Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I read the osquery doc, but I am not sure my interpretation is correct. I am trying to find:
1. what the maximum size of a log file is before it gets shipped to the logger destination
2. what is the maximum number of records a log file can hold before shipped to the logger destination

Hi <@U06TT976M62>, logs sent to a destination are buffered in the osquerydb, not saved to a file. You can modify the maximum buffer size, as well as the max number of logs to be sent at once and max log size to be sent in the osquery configuration. You can read more about how to set this <https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags:~:text=%2D%2Dlogger_tls_max_linesize%3D1048576|here>.

f you're using filesystem logging in addition to TLS logging, You can use the `--logger_rotate=true` to tell the filesystem plugin to rotate logs based on size. `--logger_rotate_size=&lt;number of bytes&gt;` and `--logger_rotate_max_files=25` will let you specify the size or number of files to trigger rotation. You can read more about that <https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags:~:text=%2D%2Dlogger_rotate%3Dfalse|here>.

Hope this helps!

I am sending them to AWS Firehose, and when they get to S3 they seem to be a file. Is the agent sending them in a file or is Firehose compacting them into files and saving in S3 as such?

Should be that:
Agent sends logs to Fleet as JSON -&gt; Fleet sends logs to Firehouse as JSON -&gt; Firehouse batches logs together and saves them to files in S3