Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Samuel Carvalho
12/23/2020, 8:05 PMSELECT * FROM file_events;t
theopolis
12/23/2020, 8:47 PMAre you also changing something in
/etcThe intent of this table is to watch for changes but that watch starts at the point you start osquery.
s
Stefano Bonicatti
12/23/2020, 8:52 PMAlso, be sure to pass
--enable_file_eventsOriginally the INotify based publisher was automatically active as soon as one enabled events, but now, like the other publishers, it has its own flag to enable that.
t
theopolis
12/23/2020, 9:00 PMGood call
I think osquery would report
Subscriber disabled via configurationfile_events