Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi! How do folks manage large `osqueryd.ERROR` and `osqueryd.WARNING` files in `/var/log/osquery`? We recently deployed an log rotate conf for `osqueryd.results.log` but I’m seeing WARNING and ERROR logs files between 5 and 10 MB on some clients.

Is 5-10MB considered too large? If you’re offloading them to a forwarder regularly couldn’t you just update the logrotate conf to rotate earlier?

<@U0JA5UETV> I’m sorry for the radio silence, I didn’t see this until now. We have a log rotate for conf for our `osqueryd.results.log` only, none for our `ERROR / INFO / WARNING` logs.  We could easily do the same for those log types. Do you rotate those logs regularly?