# general
f
https://github.com/facebook/osquery/issues/5310 Has anyone encountered this question?
j
not at this level. on my side, sysadmin feedback-annoyance is more about the many log files in /tmp. for osquery.db, I want to ask what interval you are using for events collection? osquery.db is a buffer, so a lower interval should help reduce it as far as I understand
f
For osquery's log, I hand out
verbose:false
and
logger_plugin:kafka
instead of
verbose:true
and
logger_plugin:kafka,filesystem
in the online environment, so it will not generate many logs on disk. And my schedule time for the events tables is 1 minute. I think it's low enough. Osquery didn't count older logs, and so sometimes can't remove them.