I seem to be having an issue with osquery not logging file events. I have been trying to troubleshoot but cannot get it to log when a file is changed etc. I believe this was working at one point but I cannot get it to work even with test configs etc. Below is one of those test. Any help appriciated { "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "pidfile": "/var/osquery/osquery.pidfile" }, "schedule": { "file_events": { "query": "select * from file_events;", "interval": 30 } }, "file_paths": { "passwd": [ "/etc/%%", "/etc/passwd" ] } } sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf I0526 211859.643483 30409 init.cpp:357] osquery initialized [version=5.2.3] I0526 211859.675431 30409 system.cpp:354] Found stale process for osqueryd (29798) I0526 211859.675503 30409 system.cpp:386] Writing osqueryd pid (30409) to /var/run/osqueryd.pidfile I0526 211859.675586 30409 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load I0526 211859.675666 30409 dispatcher.cpp:78] Adding new service: WatcherRunner (0x561f42763bd8) to thread: 140531558029056 (0x561f42765ce0) in process 30409 I0526 211859.676618 30410 watcher.cpp:656] osqueryd watcher (30409) executing worker (30411) I0526 211859.682361 30411 init.cpp:354] osquery worker initialized [watcher=30409] I0526 211859.682494 30411 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x561bbfe0c098) to thread: 139669029955328 (0x561bbfe27380) in process 30411 I0526 211859.682576 30411 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db I0526 211859.731186 30411 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x561bbff2ea98) to thread: 139668351862528 (0x561bbfed2970) in process 30411 I0526 211859.731283 30411 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x561bbfe73128) to thread: 139668360255232 (0x561bbfe276f0) in process 30411 I0526 211859.731369 30411 auto_constructed_tables.cpp:99] Removing stale ATC entries I0526 211859.731971 30411 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration I0526 211859.732100 30411 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration I0526 211859.732131 30411 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration I0526 211859.732157 30411 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration I0526 211859.732272 30411 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration I0526 211859.732404 30411 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration I0526 211859.732456 30411 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration I0526 211859.732527 30411 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration I0526 211859.732599 30411 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration I0526 211859.734840 30524 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em I0526 211859.760321 30411 file_events.cpp:87] Added file event listener to: /etc/** I0526 211859.760396 30411 file_events.cpp:87] Added file event listener to: /etc/passwd I0526 211859.786321 30411 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled. I0526 211859.786425 30411 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x561bc0039928) to thread: 139668771301120 (0x561bc0075b10) in process 30411 I0526 211859.786356 30525 eventfactory.cpp:390] Starting event publisher run loop: udev I0526 211912.788693 30526 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events; I0526 211912.790205 30526 query.cpp:110] Scheduled query has been updated: file_events I0526 211941.794340 30526 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events; I0526 212010.799435 30526 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events; ^Z [1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf [ec2-user@ip-10-0-241-143 etc]$ sudo touch /etc/passwd [ec2-user@ip-10-0-241-143 etc]$ fg sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf I0526 212053.033473 30526 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events; I0526 212122.039810 30526 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events; ^Z [1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf [ec2-user@ip-10-0-241-143 etc]$ sudo cat /var/log/osquery/osqueryd.results.log {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root run-parts /etc/cron.hourly","day_of_month":"*","day_of_week":"*","event":"","hour":"*","minute":"01","month":"*","path":"/etc/cron.d/0hourly"},"action":"added"} {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root /opt/elasticbeanstalk/bin/publishlogs -type publish","day_of_month":"*","day_of_week":"*","event":"","hour":"*","minute":"10,30,50","month":"*","path":"/etc/cron.d/publishlogs"},"action":"added"} {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root /usr/sbin/raid-check","day_of_month":"*","day_of_week":"Sun","event":"","hour":"1","minute":"0","month":"*","path":"/etc/cron.d/raid-check"},"action":"added"} {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root /usr/lib64/sa/sa1 1 1","day_of_month":"*","day_of_week":"*","event":"","hour":"*","minute":"*/10","month":"*","path":"/etc/cron.d/sysstat"},"action":"added"} {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root /usr/lib64/sa/sa2 -A","day_of_month":"*","day_of_week":"*","event":"","hour":"23","minute":"53","month":"*","path":"/etc/cron.d/sysstat"},"action":"added"} {"name":"crontab","hostIdentifier":"ip-10-0-241-143.us-east-2.compute.internal","calendarTime":"Mon May 16 190720 2022 UTC","unixTime":1652728040,"epoch":0,"counter":0,"numerics":false,"columns":{"command":"root /usr/bin/systemctl --quiet restart update-motd","day_of_month":"","day_of_week":"","event":"@daily","hour":"","minute":"","month":"","path":"/etc/cron.d/update-motd"},"action":"added"} [ec2-user@ip-10-0-241-143 etc]$

Hi Jason, might be easier to read if you use code blocks - three backticks.

code here