policy (with osqueryd) is basically a heartbeat.
- It creates the marker.json and checks in with ServiceNow so the platform knows the agent is alive.
- That’s why it runs every 5 minutes — it’s about liveness, not heavy data collection.
- You should not reduce it to once a day, even if snapshot logs are large, because then ServiceNow would think the agent is stale/offline for 24h.
Keep the background policy at 5 minutes, but you can tune the snapshot policies (daily, weekly, etc.) to control log size.
3 weeks ago
Are you sure about this?
The ACC has a 60-second keepalive anyway where it communicates with the MID; this has nothing to do with the SAM Background Policy. As far as I can see, the SAM Background Policy does not even generate any ECC queue at all and does not communicate with the MID.