hi i am performing file integrating monitoring using osqueryd this is my config file { "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "pidfile": "/var/osquery/osquery.pidfile" }, "schedule": { "file_events": { "query": "select * from file_events;", "interval": 30 } }, "file_paths": { "root": [ "/%" ] } } this is my flag file --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --logger_plugin=filesystem --logger_path=/var/log/osquery --disable_logging=false --log_result_events=true --schedule_splay_percent=10 --pidfile=/var/osquery/osquery.pidfile --events_expiry=3600 --database_path=/var/osquery/osquery.db --verbose=false --worker_threads=2 --disable_events=false --disable_audit=false --audit_allow_config=true --host_identifier=hostname --enable_syslog=true --audit_allow_sockets=true --schedule_default_interval=3600 i am using this command to run my osueryd sudo osqueryd --config_path /etc/osquery/osquery.example.conf now when i change the content of the file i created for the test purpose in the specified path to be monitored, i don't see any record in file_events table neither in log files

Hi, @zahida naeem! If that's the exact command you're using, it looks like you're missing the

=

.

—config_path=/path/to/file.conf

but still i'm getting no record in file_events table

hey @zahida naeem it seems you are missing,

--enable_file_events=true

in your flags (sorry if it's already there and I missed it), can you also add

--verbose

to turn on verbose logging in care there are any debug messages

Hi Zahida, for that test file you would need to add a % to the Downloads folder path like this

"tmp": [ "/home/slyb/Downloads/%", "/tmp/%" ]

I do see that file_event listener is been successfully added, and that it’s also executing the scheduled file_events query..

how to access those files in osquery?

you can test the permission by running

select * from file where path = $testfile

I am not sure I understand your question, but the results of that scheduled

file_events

query would be in

/var/log/osquery/results.log

, is that not the case?

I have 2 other steps for you 1 remove the scheduled query for file_events and trying running it manually (after deleting and recreating file) 2 check the

osqueryd.snapshots.log

file under

/var/log/osquery/

when i run it manually i got the following error table file_events is event based but events are disabled

are you using osqueryi? you will need to pass in the same flags (disable_events=false and enable_file_events=true)

ok,I ran the osqueryi passing these flags and i got the desired result 🙂 but the problem is i'm doing it manually everytime i create or modify a file ...that's why i added this query in osquery config file so that it can be scheduled but the probelm the daeom is running this query but not storing result anywhere

Just to clarify, are you running

osqueryi

as root there?

yes

It definitely looks like it should be showing up now. Has the scheduled query triggered since making the changes? Do you get any results if you run a live query?

problem resolved🤩 i created a pack of fim and added in my config file and it works as a charm