Hi 👋 , We are seeing a trend across our macos machines where the schedule counter for shell_history resets to 0 own its own. As a result, we keep getting duplicates old events into our logging endpoint. Can someone provide a guidance on how to start troubleshooting this? We havent been able to pinpoint the exact timestamp of the reset, and to guess what might caused this. In case it’s necessary, we are still running the older version of osquery - 4.x Thanks.

Could it be this?

When

epoch

changes, counter will be reset back to

0

.

(from wiki, Deployment/Logging)

Thank you for the response. Unfortunately, when I check for that epoch field, the value always shows 0. Is that expected?

My understanding of the

epoch

is that it is how osquery knows the last time event results were gathered, so that it doesn't re-collect events older than that timestamp.

Hmm surely what we’re seeing now is interesting then because the epoch value never change. Okay, I will see what I can do to investigate this further. Thanks.