Hi again I m sorry to bother you with my questions I m tryin osquery #fleet

Hi again, I’m sorry to bother you with my question...

Bacarus

08/04/2021, 1:34 PM

Hi again, I’m sorry to bother you with my questions, I’m trying to understand how logging works and some doubts come to the surface. When an host is disconnected to fleet it continues to produce the scheduled logs and, when the connection is restored, the host send all the logs to the server. • How does the agent store those logs? • Does the agent store it locally? • Can I edit the space that is used by the agent to store those logs? Reading the osquery documentation I’ve found

--logger_rotate_size

and

--logger_rotate_max_files

, are they related to this use case or are they only for the filesystem logging plugin?

Jocelyn Bothe

08/04/2021, 1:38 PM

osquery uses a local rocksdb to store query results

🧐 1

Bacarus

08/04/2021, 2:37 PM

I think that

--buffered_log_max

is the flag that I was looking for. The value represents “_the maximum number of logs to buffer before dropping new logs”_ . So there is no way to select a predefined size of the memory used by rocksdb to buffer the logs, I can only play around the number of logs, am I right?

Bacarus

08/04/2021, 3:21 PM

The values refers to the maximum number of the logs between all the queries? for example if I have 3 scheduled queries and

--buffered_log_max=10

can I have 10 logs per query in the buffer (for a total of 30 logs) ?

Sarah Gillespie

08/04/2021, 8:42 PM

--buffered_log_max

represents all logs so in your example you would not be able to have 30 logs. Note that the 10 log limit also includes osquery status logs if you are sending those. You might also try #general to see if folks there have any thoughts 😀

👍 1

3 Views

Open in Slack

Previous Next