Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Can someone help me with exclusions vs inclusions and which win.  I have win_socket_events running and I am trying to exclude splunk events.  I have the port splunk uses in the includeded ports filter but in the process_name section I exclude the splunk process name.  Yes in the results I still see splunk process being reported.  The only thing I can think of is that INCLUDES trump EXCLUDES and if the include matches then the exclude is ignored.  Is this how it works?  Or am I doing something completely incorrect.

Untitled.txt

Here is an example config that I tried.  When this is running I still see the 3 process names in the exclude config being reported.  Why would this config not drop the events where the process name matches those in the exclude block.

"Exclude" trumps the "Includes". <https://github.com/polylogyx/osq-ext-bin#21-types-of-filters>

Let us test it locally. They syntax/format looks fine to me

here is the output from osqueryd starting in the foreground with the verbose flag

`No event_filter found` warning should come only if osquery.conf file you are using does not have `"plgx_event_filters":` entity