Hey guys, I was wondering, did someone already start using

--osquery_host_identifier=instance

in 3.9.0? We started using it but normally we have around 6k systems and it is already now at almost 60k, I already changed the

Host Expiry Window

to 1 day, but it is still accumulating. It seems to happen to at least Osquery v4.1.2 and v4.2.0, it creates 100+ entries for same system and if I look at "Last Seen" it looks like it creates a new entry every 5 minutes. Has anyone else noticed this behavior? It happens on different kinds of systems some VM and Laptops.

Are you able to get the

--verbose --tls_dump

logs from osquery on those systems? It would be helpful to try to understand why they are re-enrolling.

Not at this moment, we are planning on upgrading to 4.6.0 soon, maybe that might solve the issue...?

I don't know. Certainly osquery has changed quite a bit from 4.2.0 to 4.6.0 and it's possible that could be connected.

I understand, I will see if I can get a debug session before the upgrade to see if something is visible. I thought maybe someone noticed something similar when using the new

instance

option.

Were you experiencing problems with duplicate hosts when using the default setting?

No, at that time we were experiencing high amount of host re-enrollment because of same UUID, that was the reason we moved to

instance

but wasn't expecting this behavior.