Can anyone point me to where the ERROR WARNING and INFO symlinks are created in the source code? Trying to figure out what logic's used.

Haven't looked at this in a while, but it might be done in

glog

rather than directly in the osquery source.

Where to log is somewhat decided by glog yes, but we also provide destinations for specific log levels here https://github.com/osquery/osquery/blob/08736648aacaefbdfc90bc2b87acc4414fd6c9ec/plugins/logger/filesystem_logger.cpp#L249-L252 Though how I see it currently working is that .INFO contains everything from INFO and up (controlled by the logger_min_status flag), .WARNING contains from the warnings and up (so also errors) and .ERROR contains errors only.

You rock, guys; thanks so much!