I tried select * from file_events; to test out file creation (use touch comand) an dit works; but how can when I jsut READ the very same file again using more or ls; it is not showing the file was accessed as READ. how can I do that?

See 'File Accesses' on this page: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ Have you configured

file_accesses

with the folders in your osquery config? This is additional config on top of the

file_paths

config that must be set up, because file accesses can be very noisy and have a lot of overhead. It's an explicit opt-in.

yes I did { “options”: { “disable_events”: “false” }, “schedule”: { “file_events”: { “query”: “SELECT * FROM file_events;“, “interval”: 300 } }, “file_paths”: { “core-services”: [ “/Users/etsang/dev/src/cd.123.com/core-services/%%” ] }, “file_accesses”: [“core-services”] }

I don't think

ls

would open the file though

ah yeah that's true. Not sure about

more

though; seems like that should open the file?

more

would definitely open the file

i tried both but no entry