Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
l
lvferdi
11/02/2021, 2:25 PMCan someone help me with exclusions vs inclusions and which win. I have win_socket_events running and I am trying to exclude splunk events. I have the port splunk uses in the includeded ports filter but in the process_name section I exclude the splunk process name. Yes in the results I still see splunk process being reported. The only thing I can think of is that INCLUDES trump EXCLUDES and if the include matches then the exclude is ignored. Is this how it works? Or am I doing something completely incorrect.
Here is an example config that I tried. When this is running I still see the 3 process names in the exclude config being reported. Why would this config not drop the events where the process name matches those in the exclude block.
o
OpenPlgx
11/04/2021, 12:02 PM"Exclude" trumps the "Includes". https://github.com/polylogyx/osq-ext-bin#21-types-of-filters
Let us test it locally. They syntax/format looks fine to me
l
lvferdi
11/05/2021, 2:29 PMhere is the output from osqueryd starting in the foreground with the verbose flag
h
himanshu
11/07/2021, 8:07 AMNo event_filter found"plgx_event_filters":