10/14/2022, 1:39 AM
Hi osquery team, I set up a FIM through the Fleet UI like this:

```yaml
overrides:
  platforms:
    all:
      file_paths:
        etc:
          - /etc/osquery/%
      exclude_paths:
        tmp:
          - /tmp/too_many_events/
        homes:
          - /home/not_to_monitor/.ssh/%%
```

I can see that the config has been pushed to the agent side, but it doesn't work as expected: when I create a new file under the configured folder, there is no event generated in the file_events table. And I found some errors in the osquery system log:

```
Oct 14 01:32:59 n121-038-121 osqueryd[563006]: {"data":[{"hostIdentifier":"XXX","calendarTime":"Fri Oct 14 01:32:47 2022 UTC","unixTime":"1665711167","severity":"0","filename":"auditdnetlink.cpp","line":"745","message":"Malformed audit record received","version":"5.4.0-dirty","decorations":{"host_uuid":"XXX","hostname":"XXX"}},{"hostIdentifier":"XXX","calendarTime":"Fri Oct 14 01:32:47 2022 UTC","unixTime":"1665711167"I1014 01:32:59.163120 563128 config.cpp:1238] Refreshing configuration state
```

Does it mean the audit did not begin as expected? And how to fix it?