Hi, is there any option for log rotation for osquery's result logs ? If yes, please share the doc link. Thanks

As far as I know osquery doesn't support rotation out of the box. I would recommend using logrotate on linux.

Ok thanks. Just one doubt, does osquery open and closes the file decriptor everytime it writes to log file or does it keep the fd open ?

I don't know, but I guess it doesn't. I ran into a problem when I used logrotate on kolide logs, and the fd was kept open, thus no new file was created. Logrotate allow you to use copy truncate flag, which will solve this issue. Yet I am not sure this is the same with osquery

Kolide fleet works with the standard logrotation scheme of sending a

SIGHUP

to move to a new log file. Standard osquery doesn't not have any log rotation support afaik.

ok thanks