Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Regarding FIM. I see heaps of inotify errors where I’m monitoring `/etc/%%`  - the errors all specify paths ending with `/`, e.g. `message=Could not add inotify watch on: /etc/pki/tls/openssl.cnf/`

These are not directories. What I’m wondering is, is there some way to recurse but also to tell it - once you get to the last folder stop there? Or do we just ignore inotify errors ending in `/`? It’s a little hard to determine _why_ the error is present - I have to presume it’s trying to watch something as a folder and failing, but, how would I know if I also have a limits issue?

I also wonder if it’s possible to not follow symlinks, as it ends up trying to watch things in /proc, /dev/null etc :thinking_face:

I found that using `file_paths_query` got around this. Tempted to look at raising an improvement for being able to use the `directory` column now :thinking_face:
```"file_paths_query": {
    "etc_config": [
      "select DISTINCT path from file where directory LIKE '/etc%%'"
    ]
  },```