https://github.com/osquery/osquery logo
Powered by
Title
h

Hello_There

04/07/2021, 2:45 PM
morning, I have a question and problem, I made a query to bring powershell events through the powershell_events table: I created a pack with this query select * from powershell events But when I did it started to get a flood of events and the traffic went up from 150MB to 1GB I realized after 5 min later .... When I realized I stopped the pack, even excludes it but still this event keeps coming is there anything to be done so that the hosts stop sending or just wait to normalize? This pack was run for 2500 hosts
1
z

zwass

04/07/2021, 3:27 PM
Potentially you could set 
--buffered_log_max
to a low value for those hosts, which should cause them to clear out the additional buffered logs.
1
h

Hello_There

04/07/2021, 4:55 PM
@zwass Nice! I'll try this right now
@zwass it worked perfectly, the buffer was cleared and the traffic practically zeroed, I will wait a few hours and return to the default values.
z

zwass

04/07/2021, 5:17 PM
Nice!
4 Views
#generalJoin Slack
Powered by