
manikant singh

10/16/2020, 10:28 AM
Hi guys, I need a little help understanding the problem of memory limits being exceeded. I see these log lines:
we have 16 immutable memtables (waiting to flush), max_write_buffer_number is set to 16
Expiring events for subscriber: file_events (overflowed limit 50000)
Subscriber events file_events exceeded limit 5000 by: 200
Can someone please guide me on what the problem is here? As of now I have only two users on the machine. One is root, which osqueryd is running as, and the other is a guest user whose only access to the machine is via ssh. Not sure why the limit would be exceeded here. I have also configured FIM as follows:
file_accesses: 
  - homes
file_paths: 
  homes: 
    - /home/%%
Any help is appreciated, thanks.

seph

10/16/2020, 11:04 AM
What problem are you having?

alessandrogario

10/16/2020, 12:09 PM
Seems like compaction is not working on the RocksDB database.
Could it be a permission issue?

manikant singh

10/16/2020, 12:11 PM
@seph I see this error when running osqueryd. It also makes me wonder whether some information is missing from what is being recorded.

alessandrogario

10/16/2020, 12:13 PM
It's either limited by disk access (slow), too many events, or the RocksDB database has the wrong permissions.
The permission issue did happen on an old version of osquery; which version are you using on that host?

manikant singh

10/16/2020, 12:14 PM
osquery version 4.4
How can I validate permissions for RocksDB?
I am using Kolide Fleet to schedule these queries.
select * from file_events where uid > 1000; with --event_expiry=1

alessandrogario

10/16/2020, 12:16 PM
Can you try changing the database? You can either 1. delete the database if you don't need it anymore, 2. move it elsewhere and restore it later, or 3. change the path: --database_path=/path/to/somewhere
You can dump the permissions with
ls -halt /path/to/database
The database is (by default) located here:
/var/osquery/osquery.db

manikant singh

10/16/2020, 12:18 PM
Okay, let me carry out these steps and I will let you know.
Meanwhile, could you please also explain why I get "Subscriber expiration is too low for file_events"?
@alessandrogario On the server on which osqueryd is running, /var/osquery/osquery.db has only root permissions (drwx------), but I am also starting osqueryd with sudo. osqueryd is configured to connect to a remote TLS server (Kolide Fleet) for logging.
Will it cause any problem?

seph

10/16/2020, 1:29 PM
The compaction stuff was redone in 4.5.0. So I'd say try upgrading?