What is the local backlog limit?

1GB (1024MB).

What happens when the backlog limit is reached?

Oldest data is removed until we’re below the local backlog limit.

When backlog exists, what order is the data uploaded?

The data is uploaded in order, from oldest to newest.

What is the maximum size of a payload sent to Red Canary?

The total size of 5000 discrete events.

What is the maximum time until a telemetry payload upload attempt occurs?

Five minutes (endpoint telemetry is recorded continuously).

What is the maximum time until a health payload upload attempt occurs?

Five minutes (health is recorded every 30s).

What determines when a payload upload attempt occurs?

Whichever occurs first, the maximum time duration of five minutes, or the maximum size of 5000 discrete events buffered in memory. This is not currently configurable.

If network connectivity does not exist, what is the retry logic algorithm?

The first time a payload fails to offload, the agent enters offline mode. For each payload file ready to offload:

The agent will first check if there’s internet connectivity.

If there is internet connectivity, it will re-enter online mode and begin uploading again.
If there is no internet connectivity, the agent will return prematurely from any attempt to offload.

The time between offload attempts is 100ms.

Retry is indefinite but only one payload attempt per 100ms interval. If you fail once with "offline mode" then it bails on attempting any other payloads.

What compression is used for local storage?

GZIP.

What compression is used when sending data to Red Canary?