1ihor1
Hi, just wanted to add that we face a memory leak with sysmon on different Linux OS versions (RHEL, CentOS, Debian). The amount of memory used by sysmon is increasing all...
An example of a sysmon event causing the error from syslog_pipe: `"2024-07-25T11:03:53.915671-04:00","kube13","6","user","sysmon:"," 154100x8000000000000000696976Linux-Sysmon/Operationalkube13-2024-07-25 15:03:47.971{f4ec185a-6953-66a2-a57f-7f0000000000}1236091/usr/sbin/runc-----runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process121168380 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429/341459b98e6f0fb6dedf855e9406883620462b5afe587723ba5e30cbf25dbc15.pid 0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429/run/containerd/io.containerd.runtime.v2.task/k8s.io/409e248a1d42826571e5a4c7bb6fae69fb8a3ba70439d554f61417c3ead53ef4root{f4ec185a-0000-0000-0000-000000000000}04294967295no levelSHA256=75411d68af7acf493163a6caab185fe41bf5bf927248c0f032a0627deadd2213{00000000-0000-0000-0000-000000000000}10410---"`
When we filtered out events like the ones I mentioned above at the sysmon level, osquery stopped showing errors during syslog event processing.
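As an added illustration, not taken from the thread or from the Sysmon project, here is a minimal Sysmon for Linux configuration that drops the noisy events at the sensor, so they never reach syslog or osquery's syslog_pipe. The filter the poster actually used is not shown on this page; matching ProcessCreate events on Image `/usr/sbin/runc` is an assumption based on the runc exec event quoted above.

```xml
<!-- Added example config, not the thread author's own. Assumes the events that
     break syslog_pipe are runc ProcessCreate events like the one quoted above;
     the Image value below is that assumption, adjust it to what your logs show. -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- onmatch="exclude": ProcessCreate (EventID 1) events matching any rule
           in this block are dropped; all other ProcessCreate events are still logged. -->
      <ProcessCreate onmatch="exclude">
        <Image condition="is">/usr/sbin/runc</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply it with `sudo sysmon -c sysmon-config.xml` and confirm with a fresh `runc ... exec` that no EventID 1 line for runc appears in syslog. The trade-off is detection coverage: excluding runc wholesale also hides container exec activity that a threat hunter may want, so if only the very long command lines are the problem, consider narrowing the rule (for example a `CommandLine` rule with `condition="contains"` on the containerd task path) rather than excluding the binary outright.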
In my case, I encounter the issue with all files — the hash table doesn't return any data. I believe the 50MB file size limitation is documented and is intended...