Hi, is there a way to disable

file_events

while keeping

process_file_events

enabled. We plan to enable audit based FIM enabled while keeping inotify based FIM disabled? We want to reduce the resource consumption by reducing the inotify handles opened.

I’m curious if you measured the performance impact of both audit and inotify working together. Did you find it unacceptable?

I have ended up opening a PR for this: https://github.com/osquery/osquery/pull/6663 I think this problem is similar to the Windows publishers that were all getting implicitly enabled as soon as events were ON.

@theopolis I don't have data available to capture the impact. We want to prevent too many file handles being opened even when we are use audit based FIM. There is a chance that ulimit is hit if too many are being monitored even while using audit based FIM.

It's a draft/idea; it can be implemented in a different way. I'm asking for feedback here: https://osquery.slack.com/archives/C08VA3XQU/p1600866826003300