  • Hello_There
    1 year ago
    Morning, I have a question and a problem. I made a query to bring PowerShell events through the powershell_events table: I created a pack with this query: select * from powershell_events. But when I did, it started to get a flood of events and the traffic went up from 150MB to 1GB; I only realized it 5 min later. When I realized, I stopped the pack and even excluded it, but this event still keeps coming. Is there anything to be done so that the hosts stop sending, or should I just wait for it to normalize? This pack was run for 2500 hosts.
  • zwass
    1 year ago
    Potentially you could set --buffered_log_max to a low value for those hosts, which should cause them to clear out the additional buffered logs.
  • Hello_There
    1 year ago
    @zwass Nice! I'll try this right now.
    @zwass It worked perfectly, the buffer was cleared and the traffic practically zeroed. I will wait a few hours and return to the default values.