  • Prakhar

    4 years ago
    Hi, is there any option for log rotation for osquery's result logs? If yes, please share the doc link. Thanks
  • yuvalapidot

    4 years ago
    As far as I know, osquery doesn't support rotation out of the box. I would recommend using logrotate on Linux.
  • Prakhar

    4 years ago
    Ok thanks. Just one doubt: does osquery open and close the file descriptor every time it writes to the log file, or does it keep the fd open?
  • yuvalapidot

    4 years ago
    I don't know, but I guess it doesn't. I ran into a problem when I used logrotate on kolide logs, and the fd was kept open, thus no new file was created. Logrotate allows you to use the copytruncate flag, which will solve this issue. Yet I am not sure this is the same with osquery.
  • zwass

    4 years ago
    Kolide fleet works with the standard logrotation scheme of sending a SIGHUP to move to a new log file. Standard osquery doesn't have any log rotation support afaik.