#windows

Ted Dorosheff

01/22/2022, 2:40 PM
Touching back on the above. I believe that I am having an issue, the issue being no events showing up in ntfs_journal_events, and now also powershell_events, even after conducting actions which I believe should populate events in those tables. However, perhaps my method of testing whether or not the issue persists is fundamentally wrong. My process to test has been:
1. Run `osqueryi.exe --flagfile=osquery.flags` from C:\Program Files\osquery. Remote config (fleetDM) is successfully loaded, as corroborated by running `--tls_dump` in another separate process at another time (no conflicting PIDs).
2. Within osqueryi.exe run `select * from osquery_events;`. ntfs_journal_events and powershell_events are active.
3. From powershell (though I have also tested via UI and CMD shell) write text files to directories monitored via `file_paths`. ex: `- 'C:\Windows\Temp\'` is listed in file_paths and I write text files to this directory, as well as modify existing files within this directory.
4. Back in my osqueryi.exe shell, run `select * from osquery_events;` again and see that those test events have still not changed the events counter for `ntfs_journal_events` or `powershell_events`. Both of those tables still read 0 events.
zwass

01/22/2022, 5:08 PM
Was the osqueryi shell running the whole time, or did you restart it in step 4?
Ted Dorosheff

01/22/2022, 5:50 PM
Running the whole time