Creating many SST files was a problem with an earl...
# corem
Mike Myers
04/22/2021, 5:49 PMCreating many SST files was a problem with an earlier version of osquery, are you running a recent version?
Mike Myers
04/22/2021, 5:50 PMj
Juan Alvarez
04/22/2021, 5:52 PMwe are running 4.6.0
Juan Alvarez
04/22/2021, 5:53 PMsaw that before github issue before but i understood it would not apply to 4.6.0
t
theopolis
04/22/2021, 6:07 PM
Are you comfortable sharing your db with me to debug?
j
Juan Alvarez
04/22/2021, 6:11 PMi cant share it unfortunately 😞 Is there any steps i could take to debug?
Juan Alvarez
04/22/2021, 7:04 PMwe have seen that at some point we created many powershell_events that were included there (pretty big ones). I have disabled powershell_events now, but would that not cleanup de db?
Juan Alvarez
04/22/2021, 7:04 PMthat table was never queried, tho it was enabled in the flags
t
theopolis
04/23/2021, 1:06 PM
That could be it, osquery will store the last 50k by default then start removing batches
j
Juan Alvarez
04/23/2021, 1:12 PMolder SST files do never get deleted? or should it remove them?
Juan Alvarez
04/26/2021, 11:00 PMfinally, i reproduced the symptoms locally and uploaded a database dump, i have created this: https://github.com/osquery/osquery/issues/7079
🆒 1
4 Views