Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
f
Francisco Huerta
04/22/2021, 7:07 PMHi, guys. In the seek of your help again: is there any way we can instruct the agents from Fleet to purge the RocksDB contents? Following with our tests we see a number of agents that have become unstable and we suspect it might be related to their internal database. Is there any way we could handle this cleanup centrally? Any advise or similar experiences?
n
Noah Talerman
04/22/2021, 7:16 PMHi @Francisco Huerta. What do you mean when you use the phrase “become unstable?” Are these agents failing to communicate with Fleet?
f
Francisco Huerta
04/22/2021, 7:27 PMThanks, @Noah Talerman. We see errors from those agents trying to establish a connection to send data to the Fleet for example
n
Noah Talerman
04/22/2021, 7:35 PMGot it. Do you mind sharing the errors you’re seeing for those agents in this thread?
f
Francisco Huerta
04/22/2021, 7:50 PM👍 1
there you go
n
Noah Talerman
04/22/2021, 9:24 PMThank you! I don’t have an immediate answer to your question on purging RocksDB via Fleet. Working on getting an answer for you now.
z
zwass
04/22/2021, 9:33 PMIf you want to fully purge the rocksdb database you'd need to delete the database directory on the host. Can you run
--verbose --tls_dumpf
Francisco Huerta
04/22/2021, 9:59 PMthanks both. yep, we're familiarized with purging the contents of the directory but we were looking at something automatic and/or centralized
thanks @zwass @Noah Talerman
z
zwass
04/22/2021, 10:15 PMThis seems like a feature that could be useful to add to Orbit
👍 2
d
Dan Achin
04/22/2021, 11:06 PMFor all intents and purposes, wouldn't setting
buffered_log_max=1j
Juan Alvarez
04/22/2021, 11:07 PMI tried that parameter but that did not work neither
you can use sst_dump to see what is in the DB
d
Dan Achin
04/22/2021, 11:16 PMthanks, will look at sst_dump
z
zwass
04/22/2021, 11:53 PMosqueryd --database_dumpbuffered_log_max👍 1
d
defensivedepth
04/23/2021, 11:55 AMIs this a known osquery issue? I dont recall ever seeing that errror
f
Francisco Huerta
04/23/2021, 12:18 PMOk, so it seems we've got some stuff to look into: we've discovered some of the hosts that we are monitoring are particularly chatty when it comes to the generation of win events. A step by step description would be as follows:
1. Those servers have packs configured with queries that collect all win events every 60s (incremental).
2. Apparently, the number of events collected exceeds the current events limit per TLS connection (1024), causing the a local buffering effect in the osquery agent.
3. Those servers keeping the pace in terms of events generation (> 1024 per minute) continue queuing those over and over, resulting in a ever-growing buffer
4. Fleet servers, on their side, experience some TLS but also unexpected JSON EOFs as shown above
The result is that 'unstable' condition I was mentioning at the beginning, a considerable amount of data stored locally that never gets purged and some other side effects (e.g., an increase in the I/O operations in the hosts disks)
All this is the theory we are exploring and of course the first thing to look at is the tweaking of the TLS events limit, together with a lower interval for the events packs (e.g., every 30s or even less)
Any other opinions, experiences are much appreciated. I'll keep everyone posted on the progress here just in case this helps anyone else.
d
Dan Achin
04/23/2021, 5:22 PMinteresting
this is somewhat similar to what we saw a few weeks ago and I just checked our logs and see we used to get those EOF messages as well. we didn't focus on those particular errors as there were only a few hundred, but they do seem to have stopped once we did a mass expiration of locally buffered data by dropping do the
buffered_log_maxOur issue manifested itself with massive bandwidth consumption from clients as they got stuck trying to send buffered log data to Fleet but were unable to for long periods of time.
A lot of stuff about it is here in case anyone wants to read it:
https://github.com/osquery/osquery/issues/7021
f
Francisco Huerta
04/23/2021, 7:11 PMthanks, @Dan Achin, good insights too
👍 1