Newbie here. Can someone direct me on how to tune (limit growth, or set quicker rotation of files, or what is a reasonable size)? I have 202 clients, and generate 4 GB of logs a day between /var/log/daemon.log and /tmp/osquery_status
03/31/2020, 10:47 PM
Generally you would forward them to a SIEM where processing, alerts, etc. happen. The SIEM forwarding agent typically handles the rotation.
04/01/2020, 3:20 PM
Reading the log aggregation doc, it mentions only the files in /var/log/osquery - nothing about the 2 files I mentioned. Do you send those yourself?
04/01/2020, 4:11 PM
Are you using Launcher or vanilla osquery?
04/01/2020, 4:12 PM
I think it's Fleet's results
Noticing in my .service I don't specify a location for results / status - since I seem to see all my other workstations in those files in tmp
and I am starting to think the /var/log/daemon is a response to /tmp filling up and an error on cannot write
So I think that's half my problem solved on the daemon.log
So to rephrase the problem: I get GBs/day from /tmp/osquery_status
Which, if that's the aggregate result of client actions - then your response on sending to a SIEM does seem like the most correct answer
My configuration was compiling from source to make my own MSI
deploying to some Windows stations, and running Kolide
The second part of the equation, I think, is that compiling from source used the default location (not Windows-pathed) for writing results on clients, so I think I may have to specify in the client flag file a location that is more Windows-centric than /tmp/osquery
So my clients cannot write errors, until my fleet is full, then my fleet gets full writing that the fleet is out of space
Learning : )
Also my flag file had --verbose when I was testing, pushed to the clients
So does that sound reasonable?
So if I remove --verbose and add --disable_logger=true
then it will at least not TLS log the fact that the status path doesn't exist
It only sends back that it received and ran the query