11/18/2022, 7:48 PM
hey team, I was wondering if I can get some help tweaking or investigating this further: on certain hosts with osquery, I frequently see
Linesize exceeds TLS logger maximum:
warnings at 5MB, 10MB, and 13MB values. I believe this indicates that a query result from osquery is larger than the
value and is being dropped/not sent to the TLS endpoint. At the moment, that value is set to the default 1MB. Currently, I configured osqueryd to run with the following
I was curious if anyone would know if there are settings I can tweak to avoid dropping these results, or if there is a way I can investigate which query pack is causing such a large result?
7:48 PM
I can certainly explore setting
to something like 15MB, but that does seem large and doesn't help me identify exactly which is the "problem" query or query pack