Ben
01/21/2021, 3:43 AMfile_accesses
in my config. What else could I be forgetting?--disable_extensions
--disable_events=false
--enable_file_events=true
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
{
"file_paths": {
"tmp": [
"/tmp/%%"
]
},
"exclude_paths": {
"tmp": [
"/tmp/do_not_monitor1/"
]
},
"file_accesses": [
"tmp"
]
}
CREATED
, ATTRIBUTES_MODIFIED
, and DELETED
events for files in /tmp, but no access events.allister
01/21/2021, 4:34 AMBen
01/21/2021, 5:54 AMtheopolis
01/21/2021, 2:11 PMprocess_file_events
, the file_events
table is populated through FSEvents. Let me look at the code quickly and try to guess why the accesses is not working for you.Ben
01/21/2021, 6:07 PMprocess_file_events
, but primarily would like to get file_events
with accesses working first.