Hi All, Also looking for some help. Trying to get FIM working and have followed the documentation but can't get it to work. osquery.conf - https://pastebin.com/0rSc8fvw My guess is the error is here Subscriber disabled via configuration but not sure what I'm missing in the above conf to enable it

[root@primary osquery]# osqueryi "SELECT * FROM file_events;"
I0715 10:41:40.372663 18293 options.cpp:100] Verbose logging enabled by config option
W0715 10:41:40.372741 18293 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor
I0715 10:41:40.507570 18293 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0715 10:41:40.508178 18293 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 10:41:40.509068 18293 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0715 10:41:40.509141 18293 events.cpp:1122] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0715 10:41:40.509174 18293 events.cpp:1122] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0715 10:41:40.513377 18293 file_events.cpp:82] Added file event listener to: /etc/**
I0715 10:41:40.513458 18293 file_events.cpp:82] Added file event listener to: /root/.ssh/**
I0715 10:41:40.513478 18293 file_events.cpp:82] Added file event listener to: /home/*/.ssh/**
I0715 10:41:40.513536 18293 file_events.cpp:82] Added file event listener to: /tmp/**
W0715 10:41:40.526444 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.548197 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkReader (0x275c6d8) to thread: 140344453695232 (0x26cc720) in process 18293
I0715 10:41:40.548367 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkParser (0x26a3448) to thread: 140344445302528 (0x26c95c0) in process 18293
I0715 10:41:40.548961 18294 auditdnetlink.cpp:623] Failed to set the netlink owner
W0715 10:41:40.560115 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.565127 18296 events.cpp:784] Starting event publisher run loop: auditeventpublisher
I0715 10:41:40.565162 18297 events.cpp:784] Starting event publisher run loop: inotify
I0715 10:41:40.565232 18298 events.cpp:784] Starting event publisher run loop: udev
I0715 10:41:40.565570 18293 dispatcher.cpp:148] Thread: 140344499352960 requesting a stop
I0715 10:41:40.565644 18293 dispatcher.cpp:155] Service: 0x275c6d8 has been interrupted
I0715 10:41:40.565670 18293 dispatcher.cpp:155] Service: 0x26a3448 has been interrupted
I0715 10:41:40.565703 18293 dispatcher.cpp:121] Thread: 140344499352960 requesting a join
I0715 10:41:41.548689 18293 dispatcher.cpp:139] Service thread: 0x26c95c0 has joined

You need to use --disable_events=false with osqueryi

right so the contents of osquery.conf have no impact?

Try setting

--config_path

Still the same sadly

[root@primary osquery]# osqueryi --disable_events=false --config_path=/etc/osquery/osquery.conf  "SELECT * FROM file_events;"
I0715 10:52:12.450359 31039 options.cpp:100] Verbose logging enabled by config option
W0715 10:52:12.450438 31039 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor
I0715 10:52:12.483848 31039 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0715 10:52:12.484429 31039 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 10:52:12.484817 31039 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0715 10:52:12.484874 31039 events.cpp:1122] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0715 10:52:12.484946 31039 events.cpp:1122] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0715 10:52:12.489053 31039 file_events.cpp:82] Added file event listener to: /etc/**
I0715 10:52:12.489159 31039 file_events.cpp:82] Added file event listener to: /root/.ssh/**
I0715 10:52:12.489202 31039 file_events.cpp:82] Added file event listener to: /home/*/.ssh/**
I0715 10:52:12.489254 31039 file_events.cpp:82] Added file event listener to: /tmp/**
W0715 10:52:12.499797 31039 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:52:12.520748 31039 dispatcher.cpp:77] Adding new service: AuditdNetlinkReader (0x28497d8) to thread: 140124636026624 (0x27b9820) in process 31039
I0715 10:52:12.520918 31039 dispatcher.cpp:77] Adding new service: AuditdNetlinkParser (0x2790548) to thread: 140124627633920 (0x27b66c0) in process 31039
I0715 10:52:12.520982 31040 auditdnetlink.cpp:623] Failed to set the netlink owner
W0715 10:52:12.531678 31039 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:52:12.536615 31042 events.cpp:784] Starting event publisher run loop: auditeventpublisher
I0715 10:52:12.536659 31043 events.cpp:784] Starting event publisher run loop: inotify
I0715 10:52:12.536759 31044 events.cpp:784] Starting event publisher run loop: udev
I0715 10:52:12.536909 31039 dispatcher.cpp:148] Thread: 140124681684352 requesting a stop
I0715 10:52:12.536986 31039 dispatcher.cpp:155] Service: 0x28497d8 has been interrupted
I0715 10:52:12.537045 31039 dispatcher.cpp:155] Service: 0x2790548 has been interrupted
I0715 10:52:12.537103 31039 dispatcher.cpp:121] Thread: 140124681684352 requesting a join
I0715 10:52:13.521181 31039 dispatcher.cpp:139] Service thread: 0x27b66c0 has joined

Oh yeah, the problem is that no events are being generated while you are running osqueryi

That makes sense. I've also got that query running in a pack via the daemon so they would hopefully pick it up. Just this error was throwing me off making me think I'd missed something.

Error registering subscriber: process_file_events: Subscriber disabled via configuration

Yeah that's a different subscriber than

file_events

. You should get it via

osqueryd

if you are using the same config.

gotcha thanks... I'll keep plugging away at it then and ignore those 🙂

We need to document

process_file_events

better 🙂 the purpose of this table is to record file events and the PID responsible. But it is unclear how to make this work in the osquery documentation.