Hi again I m sorry to bother you with my questions I m tryin

Question

Hi again I m sorry to bother you with my questions I m trying to understand how logging works and some doubts come to the surface When an host is disconnected to fleet it continues to produce the scheduled logs and when the connection is restored the host send all the logs to the server How does the agent store those logs Does the agent store it locally Can I edit the space that is used by the agent to store those logs Reading the <https osquery readthedocs io en stable installation cli flags loggingresults flags|osquery documentation> I ve found ` logger rotate size` and ` logger rotate max files` are they related to this use case or are they only for the filesystem logging plugin

Jocelyn Bothe · Answer

osquery uses a local rocksdb to store query results

Bacarus · Answer

I think that ` buffered log max` is the flag that I was looking for The value represents the maximum number of logs to buffer before dropping new logs So there is no way to select a predefined size of the memory used by rocksdb to buffer the logs I can only play around the number of logs am I right

Bacarus · Answer

The values refers to the maximum number of the logs between all the queries for example if I have 3 scheduled queries and ` buffered log max=10` can I have 10 logs per query in the buffer for a total of 30 logs

Sarah Gillespie · Answer

` buffered log max` represents all logs so in your example you would not be able to have 30 logs Note that the 10 log limit also includes osquery status logs if you are sending those You might also try < C08V7KTJB|general> to see if folks there have any thoughts grinning