Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey, I see this question asked couple of times in the past, but can't find an answer, so I will ask again: we are monitoring "/etc", but since there are files/directories there that are symlinks to /usr/share or other, is there a way to tell osquery to not monitor symlinks?

<@U01Q2U92KFE> you could consider joining `file_events` and `file` tables and adding a WHERE clause that filters `type` values of "symlink".

Janky workaround but not sure what your reasoning is for not wanting symlinks included