#kolide

DG

03/31/2020, 8:32 PM
Newbie here. Can someone direct me on how to tune (limit growth, set quicker rotation for the files, or what is a reasonable size)? I have 202 clients and generate 4 GB of logs a day between /var/log/daemon.log and /tmp/osquery_status
sundsta

03/31/2020, 10:47 PM
Generally you would forward them to a SIEM where processing, alerts, etc. happen. The SIEM forwarding agent typically handles the rotation.
DG

04/01/2020, 3:20 PM
Reading the log aggregation doc, it mentions only the files in /var/log/osquery - nothing about the 2 files I mentioned. Do you send those yourself?
sundsta

04/01/2020, 4:11 PM
Are you using Launcher or vanilla osquery?
DG

04/01/2020, 4:12 PM
I think it's Fleet's results
4:12 PM
Noticing in my .service I don't specify a location for results / status - since I seem to see all my other workstations in those files in tmp
4:13 PM
and I am starting to think the /var/log/daemon is a response to /tmp filling up and an error on cannot write
4:13 PM
So I think that's half my problem solved on the daemon.log
4:14 PM
So to rephrase the problem, I get GBs/day from /tmp/osquery_status
4:14 PM
Which, if that's the aggregate result of client actions - then your response on sending to a SIEM does seem like the most correct answer
4:15 PM
My configuration was compiling from source to make my own MSI
4:15 PM
deploying to some Windows stations, and running Kolide
4:21 PM
The second part of the equation I think is that compiling from source used the default location (not Windows-pathed) for writing results on clients, so I think I may have to specify in the client flag file a location that is more Windows-centric than /tmp/osquery
4:21 PM
So my clients cannot write errors, until my fleet is full, then my fleet gets full writing that the fleet is out of space
4:21 PM
Learning : )
4:26 PM
also my flag file had --verbose when I was testing, pushed to the clients
4:28 PM
So does that sound reasonable?
4:39 PM
So if I remove --verbose and add --disable_logger=true
4:39 PM
then it will at least not TLS log the fact the status path doesn't exist
4:39 PM
It only sends back that it received and ran the query