Checked the issue link you provided. Thanks. In our case we do not use the table

process_file_events

at all. The issue presents on several hosts, not so many. But still..

I’m curious what makes events invalid. And what does it exactly mean

invalid events

? What’s wrong with them?

Meanwhile, can I gather and supply any additional information to track down the root cause?

We’ve encountered this issue on the following OS: • CentOS Linux 7.9.2009 • Red Hat Enterprise Linux 8.5.0 • Red Hat Enterprise Linux 8.4.0 We also can see on those hosts the bug I’ve reported here: https://github.com/osquery/osquery/issues/8039 Somehow, osquery syslog logger plug-in writes osqueryd logs under

lvm

syslog app-name. For example from `/var/log/messages`:

# cat /var/log/messages | grep "lvm\[" | tail -n 1
Jun 20 09:13:59 splnk lvm[1242495]: {"name":"pack/InfoSec Events Audit/InfoSec Events Audit: Process","hostIdentifier":"splnk","calendarTime":"Tue Jun 20 06:13:59 2023 UTC","unixTime":1687241639,"epoch":0,"counter":9114,"numerics":false,"decorations":{"host_uuid":"7a103c42-5e68-9c61-950d-ef0d02b11be8","hostname":"splnk"},"columns":{"auid":"4294967295","cmdline":"splunk-optimize -d --msidx-comp-block-size 1024 /mnt/db/dhcp/db/hot_v1_9 -x 375529314816 --log-to--splunkd-log --write-level 1 --tsidx-target-size 1572864000","ctime":"1682590162","cwd":"\"/\"","egid":"1519","euid":"1517","gid":"1519","parent":"2180","path":"/opt/splunk/bin/splunk-optimize","pid":"1985420","time":"1687241628","uid":"1517"},"action":"added"}

@Lucas Rodriguez @Kathy Satterlee hi there 👋 don’t you have any clues?