Has anyone seen Kolide Launcher fill up the

/tmp

directory and know why that happens?

If you didn't configure a TLS endpoint, the default location for osquery_status and osquery_result is in

/tmp

Thanks for the response @sundsta. I do have a TLS endpoint setup (Fleet), but it goes offline frequently as I'm doing experimenting in a lab environment. When Fleet goes offline, will it default back to logging results to

/tmp

?

Only if you specified the

--root_directory

to be somewhere in

/tmp

Hmm. Well, I don't have that specified. I just have a systemd service that runs the following command:

/usr/local/bin/launcher \
     --hostname=$FleetServer:FleetPort \
     --enroll_secret=$FleetSecret \
     --autoupdate \
     --osqueryd_path=/usr/local/bin/osqueryd

If you don’t specify a database_path it will create a new path in /tmp each time it starts up. I’m guessing you have a bunch of old DBs lying around.

(hope that didn't come off as rude, I just still don't understand why it's doing this)

Perhaps

/var/launcher/

. If you use package-builder it makes a path in

/var

.

That makes sense. Yeah, I've mostly used package-builder outside of this lab environment so I've never encountered this. Thanks for the explanation.

Ah sorry, the flag you want is

--root_directory

.

Okay, cool.