# general
xposting to #general chat from #core: hey team, I was wondering if I can get some help tweaking or investigating this further. On certain hosts with osquery, I frequently see

```
Linesize exceeds TLS logger maximum:
```
warnings at 5MB, 10MB, and 13MB values. I believe this indicates that a query result from osquery is larger than the
value and is being dropped/not sent to the TLS endpoint. At the moment, that value is set to the default 1MB. Currently, I have configured osqueryd to run with the following
I was curious if anyone would know if there are settings I can tweak to avoid dropping these results, or if there was a way I can investigate which query pack was causing such a large result?
I can certainly explore setting
to something like 15MB, but that does seem large and doesn't help me identify exactly which is the "problem" query or query pack
Unfortunately there isn’t something that says which query that line was part of; it’s not even available as information at that point. I think the quickest way is to see the line by enabling the local filesystem logging via
and checking the size of the results like that. Otherwise a much longer approach would be to determine which query/tables likely have either many columns or variable sized columns that can grow that much, since this doesn’t happen on all hosts.
Thanks Stefano, I'll investigate further by flipping the plugin to filesystem as well
just an update -- I was able to examine the logs in the filesystem and quickly identify which query pack was problematic. general warning about getting a list of processes that have unusual ports on high traffic servers 😅