I'm trying to capture fim events. I would prefer audit events over inotify but when I query process_file_events table, it doesn't return anything. But if I query file_events table, I get all the fim events. I;m using following flags: --disable_events=false --disable_audit=false --audit_allow_config=true --audit_persist=true --audit_allow_sockets --audit_allow_process_events=true --audit_allow_fim_events=true conf: "file_paths": { "fim": [ "/apps/osquery/fim/" ] } I've written a script which generates FIM events in directory '/app/osquery/fim' Am I missing something ? Any misconfiguration ? using osquery version: 3.2.6

Did you get it to work? I just tested on macOS at least and it was working for me.

hey, I was trying on amazon_linux VM (AWS) and wasn't able to make it work few days back. After that I didn't get time to try it on some other OS or my mac. Will give it a try and let you know. Thanks.