Hi Guys I need a little help understanding the problem of me osquery #general

Hi Guys, I need a little help understanding the pr...

manikant singh

10/16/2020, 10:28 AM

Hi Guys, I need a little help understanding the problem of memory limits exceeded.

we have 16 immutable memtables (waiting to flush), max_write_buffer_number is set to 16

Expiring events for subscriber: file_events (overflowed limit 50000)

Subscriber events file_events exceeded limit 5000 by: 200

Can someone please guide what is the problem here. As of now I have only two users on the machine. One is the root with which osqueryd is running and the other is guest user. which has only access to machine is via ssh. Not sure why would limit will exceed here. I have also configured FIM as follows

Copy code

file_accesses: 
  - homes
file_paths: 
  homes: 
    - /home/%%

Any help is appreciated ,thanks.

seph

10/16/2020, 11:04 AM

What problem are you having?

alessandrogario

10/16/2020, 12:09 PM

seems like compaction is not working on the rocksdb database

alessandrogario

10/16/2020, 12:09 PM

could it be a permission issue?

manikant singh

10/16/2020, 12:11 PM

@seph I see this error why running osqueryd It also makes me doubt if I am missing some information from being recorded?

alessandrogario

10/16/2020, 12:13 PM

it's either limited by disk access (slow), too many events, or the rocksdb database has wrong permissions

alessandrogario

10/16/2020, 12:13 PM

the permission issue did happen on an old version of osquery; which version are you using on that host?

manikant singh

10/16/2020, 12:14 PM

osquery version 4.4

manikant singh

10/16/2020, 12:15 PM

how can I validate permissions for rocksdb?

manikant singh

10/16/2020, 12:15 PM

I am using kolide fleet to schedule these queries.

manikant singh

10/16/2020, 12:15 PM

select * from file_events where uid > 1000; with --event_expiry = 1

alessandrogario

10/16/2020, 12:16 PM

can you try to change database? You can either 1. delete the database if you don't need it anymore 2. move it elsewhere and restore it later 3. change path: --database_path=/path/to/somewhere

alessandrogario

10/16/2020, 12:16 PM

you can dump the permissions with

ls -halt /path/to/database

alessandrogario

10/16/2020, 12:16 PM

The database is (by default) located here:

/var/osquery/osquery.db

manikant singh

10/16/2020, 12:18 PM

okay, Let me check carry out these steps and will let you know.

manikant singh

10/16/2020, 12:20 PM

Meanwhile could you please also explain why do i get "Subscriber expiration is too low for file_events"

manikant singh

10/16/2020, 12:42 PM

@alessandrogario server on which osqueryd is running /var/osquery/osqery.db has only root permissions (drwx--------) but I am also starting my osqueryd with sudo permissions. osqueryd is configured to connect with remote tls server(kolide fleet) for logging logs.

manikant singh

10/16/2020, 12:42 PM

will it cause any problem ?

seph

10/16/2020, 1:29 PM

The compaction stuff was redone in 4.5.0. So I’d say try upgrading?

3 Views

Open in Slack

Previous Next