valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-06 17:45:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improve event expiration mechanism (#5335)

Browse Source 
Summary:
Pull Request resolved: https://github.com/facebook/osquery/pull/5335

It was reported that osquery eventing mechanism uses too much disk space. As daebeike found it, event expiring was failing in some cases to be executed.

More specifically, expiration check was supposed to run every time EVENTS_CHECKPOINT number of events where added. However, in between the checks for expiration more than EVENTS_CHECKPOINT events could be added and no expiration would be executed. I suppose, this behaviour would be easily reproducible under the high load

Reviewed By: fmanco

Differential Revision: D13565250

fbshipit-source-id: 78bbad3f7aded4beb9e5f42bafd9184e9c2f8efb
This commit is contained in:
George Guliashvili 2019-01-14 10:50:37 -08:00 committed by Facebook Github Bot
parent 3d5309b615
commit 96de926d1c
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
osquery/events/events.cpp
View File

@ -615,18 +615,18 @@ Status EventSubscriberPlugin::addBatch(std::vector<Row>& row_list,
event_id_list.push_back(std::move(row["eid"]));
event_count_++;
// Use the last EventID and a checkpoint bucket size to periodically apply
// buffer eviction. Eviction occurs if the total count exceeds events_max.
if (last_eid_ % EVENTS_CHECKPOINT == 0) {
expireCheck();
}
}
if (database_data.empty()) {
return Status(1, "Failed to process the rows");
}
// Use the last EventID and a checkpoint bucket size to periodically apply
// buffer eviction. Eviction occurs if the total count exceeds events_max.
if (last_eid_ % EVENTS_CHECKPOINT == 0) {
expireCheck();
}
// Save the batched data inside the database
auto status = setDatabaseBatch(kEvents, database_data);
if (!status.ok()) {