theopolis
06/20/2017, 10:11 PM
/etc/osquery/osquery.flags or /etc/osquery/osquery.flags.default with a --nodisable_events or --disable_events=false will enable the event publishers for the shell. A config could also turn them on; --config_dump will write the config JSON. Next, why are the events failing? Those are all pipe-based to some API that is privileged on the OS, so you could be running as a restricted user, or have cgroups limiting the binary's permissions?

cc
08/31/2018, 9:09 PM
auditd was running on my centos7 server as well, which steals all the events that need to be sent to osquery. After I disabled auditd, everything works properly. I know this is old, but still wanna leave a message here in case anybody else has the same issue.