# general
@Prateek Kumar Nischal that event will never be picked up unless osquery is updated to parse it
You can start by updating the following files: osquery/tables/events/linux/process_events.cpp osquery/events/linux/process_events.h osquery/events/linux/auditdnetlink.cpp
It is mostly adding the
in the std::unordered_sets and then enable handling of the event
  - Add __NR_kill to kSyscallNameMap
  - Update the `else` case in `if (is_exec_syscall) {`
  - Add kKillProcessEventsSyscalls with __NR_kill
  Inside `if (FLAGS_audit_allow_process_events) {`
    for (int syscall : kKillProcessEventsSyscalls) {
Additional updates
 - Could be worth adding a `audit_allow_kill_process_events` flag
 - There are other kill syscalls that may be interesting to support
Then you may want to test it with
and see what happens
Awesome, thanks for the reply. I was guessing there wasn't an implementation for parsing the KILL syscall. But, I have one question: why weren't there any events when there were 3 rules, execve, execveat and kill? From what I am guessing, if there aren't processors for kill, it should just have ignored those events and the
should anyways print those raw audit logs right..
And I will certainly try to contribute back 😄
@Prateek Kumar Nischal Did you parse this syscall? @Lili fyi