Looks to me like that article goes to great lengths to tell us about these events without mentioning how the f we turn them on....
alessandrogario
10/25/2020, 9:38 AM
We need to update the articles, as we very recently changed the flags on Windows (some features used to get automatically enabled causing confusion to users)
alessandrogario
10/25/2020, 9:39 AM
As a general rule, everything should be explicitly enabled; if something is currently being enabled automatically then it's a bug
alessandrogario
10/25/2020, 9:40 AM
To enable an evented table you usually
1. enable events: disable_events=false
2. enable an event publisher (example: enable_audit=true)
3. enable one or more subscribers (a subscriber populates a table; example: enable_audit_process_events=true)
alessandrogario
10/25/2020, 9:41 AM
I am not currently at the computer, but looking at the osqueryd.exe --help output, it should list the required cmdline flags
alessandrogario
10/25/2020, 9:42 AM
could be something similar to
disable_events=false enable_ntfs_journal_events=true
alessandrogario
10/25/2020, 9:43 AM
we'll update the blog post to reflect the recent config changes!
Mystery Incorporated
10/25/2020, 10:08 AM
Is there a list of event publishers somewhere?
alessandrogario
10/25/2020, 1:04 PM
you can run SELECT * FROM osquery_events using osqueryi