Morning all happy monday This morning i updated osquery to 5

Question

Morning all happy monday This morning i updated osquery to 5 2 0 and saw that now the events expiration time issue seems to have been fixed ```osquery gt I0124 07 36 52 546579 8828 eventfactory cpp 352 The minimum events expiration timeout for ntfs journal events has been adjusted 240``` However after performing my same test to see if i can generate some events in the ntfs journal events table i m still not getting anything Once again my testing procedure is 1 In an admin shell run `osqueryi exe flagfile=osquery flags` The interactive shell starts without issue 2 run `select from osquery events`confirming active subscribers publishers including ntfs journal events both the event publisher and subscriber are active 3 modify file C Windows Temp test txt Modifications include additional text as well as change permissions 4 repeat step 2 in the same admin shell observe no change to event count of ntfs journal events I also confirmed this by running `select from ntfs journal events ` which returned nothing

Ted Dorosheff · Answer

Another thing i ve noticed since updating to 5 2 0 is that my osquery conf file is no longer parsing correctly and i cannot figure out why Note normally i m loading config via TLS plugin but for testing i also have a local config The local config follows the same format as that which we have in fleetDM my config is SUPER barebones on my test machine and was working without issue when i was running 4 8 FYI this was ``` options host identifier hostname schedule splay percent 10 schedule windows query SELECT FROM ntfs journal events interval 300 file events query SELECT FROM file events removed false interval 300 file paths homes C Users ted exclude paths homes C Users ted test ```