Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
Mustafa
04/27/2018, 11:38 AMis Osquery able to read a file content and send them as logs?
t
theopolis
04/27/2018, 12:38 PMNope, we sort of resist doing this. If there’s a single file you believe everyone in the world should read and report on we can morph that content into a virtual table.
z
zwass
04/27/2018, 4:07 PMDoesn't the file carver do this?
m
Mustafa
04/28/2018, 12:48 PMi would be glad if you give some information about file carver. is it related to carves table?
o
obelisk
04/30/2018, 4:01 PMThe file carver can do this but it is slightly more complicated to set up. @theopolis is right that we resist doing this so easily in virtual tables.
Carver is disabled by default and requires configuration to setup (so that you still get safety by default). I have a blog post here: http://www.metalliccode.com/carving/ that covers the basics of configuring carver.
👍 1
Also if you need this feature in someway and cannot configure carver with your infra, yo could build an extension table to do it for you.