Hi Guys, I need a little help understanding the pr...
# general
Hi Guys, I need a little help understanding the problem of memory limits exceeded.
we have 16 immutable memtables (waiting to flush), max_write_buffer_number is set to 16
Expiring events for subscriber: file_events (overflowed limit 50000)
Subscriber events file_events exceeded limit 5000 by: 200
Can someone please guide what is the problem here. As of now I have only two users on the machine. One is the root with which osqueryd is running and the other is guest user. which has only access to machine is via ssh. Not sure why would limit will exceed here. I have also configured FIM as follows
Copy code
  - homes
    - /home/%%
Any help is appreciated ,thanks.
What problem are you having?
seems like compaction is not working on the rocksdb database
could it be a permission issue?
@seph I see this error why running osqueryd It also makes me doubt if I am missing some information from being recorded?
it's either limited by disk access (slow), too many events, or the rocksdb database has wrong permissions
the permission issue did happen on an old version of osquery; which version are you using on that host?
osquery version 4.4
how can I validate permissions for rocksdb?
I am using kolide fleet to schedule these queries.
select * from file_events where uid > 1000; with --event_expiry = 1
can you try to change database? You can either 1. delete the database if you don't need it anymore 2. move it elsewhere and restore it later 3. change path: --database_path=/path/to/somewhere
you can dump the permissions with
ls -halt /path/to/database
The database is (by default) located here:
okay, Let me check carry out these steps and will let you know.
Meanwhile could you please also explain why do i get "Subscriber expiration is too low for file_events"
@alessandrogario server on which osqueryd is running /var/osquery/osqery.db has only root permissions (drwx--------) but I am also starting my osqueryd with sudo permissions. osqueryd is configured to connect with remote tls server(kolide fleet) for logging logs.
will it cause any problem ?
The compaction stuff was redone in 4.5.0. So I’d say try upgrading?