https://github.com/osquery/osquery logo
Isaac

05/14/2018, 9:28 PM
Hello Team, we have been using osquery for the last few months, and we really like it; we appreciate your hard work, thank you. We have been trying to solve a persistent issue. Version we have: 2.10.2-1 on CentOS.
We can't seem to find a happy place where we can exclude specific directories/files and get a guaranteed output of events to be logged based on the 120-second interval set up in the FIM conf.
We have a lot of very active and/or large files (10+GB) coming in and out, and osquery seems to be lagging when trying to analyze the files at service start. The behavior we are seeing is that the FIM query never gets executed, or will not be reliable as to when it may report back.
Please let me know if there is a better way to report this type of stuff; I'll be happy to go deep into details if needed.
clong

05/14/2018, 10:36 PM
There has also been some discussion in #fim around this: https://osquery.slack.com/archives/C0L70NC1W/p1525956610000499
Isaac

05/14/2018, 10:51 PM
@clong thank you for your input, really appreciate it. I will give it a read and see if this helps us with the reporting.
clong

05/14/2018, 10:53 PM
No prob! This may also be relevant: https://github.com/facebook/osquery/issues/1142 Haven't read too much into your specific issue, but I've seen a handful of posts from folks asking about FIM exclusions.
Isaac

05/14/2018, 11:06 PM
I hope enough noise can help improve FIM, it's so useful. It's so weird that it tries to do an initial inventory of all the files even before running the packs (FIM) and chokes with large files. I'll keep digging, thank you for the pointers!