hi all We have osqueryd.snapshots.log file is very large on certain servers. about 1GB. What would be the reason for that behaviour?

That log is where the results of "snapshot" queries go. You need to implement some sort of system to consume those logs and rotate/truncate/delete the log files. If you aren't using the results, perhaps look at reducing the interval on those queries or unscheduling them so that you don't fill up the log file.

Thanks for reply. In my case we use the tls for transport to kolide server. is that means that kolide\fleet doesn't succeed to handle all the logs. Is it possible to define max size or data retention?

This means that your logs are going to the local filesystem. Either the logs are not going to the Fleet server or it is configured to go to both.

that is weird...tomorrow i'll recheck the all the configs thanks!