Purge logs after writing to prevent unbounded growth of buffer #70
Conversation
| // buffers. | ||
| func (e *Extension) writeAndPurgeLogs() { | ||
| for _, typ := range []logger.LogType{logger.LogTypeStatus, logger.LogTypeString} { | ||
| // Write logs |
There was a problem hiding this comment.
Is it worth checking to see if the logs are already at the limit before writing, just to purge after?
There was a problem hiding this comment.
Hmm, I'm not sure it is (such as a case where writing brings the logs back down below the limit). We're looking at a pretty abnormal scenario if the limit is ever exceeded, so I don't think it matters too much which strategy we use, but this strategy seems potentially slightly less lossy while giving similar bounding guarantees.
osquery/extension.go
Outdated
| fmt.Println("ignoring unknown log type: ", err) | ||
| level.Info(e.Opts.Logger).Log( | ||
| "msg", | ||
| fmt.Sprintf("Ignoring unknown log type: %v", typ), |
There was a problem hiding this comment.
Instead of concatenating the log type into a string, you could add it as a log_type=typ key, value. That gives the ability to filter by key/value.
| f := func(k uint64) bool { | ||
| return k == uint64FromByteKey(byteKeyFromUint64(k)) | ||
| } | ||
| if err := quick.Check(f, nil); err != nil { |
osquery/extension.go
Outdated
| "msg", | ||
| fmt.Sprintf("Buffered logs limit (%d) exceeded. Purging %d logs.", | ||
| e.Opts.MaxBufferedLogs, | ||
| deleteCount, |
There was a problem hiding this comment.
deleteCount could also be a key/value, allowing someone to extract some metrics if they're valuable. I would write something like.
"msg", "Purging buffered logs. Max limit exceeded",
"limit", e.Opts.MaxBufferedLogs,
"purged_log_count", deleteCount,
|
Great comments re logging @groob. Thank you. |
After attempting to write logs, purge the oldest logs until the
buffer is back under the limit. Limit is currently set at 500,000
logs per type (result and status).
Closes #58