Hello folks.
I have been trying to find the cause...
# fimg
Gray Cat
04/19/2021, 8:34 PMHello folks.
I have been trying to find the cause of a weird bug but failed to do so...
My osqueryd suddenly stopped logging FIM DELETE events. If I create a file, modify it, and then delete it, I will have all file change events except "DELETE". Does anyone have ideas on the cause of this? Thanks in advance!
t
theopolis
04/19/2021, 8:50 PM
Can you share details about how to reproduce the situation?
What version of osquery, what is your configuration, what operating system?
How are you triggering the expected behavior?
g
Gray Cat
04/19/2021, 9:29 PMThanks for your response 🙏
This is more like a weird behavior that happens all the sudden. I'm currently using v.3.2.4, and it was recording deleted events perfectly.
OS: Amazon Linux AMI release 2018.03.
Config:
Copy code
1 {
2 "options": {
3 "config_plugin": "filesystem",
4 "logger_plugin": "filesystem",
5 "logger_path": "/mnt/logs/osquery",
6 "pidfile": "/etc/osquery/osquery.pidfile",
7 "disable_events": "false"
8 },
9 "schedule": {
10 "file_events": {
11 "query": "SELECT fe.*, u.username FROM file_events fe JOIN users u on fe.uid=u.uid
12 "interval": 10
13 }
14 },
15 "file_paths": {
16 "file_list": ["~/{user home directory}/%"]Gray Cat
04/19/2021, 11:43 PMForgot to add... The way I triggered it was to add a file and then remove it by
rm -f {file}Gray Cat
04/19/2021, 11:43 PMThe file was place under a monitored path.
Gray Cat
04/20/2021, 5:37 AMAh. I found the cause of it... UID is blank for delete events.
5 Views