Another question, my osqueryd seems to make a gazi...
# generalm
Mystery Incorporated
03/20/2021, 9:52 AMAnother question, my osqueryd seems to make a gazillion .info and .warning files. Is there anyway I can stop this happening?
t
theopolis
03/20/2021, 3:44 PM
I don't think so at this point in time, these are the filesystem logging tweaks you can make under the hood (these CLI flags should work in osquery since we use glog) https://github.com/google/glog/blob/master/src/logging.cc#L116
I've been experimenting with adding embedded log-rolling features to osquery but I don't have much time to work on such a big feature.
theopolis
03/20/2021, 3:46 PM
I'll go take a look at the code and see where I left off. I think I was trying to implement a per-day file roll and an easier approach would be a max-size (split by 25MB files with a configured max of 10) or something like that.
m
Mystery Incorporated
03/20/2021, 5:41 PMIt's very strange because the INFO and WARNING files are so small, some only 1KB so I have no udea why it makes so many of them?
t
theopolis
03/21/2021, 2:51 AM
this doesn't solve the exact problem you describe with having lots of INFO status logs, but it implements a basic log rotation feature: https://github.com/osquery/osquery/pull/7015/files
theopolis
03/21/2021, 2:52 AM
I expect it will need more work before it's considered working/stable.
After that lands I can follow up and add similar rotation for INFO/WARNING status log files.
The reason there are many comes from Glog's behavior of creating a new one each time osquery starts.
7 Views