Ahmed02/18/2021, 3:26 PM
this is the eventing part in my flags file hopefully its correct
W0218 10:08:54.518049 1393 events.cpp:311] Expiring events for subscriber: user_events (overflowed limit 500000) W0218 10:10:09.537274 1393 events.cpp:311] Expiring events for subscriber: process_events (overflowed limit 500000)
any thoughts, suggestions or help. Thanks a lot.
--audit_allow_config=true --audit_allow_sockets=true --audit_persist=true --disable_audit=false --events_max=500000 --events_expiry=86400 --disable_events=false --audit_persist --events_optimize=true
blaedj02/18/2021, 3:45 PM
number of events before expiring them. To avoid losing events, you'll need to query the table more frequently , or change the
to a larger number. Check out the flag descriptions here (if you haven't already that is 🙂 : https://osquery.readthedocs.io/en/stable/installation/cli-flags/#events-control-flags
Ahmed02/18/2021, 4:13 PM
second, and that what confused me because the expiration is
and my queries were
i was expecting to be able query before expiry not sure if there is a troubleshooting tip i can use to see if the number of events is low or what should i do next.
blaedj02/18/2021, 5:04 PM