
Samuel Carvalho

12/23/2020, 8:05 PM
SELECT * FROM file_events;

theopolis

12/23/2020, 8:47 PM
Are you also changing something in /etc?
The intent of this table is to watch for changes but that watch starts at the point you start osquery.

Stefano Bonicatti

12/23/2020, 8:52 PM
Also, be sure to pass --enable_file_events if you're using osquery 4.6.0.
Originally the INotify based publisher was automatically active as soon as one enabled events, but now, like the other publishers, it has its own flag to enable that.

theopolis

12/23/2020, 9:00 PM
Good call
I think osquery would report "Subscriber disabled via configuration" for file_events if this were 4.6.0.