Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mystery Incorporated
10/28/2020, 6:31 PMExpiring events for subscriber: windows_events (overflowed limit 50000)z
zwass
10/28/2020, 6:34 PMLooks like you are perhaps not actually selecting against the
windows_eventsm
Mystery Incorporated
10/28/2020, 6:58 PMMy query is select * from windows_events
But seems to not be emptying the table
a
alessandrogario
10/28/2020, 6:59 PMAh I see, so you are using events; what's your --events_expiry set at?
m
Mystery Incorporated
10/28/2020, 7:00 PMIt seems I have not set an expirey which is likely mu problem
a
alessandrogario
10/28/2020, 7:01 PMIt shouldn't be a problem though, event optimization (default enabled) will not return the same data twice, so it won't log duplicates
m
Mystery Incorporated
10/28/2020, 7:01 PMor actually would it be a problem if i'm fetching the events every 10 seconds
a
alessandrogario
10/28/2020, 7:01 PMThat message is not an error, just an information
if you wish to use the same table from different queries, it's not ideal to expire everything on the first query
m
Mystery Incorporated
10/28/2020, 7:02 PMAh yes I see because data will be gone for query 2
bit somehow I am ending up with 50000 entries in the table
does osqueryi and osqueryd share same db?
a
alessandrogario
10/28/2020, 7:04 PMthat is normal, without expiration you will keep getting new events added at the end, and expiration will remove them from the start of the queue
once the max amount of events (--events_max), it will remove events on one side as new ones are added to the other side
when using scheduled queries + osqueryd, event optimization will make sure that only new events are added (i.e. you will only log new rows added since the last query)
m
Mystery Incorporated
10/28/2020, 7:06 PMso to alleviate that warning I should set max to say 49000 then?
a
alessandrogario
10/28/2020, 7:06 PMosqueryi and osqueryd are separate
👍 1
it's not a warning, it's just an informational message
everything is working as intended
m
Mystery Incorporated
10/28/2020, 7:07 PMoverflowed is usually bad isn't it?
a
alessandrogario
10/28/2020, 7:07 PMif you do not wish to query the same table from multiple queries, you can set the events_expiry so that the first query will remove them
no it's just telling you that it's performing the cleanup, nothing bad is happening
m
Mystery Incorporated
10/28/2020, 7:07 PMoh rightio
it's cleaning up at 50000