Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
k
Karthick
10/20/2022, 1:44 AMAm looking for a way to enable process_file_events table in Linux environment, I was able to enable file_events using command line osquery.flags. Osquery is configured via fleetdm
i have below config to enable process_file_events in osquery.flags
--disable_events=false
--disable_audit=false
--enable_file_events=true
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_persist=true
can you give me points what am i missing
k
Keith Swagler
10/20/2022, 1:16 PMDo you also have file_paths configured in Fleet ? OSQuery has an example one, if you are using Fleet for config you will have to convert to YAML
k
Karthick
10/20/2022, 1:19 PMYes it is configured and file_events table is able to pick the paths
k
Keith Swagler
10/20/2022, 1:28 PMwhat Kernel version are you on ?
k
Karthick
10/27/2022, 8:16 AM3.10.0-1160.53.1.el7.x86_64
kernel version we have
disabling audit service resulted in process_file_events output