Hello, I'm trying to understand how the FIM works ...
# fim
d
Hello, I'm trying to understand how the FIM works on Windows. How does the journal cache work on Windows? Are the files cached only at the start? Let's say I'm watching `C:\Users\vagrant\Documents\%`, and no file exists at the moment osquery starts. If I create a file named `test.txt` and a few minutes later I delete that file, will I get an event? What if I also watch the folder and the folder existed previously? What if I also watch the folder and the folder did not exist previously?
m
@yossarian I know it has been a long time but would you recall answers to any of these questions?
y
the files should not be cached only at the start; the cache is continually updated based on events
i.e. if you monitor a directory and create a new file within it after starting osquery, it should catch it
d
@yossarian thank you!!!
After some tests, I think we have a bug of some kind around this. I've opened an issue: https://github.com/osquery/osquery/issues/7642 If I misunderstood how it should work, feel free to close it directly.