Noticing in my .service i dont specify a location for results / status - since i seem to see all my other workstations in those files in tmp

and I am starting to think the /var/log/daemon is a response to /tmp filling up and erorr on cannot write

So i think thats half my problem solve on the daemon.log

So to rephrase the problem i get GBs/day from /tmp/osquery_status

Which if thats the aggregate result of client actions - then your response on sending to SIEM does seem like the most correct answer

My configuration was Compiling from source to make my own MSI

deploying to some windows stations, and running kolide

The second part of the equation I think is compiling from source used the default location (not windows pathed) for writing results on clients, so i think I may have to specify in the client flag file a location that is more windows-centric than /tmp/osquery

So my clients cannot write errors, until my fleet is full, then my fleet gets full writing that the fleet is out of space

Learning : )

also my flag file had --verbose when i was testing pushed to the clients

So does that sounds reasonable?

So it i remove -verbose and add --disable_logger=true

then it will at least not TLS log the fact the status path doesn't exist

It only sends back that it received and ran the query