Launcher can be a little "noisy" in the Windows Application event log. I'm torn between having some nice diagnostics there and burying other messages for admins/techs that review the logs. Is there a way to dial back or suppress those events if we wanted to?
05/20/2021, 10:23 PM
Right now, there is debug or not.
If you're not in debug mode, I'm curious what's too noisy. I haven't really revisited logging in a while, so I'm sure some are noisy.
05/21/2021, 2:50 AM
I could send you some examples of logged messages. Here's a screenshot that gives you an idea of the volume. It's not ridiculous or anything, but it's certainly the majority of our application log events.
And a few message examples:
caller=log.go:124 ts=2021-05-21T015015.6988951Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0520 205015.698725 2328 processes.cpp:380] Failed to get cwd for 3728 with 5" caller=processes.cpp:380
caller=log.go:124 ts=2021-05-21T015015.5536944Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0520 205015.553694 2328 processes.cpp:338] Failed to get PEB UPP for 760 with 5" caller=processes.cpp:338
caller=log.go:124 ts=2021-05-21T020940.155888Z caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="I0520 210940.155887 2328 processes.cpp:366] Failed to lookup path information for process 104" caller=processes.cpp:366
05/24/2021, 9:21 PM
Those are errors osquery sometimes emits when querying the process table. It's not wholly clear to me launcher should suppress them. Maybe?