Hello, I have standard osquey with Kolide fleet as TLS endpoint, have hosts with filling up over time with many thousands of .sst files under /var/osquery/osquery.db sst_dump shows much of the data is this in each of the small .sst files. Looking for info on what this data is, and is there a flag to trim this down, (maybe buffered_log_max)? 'tls_s_1590683819_50' seq:15613, type:0 => 'tls_s_1590683819_51' seq:15614, type:0 => 'tls_s_1590683819_52' seq:15615, type:0 =>

I've heard of this happening with osquery 3.x, which version do you have?

Mix of 4.2.0 and 4.3.0, all Linux hosts.

Ok. Event based tables and the expiration of events from those tables can cause data to be buffered and stored to disk for a long time. One way to check is to examine the values for the 

event_expiry

 and 

events_max

 configuration options and see that they're set to appropriate values, and then also check the 

osquery_events

 table to see which tables are receiving events. If there are tables receiving events that are not getting periodically queried, then osquery will buffer up those events according to the configuration.

Thanks for the information, for now we will disable the evened tables with disable_events as there are no queries against these and monitor size/file count.