https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
a

AP

03/25/2022, 11:10 AM
Hello! Ran into the following error, let me know if anyone knows how to fix it. Error: "dial unix /var/osquery/sock/osquery.em: connect: connection refused" I could see "/var/osquery/sock/osquery.em" was getting dropped frequently. When /var/osquery/sock/osquery.db is dropped the error went away, not sure what was causing this issue. The size of /var/osquery/sock/osquery.db was 473MB at the time when issue occurred, if that is relevant. Please help debug the issue. I have multiple machines failing for the same, hence need to find the root cause so that it doesn't happen again.
s

seph

03/25/2022, 2:30 PM
What is producing that error?
/var/osquery/sock/osquery.em
is the socket osquery uses for thrift communications with extensions.
a

AP

03/28/2022, 5:49 AM
Hunch is too many requests for socket? But why would db size would increase drastically? If that os related(as dropping db cleared up the issue), can we use some flag which would control db size?
There are multiple .sst files getting created inside db.
Looks like the following flags in cong=f file might help: "events_optimize": "true", "events_expiry": "1"
These flags too doesn't seem to get applied
s

seph

03/29/2022, 2:58 PM
I don’t know why DB size would have any impact here.
Do you have extensions? What is producing that error?
16 Views
Powered by