I've had <file access monitoring> enabled at my or...
# macoss
sean.cavanaugh
10/09/2024, 2:43 PMI've had file access monitoring enabled at my org for several months via the
es_process_file_eventssean.cavanaugh
10/09/2024, 2:44 PM Copy code
# Fleet configurations
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=60
--distributed_interval=10
--distributed_plugin=tls
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--events_expiry=1
--disable_distributed=false
--enroll_tls_endpoint=/api/v1/osquery/enroll
--tls_hostname=<fleet fqdn>
--tls_server_certs=/var/osquery/amazon.crt
--enroll_secret_path=/var/osquery/kolide_secret
# Logs results to Fleet server
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
# When True, each row from a snapshot event is logged individually
--logger_snapshot_event_type=true
# Sets host identifier to hostname
--host_identifier=hostname
# Disables sensitive tables
--disable_tables=shell_history
# Sets query pack delimiter to "/"
--pack_delimiter=/
# Watchdog configs
--watchdog_memory_limit=500
--watchdog_utilization_limit=130
# Eventing configurations
--disable_events=false
--disable_endpointsecurity=false
--disable_endpointsecurity_fim=false
--es_fim_enable_open_events=true
--enable_keyboard_events=true
--enable_mouse_events=true
# Displays matching rule strings from yara scan results
--enable_yara_string=truesean.cavanaugh
10/09/2024, 2:45 PMI've enabled verbose logging on my host specifically to see if there are any messages that are logged when/if it stops again.
sean.cavanaugh
10/09/2024, 5:12 PMwe have
--events_expiry=1eventss
sharvil
10/11/2024, 6:36 AMJust seeing this, taking a look
5 Views