abraham linkolan 10/31/2021, 1:13 PM
fritz 11/15/2021, 5:03 PM
Slackbot 12/01/2021, 9:08 AM
maxwhite 12/13/2021, 6:39 PM
Aleksandr Maus 03/14/2022, 2:56 PM
defensivedepth 03/22/2022, 1:09 AM
Buffered logs limit exceeded. Purging excess. purge_count = 400
The following message is from osqueryi:
4924 events.cpp:312] Expiring events for subscriber: windows_events (overflowed limit 50000)
Based on my initial investigation, I believe they indicate the same issue - the evented table has filled its buffer and logs are being expired.
Is this accurate?
defensivedepth 03/22/2022, 2:14 AM
caller=log.go:124 ts=2022-03-22T02:13:17.332883Z caller=teelogger.go:25 level=info caller=extension.go:549 msg="dropped log" size=3623838 limit=3145728 loghead="{\"snapshot\":[{\"computer_name\":\"DESKTOP-3T6HBKR\",\"data\":\"{\\\"EventData\\\":{\\\"ProcessId\\\":\\\"0\\\",\\\"Applic"
seph
MaxBufferedLogs, and when you have more it starts dropping them. That's probably set to 50k by default. Whether this means you have a device that is sending a very high number of logs, or one that isn't successfully communicating I don't know.
seph
MaxBytesPerBatch then launcher won't send it and will, instead, drop the logfile. It includes the beginning of the log file, to try to help debug it.
seph
defensivedepth 03/22/2022, 12:53 PM
defensivedepth 03/22/2022, 12:53 PM
launcher.db
serve?
defensivedepth 03/22/2022, 12:54 PM
seph
seph
defensivedepth 03/22/2022, 3:38 PM
seph
defensivedepth 03/22/2022, 9:45 PM
defensivedepth 03/22/2022, 9:46 PM
{
"caller": "publish_logs.go:179",
"err": null,
"errcode": "",
"level": "debug",
"logType": "string",
"log_count": 2445,
"message": "",
"method": "PublishLogs",
"reauth": false,
"took": "1.7843631s",
"ts": "2022-03-22T21:44:40.9170003Z",
"uuid": "2dbf373a-f5dd-4586-84bd-ba81d1a761ce"
}
seph
terracatta
n8felton 05/09/2022, 3:11 PM
user 05/11/2022, 2:43 PM
user 05/13/2022, 3:43 PM
user 05/31/2022, 4:03 PM
defensivedepth 06/02/2022, 7:55 PM
segmentation fault
{
"binary": "/usr/local/launcher/bin/osqueryd-updates/1652735666/osqueryd",
"binaryName": "osqueryd",
"caller": "findnew.go:207",
"fullBinaryPath": "/usr/local/launcher/bin/osqueryd",
"level": "error",
"msg": "not executable. Skipping",
"reason": "signal: segmentation fault",
"ts": "2022-06-02T14:04:21.625141787Z",
"updateDir": "/usr/local/launcher/bin/osqueryd-updates"
}
I have removed the files in /usr/local/launcher/bin/osqueryd-updates/ and restarted launcher. I see that the autoupdate process is kicked off:
{
"binaryName": "osqueryd",
"caller": "autoupdate.go:165",
"level": "debug",
"msg": "Created Updater",
"stagingPath": "/var/launcher/securityonion/osqueryd-staging",
"ts": "2022-06-02T19:44:59.357491281Z",
"updater": "osqueryd",
"updatesDirectory": "/usr/local/launcher/bin/osqueryd-updates"
}
But nothing appears to change. Any thoughts on how to troubleshoot this further?
defensivedepth 06/02/2022, 7:56 PM
user 06/10/2022, 7:13 PM
user 06/17/2022, 7:43 PM
user 06/24/2022, 8:13 PM