Hi, I am enabling osquery on a linux system, and Iooking for logs on mount and umount of file systems. I see those logs on /var/log/messages file but when I check syslog_events table I dont get these logs. Did anyone face a similar issue?

If you’re trying to process syslog events, you must also configure syslog to send messages to osquery. I believe this is in the syslog documentation. Did you configure that?

yes, I see other logs. But not the mount logs I am looking for. For instance, I see this line in /var/log/messages: Jun 15 134154 uk-9742-000732763282 systemd: Unmounting /var/lib/docker/image/overlay2... And when I do: select * from syslog_events where tag like 'systemd%' and message like '%mount%'; result is empty There is another line like this: Jun 15 144036 uk-9742-000732763282 systemd: Started Sync program to install, update and maintain apps on till. and when I do: select * from syslog_events where tag like 'systemd%'; There is data

events tables are a bit weird. They may not gather events prior to the queries running. Is this osqueryi or osqueryd? What happens if you issue the query, get no logs in osquery, then trigger your mount events?

I was using osqueryi and deliberately did a mount while I have it running.