alessandrogario (09/29/2020, 4:39 PM):
CptOfEvilMinions (09/29/2020, 5:20 PM):
alessandrogario (09/29/2020, 5:21 PM):
CptOfEvilMinions (09/29/2020, 5:33 PM):
09/29/2020, 5:33 PMsudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false
but received:
ubuntuvm:/tmp/20200929_osquery_pr6571_bpf$ sudo osqueryd -S --verbose --enable_bpf_socket_events --enable_bpf_process_events --disable_events=false
ERROR: unknown command line flag 'enable_bpf_process_events'
ERROR: unknown command line flag 'enable_bpf_socket_events'
alessandrogario (09/29/2020, 5:37 PM):
CptOfEvilMinions (09/29/2020, 5:46 PM):
alessandrogario (09/29/2020, 5:52 PM):
const std::size_t kPerfEventArraySize{12U};
const std::size_t kBufferStorageSize{4096U};
const std::size_t kEventMapSize{2048};
kPerfEventArraySize = power of 2, determines how big the main ring buffer containing basic types is (integers, pointers, process id, uid, ...)
Memory usage: 2^kPerfEventArraySize * cpu_count
kBufferStorageSize = how many slots of 4k bytes are allocated in each BufferStorage object. 1 slot = 1 string (example: filename in open) or buffer (example: sockaddr in connect)
Memory usage: (kBufferStorageSize * 4k * cpu_count) for each buffer storage (we currently have 4)
kEventMapSize: memory map used to merge the enter tracepoint with the exit tracepoint. Each slot is really small, and its memory usage is low