Francisco Huerta
04/22/2021, 7:07 PM
Noah Talerman
04/22/2021, 7:16 PM
Francisco Huerta
04/22/2021, 7:27 PM
Noah Talerman
04/22/2021, 7:35 PM
Francisco Huerta
04/22/2021, 7:50 PM
Noah Talerman
04/22/2021, 9:24 PM
zwass
--verbose --tls_dump on one of those hosts experiencing the issue and see if you can tell what they are sending?
Francisco Huerta
04/22/2021, 9:59 PM
zwass
Dan Achin
04/22/2021, 11:06 PM
buffered_log_max=1 purge the local DBs? We dropped that setting way down when dealing with an issue where all POSTs from many of our clients ended up with HTTP 400 errors through our nginx layer in front of Fleet. If you control your osquery options at Fleet, this is a quick way to get all of the local data to expire out.
I've often wondered if there was a way to read the local RocksDB, or maybe a utility to check the integrity of the data?
Juan Alvarez
04/22/2021, 11:07 PM
Dan Achin
04/22/2021, 11:16 PM
zwass
osqueryd --database_dump. buffered_log_max will clear the buffered TLS logs, but there are other things stored in the DB
defensivedepth
04/23/2021, 11:55 AM
Francisco Huerta
04/23/2021, 12:18 PM
Dan Achin
04/23/2021, 5:22 PM
buffered_log_max
Francisco Huerta
04/23/2021, 7:11 PM