Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
demonbhao
03/30/2021, 10:10 AMHello, I found through the log that my osquery difference detection memory sends a log every 7 days. From the feedback of the log, it seems that the information querying by osquery before has been deleted within 7 days. Is this caused by the problem of RocksDB within my osquery?
Does this mean that something is wrong with my RocksDB?
t
theopolis
03/31/2021, 2:07 PMI don’t think config-check works well if osquery is running. The issue is that only one osquery process can access RocksDB, so if you have one running then the second (the config-check process) will give you warnings like above.
So this doesn’t indicate a root cause for the 0 counter you referenced above.
The backing storage (RocksDB) could be an issue. This happens exactly every 7 days? Is there any clean up scripts that you’ve added to delete RocksDB files?
What version of osquery is this?
d
demonbhao
04/01/2021, 6:32 AMHello, I checked that there is no scheduled task for deleting rocksdb files on the server. My osquery version is 4.6.0
I also found the situation of other counts, as shown below
When I stop the osquery service and use config-check again, the results are as follows