or do you only enable a subset of audit events for things yo osquery #general

or do you only enable a subset of audit events for...

Zach Zeid

05/11/2020, 4:31 PM

or do you only enable a subset of audit events for things you truly care about (e.g.

process_event

)

clong

05/11/2020, 8:36 PM

it really depends on how busy the host will be and how many syscalls will be generated

clong

05/11/2020, 8:36 PM

and obviously the hardware specs of the host

Zach Zeid

05/11/2020, 8:37 PM

Is there a way I can understand the perf impact of enabling these?

6 Views