<@UKBRAB1UL> here is a fix <https://github.com/osq...
# generalt
theopolis
10/04/2020, 8:33 PM
@Prateek Kumar Nischal here is a fix https://github.com/osquery/osquery/pull/6694
👍 1
p
Prateek Kumar Nischal
10/04/2020, 8:36 PMPS: I came across this while trying to see if the “category” label can be attached in the process_file_events table.
Right now, I am not able to get process_file_events to emit any event.. I can see the fim debug logs with the files being recorded but it’s not coming up in the osquery logs
t
theopolis
10/04/2020, 8:49 PM
This is a newish change, but of course would be present in 4.5.0
p
Prateek Kumar Nischal
10/04/2020, 9:02 PMhas this been added in the 4.5.0 😬 ? I don’t see it in the table descriptions.
Prateek Kumar Nischal
10/04/2020, 9:04 PMI have kind of implemented it.. but somehow I am not able to get process_file_events to emit any event.. even with 4.4.0 as control.. maybe I have messed something up with my config.
Prateek Kumar Nischal
10/04/2020, 9:24 PMJust in case: https://paste.ubuntu.com/p/JdbwTPzvCy/
Copy code
--disable_audit=false
--allow_unsafe
--audit_allow_config
--audit_allow_fim_events=true
--events_max=10000
--audit_backlog_limit=10000
--audit_backlog_wait_time=60000
--audit_persistPrateek Kumar Nischal
10/04/2020, 9:26 PMin the audit_fim_debug mode I see
Copy code
Type: Close ProcessID: 26465 ImagePath: /bin/bash Data: Close /etc/a.conf StateChange: True
Type: Write ProcessID: 26465 ImagePath: /bin/bash Data: Write /etc/a.conf StateChange: True
Type: Open ProcessID: 26465 ImagePath: /bin/bash Data: Open /etc/a.conf StateChange: True