Mike Myers

04/22/2021, 5:49 PM
Creating many SST files was a problem with an earlier version of osquery, are you running a recent version?

Juan Alvarez

04/22/2021, 5:52 PM
we are running 4.6.0
saw that GitHub issue before, but I understood it would not apply to 4.6.0

theopolis

04/22/2021, 6:07 PM
Are you comfortable sharing your db with me to debug?

Juan Alvarez

04/22/2021, 6:11 PM
I can't share it unfortunately 😞 Are there any steps I could take to debug?
we have seen that at some point we created many powershell_events that were included there (pretty big ones). I have disabled powershell_events now, but would that not clean up the db?
that table was never queried, though it was enabled in the flags

theopolis

04/23/2021, 1:06 PM
That could be it, osquery will store the last 50k by default then start removing batches

Juan Alvarez

04/23/2021, 1:12 PM
do older SST files never get deleted? or should it remove them?
finally, I reproduced the symptoms locally and uploaded a database dump, I have created this: https://github.com/osquery/osquery/issues/7079