I ran into a problem earlier today running this query from a

Question

I ran into a problem earlier today running this query from akamai <https www akamai com blog security research openssl vulnerability how to effectively prepare ~ text=vendors 20as 20well What 20do 20I 20do 20now 3F While 20there 20is|https www akamai com blog security research openssl vulnerability how to effectively prepare ~ text=vendors 20as 20we ow 3F While 20there 20is> to find vulnerable openssl versions on osquery 4 8 0 causing all of the servers queried to use large amounts of memory that was not released till the server was restarted I m trying to figure out if the osquery watchdog process is enabled by default and if it just failed to terminate the process Or is watchdog something that has to be enabled Also i think this yara bug was fixed in 5 4 0 which I need to upgrade to Mainly just trying to figure out the root cause

javuto · Answer

The watchdog is enabled by default you will have to use the flag ` disable watchdog=true` to disable completely although it is recommended to just set the level to ` 1` with the flag ` watchdog level= 1`

javuto · Answer

You can see more information about those flags and in general the watchdog in <https osquery readthedocs io en stable installation cli flags flagfile>

javuto · Answer

If I were you I would upgrade osquery to `5 5 1` and try again yara rules can take up a lot of resources but I will only start disabling the watchdog after I tried with a newer version of osquery Good luck

Jason Roberts · Answer

< javuto> I wanted the watchdog to kill the process It failed to do that which caused out of memory issues on the servers osquery was running on = I will upgrade the clients though