Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
x
xiaoliuzi
04/30/2020, 6:07 AMosquery> select * from ntfs_journal_events WHERE action = "FileWrite";
W0430 14:07:10.305126 17384 virtual_table.cpp:967] Table ntfs_journal_events is event-based but events are disabled
W0430 14:07:10.305126 17384 virtual_table.cpp:974] Please see the table documentation: https://osquery.io/schema/#ntfs_journal_events
s
SK
04/30/2020, 6:15 AMHey @xiaoliuzi, probably you must set the '--disable-events=false' flag to make it work as given in the link below. https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/
x
xiaoliuzi
04/30/2020, 6:23 AMAll keyword values are -1 like this;
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1 |
| -1
s
SK
04/30/2020, 6:36 AMProbably this can give you some direction: https://dactiv.llc/blog/new-in-osquery-4.2/#ntfs_journal_events
This is a new feature that I did not try yet.