Even though we can disable subscribers through config. I am assuming we still need to add the flags for individual subscribers and bail out without subscribing accordingly. If one requests to disable specific subscriber. Something like this.

--enable_sysmon_events_publisher=false
--enable_sysmon_process_create_events_subscriber=false

The default state of a subscriber via config ("disable->subscribers") is enabled. When the corresponding publisher is enabled, a vanilla config would require the user to specifically mention the subscribers it wishes to disable of all the possible subscribers.

{
  "events": {
    "disable_subscribers": [
            "sysmon_driver_loaded_events",
            "sysmon_file_created_events",
            "sysmon_image_load_events",
            "sysmon_network_connection_events",
            "sysmon_pipe_connected_events",
            "sysmon_pipe_created_events",
            "sysmon_process_accessed_events",
            "sysmon_process_create_events",
            "sysmon_process_tampering_events",
            "sysmon_process_terminate_events",
            "sysmon_remote_thread_events",
     ]
  }
}

Whereas the default state of a subscriber would be disabled (default), when done via flags (osquery.flags). In this case the vanilla config wouldn't need to describe anything about subscribers. Unless the user wishes to turn specific subscribers on (this is opposite to what the config way is). Also this seems to be similar theme in the current implementation. So circling back for thoughts again ? 🙂