  • Mystery Incorporated
    1 year ago
    Expiring events for subscriber: windows_events (overflowed limit 50000)
  • zwass
    1 year ago
    Looks like you are perhaps not actually selecting against the windows_events table? That would clear out the buffered events into logs which could be shipped off elsewhere.
  • Mystery Incorporated
    1 year ago
    My query is select * from windows_events
    But it seems to not be emptying the table
  • alessandrogario
    1 year ago
    Ah I see, so you are using events; what's your --events_expiry set at?
  • Mystery Incorporated
    1 year ago
    It seems I have not set an expiry, which is likely my problem
  • alessandrogario
    1 year ago
    It shouldn't be a problem though, event optimization (default enabled) will not return the same data twice, so it won't log duplicates
  • Mystery Incorporated
    1 year ago
    or actually, would it be a problem if I'm fetching the events every 10 seconds?
  • alessandrogario
    1 year ago
    That message is not an error, just informational
    if you wish to use the same table from different queries, it's not ideal to expire everything on the first query
  • Mystery Incorporated
    1 year ago
    Ah yes I see, because data will be gone for query 2
    but somehow I am ending up with 50000 entries in the table
    does osqueryi and osqueryd share the same db?
  • alessandrogario
    1 year ago
    that is normal, without expiration you will keep getting new events added at the end, and expiration will remove them from the start of the queue
    once the max amount of events (--events_max) is reached, it will remove events on one side as new ones are added to the other side
    when using scheduled queries + osqueryd, event optimization will make sure that only new events are added (i.e. you will only log new rows added since the last query)
  • Mystery Incorporated
    1 year ago
    so to alleviate that warning I should set max to say 49000 then?
  • alessandrogario
    1 year ago
    osqueryi and osqueryd are separate
    it's not a warning, it's just an informational message
    everything is working as intended
  • Mystery Incorporated
    1 year ago
    overflowed is usually bad, isn't it?
  • alessandrogario
    1 year ago
    if you do not wish to query the same table from multiple queries, you can set the events_expiry so that the first query will remove them
    no, it's just telling you that it's performing the cleanup, nothing bad is happening
  • Mystery Incorporated
    1 year ago
    oh rightio