Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
sean.cavanaugh
10/28/2019, 10:05 PMI was curious to why the process_events table has a field for auid but the processes table doesn't. Anyone have some insight?
f
ForensicITGuy
11/01/2019, 12:34 PMThe processes table parses the /proc filesystem like ps does to enum the processes. The eventing table listens to events from the kernel audit subsystem like auditd does.
s
sean.cavanaugh
11/01/2019, 2:34 PMAwesome, thank you Tony