Hi How do folks manage large `osqueryd ERROR` and `osqueryd

Question

Hi How do folks manage large `osqueryd ERROR` and `osqueryd WARNING` files in ` var log osquery` We recently deployed an log rotate conf for `osqueryd results log` but I m seeing WARNING and ERROR logs files between 5 and 10 MB on some clients

clong · Answer

Is 5 10MB considered too large If you re offloading them to a forwarder regularly couldn t you just update the logrotate conf to rotate earlier

harveywells · Answer

< clong> I m sorry for the radio silence I didn t see this until now We have a log rotate for conf for our `osqueryd results log` only none for our `ERROR INFO WARNING` logs We could easily do the same for those log types Do you rotate those logs regularly