happy-dude11/18/2022, 7:48 PM
warnings at 5MB, 10MB, and 13MB values I believe this indicates that a query result from osquery is larger than theCopy code
Linesize exceeds TLS logger maximum:
value and is being dropped/not sent to the TLS endpoint. At the moment, that value is set to the default 1MB currently, I configured osqueryd to run with the following
I was curious if anyone would know if there are settings I can tweak to avoid dropping these results, or if there was a way I can investigate which query pack was causing such a large result?
--config_tls_max_attempts=6 --database_path=/state/osquery.db --decorations_top_level=true --disable_events=true --disable_extensions=false --disable_watchdog=false --docker_socket=/run/docker.sock --enroll_secret_path=/etc/osquery/enroll_secret.txt --enroll_tls_endpoint=<endpoint> --host_identifier=hostname --logger_plugin=tls --logger_tls_endpoint=<endpoint> --logger_tls_max_linesize=1048576 --logger_tls_period=60 --read_max=209715200 --table_delay=200 --tls_hostname=<endpoint> --tls_session_reuse=true --tls_session_timeout=3600 --utc=true --watchdog_memory_limit=900
to something like 15MB, but that does seem large and doesn't help me identify exactly which is the "problem" query or query pack