#general

Eric

06/01/2020, 6:20 PM
Hello, I have standard osquery with Kolide Fleet as the TLS endpoint, and have hosts filling up over time with many thousands of .sst files under /var/osquery/osquery.db. sst_dump shows much of the data in each of the small .sst files is this. Looking for info on what this data is, and whether there is a flag to trim this down (maybe buffered_log_max)? 'tls_s_1590683819_50' seq:15613, type:0 => 'tls_s_1590683819_51' seq:15614, type:0 => 'tls_s_1590683819_52' seq:15615, type:0 =>
Mike Myers

06/01/2020, 8:00 PM
I've heard of this happening with osquery 3.x, which version do you have?
Eric

06/01/2020, 8:16 PM
Mix of 4.2.0 and 4.3.0, all Linux hosts.
Mike Myers

06/01/2020, 8:24 PM
Ok. Event-based tables and the expiration of events from those tables can cause data to be buffered and stored to disk for a long time. One way to check is to examine the values for the event_expiry and events_max configuration options and see that they're set to appropriate values, and then also check the osquery_events table to see which tables are receiving events. If there are tables receiving events that are not getting periodically queried, then osquery will buffer up those events according to the configuration.
Eric

06/02/2020, 3:24 PM
Thanks for the information; for now we will disable the evented tables with disable_events, as there are no queries against these, and monitor size/file count.