Hi, I am running osquery 5.2.2 on Debian10 and I d...
# fim
Hi, I am running osquery 5.2.2 on Debian10 and I don't see records in the file_events table. When running in verbose mode, I see messages like "Failed to set the netlink owner", which according to readthedocs can be due to auditd, but I don't have this running. Same config works on CentOS7. Any idea what am I missing?
file_events should be using inotify, so the netlink error is unrelated
You could try to look at the logs to make sure SELinux is not blocking osquery
I don't think the logs will work without auditd though
Thanks, I will try with auditd
there is no warning from apparmor
What is the output of
Additional note: if those systems have been upgraded from an older version of osquery, the configuration should now include a flag to enable file_events. It was previously not needed, but was causing conflicts with Audit
I don't have selinux on the debian machine
Copy code
cat >> /etc/osquery/osquery.flags << EOF

cat >> /etc/osquery/osquery.conf << EOF
    "options": {
        "config_plugin": "filesystem",
        "logger_plugin": "filesystem",
        "logger_path": "/var/log/osquery",
        "disable_logging": "false",
        "schedule_splay_percent": "10",
        "pidfile": "/var/osquery/osquery.pidfile",
        "events_expiry": "3600",
        "database_path": "/var/osquery/osquery.db",
        "verbose": "false",
        "worker_threads": "2",
        "disable_events": "false",
        "enable_bpf_events": "true",
        "enable_file_events": "true",
        "disable_audit": "false",
        "audit_allow_config": "true",
        "host_identifier": "hakase-labs",
        "enable_syslog": "true",
        "syslog_pipe_path": "/var/osquery/syslog_pipe",
        "force": "true",
        "audit_allow_sockets": "true",
        "schedule_default_interval": "3600"

    "schedule": {
        "crontab": {
            "query": "SELECT * FROM crontab;",
            "interval": 300
        "system_info": {
            "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
            "interval": 3600
        "ssh_login": {
            "query": "SELECT username, time, host FROM last WHERE type=7",
            "interval": 360

    "decorators": {
        "load": [
            "SELECT uuid AS host_uuid FROM system_info;",
            "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"

    "packs": {
        "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
        "fim": "/usr/share/osquery/packs/fim.conf"


cat >> /usr/share/osquery/packs/fim.conf << EOF
  "queries": {
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 10
  "file_paths": {
    "homes": [
      "etc": [
      "tmp": [
      "www": [
that's the code I am using, with small change of the path of fim.conf (/usr/share is on centos, /opt/osquery on debian)
I see the file is being read when I run with --verbose (it says /etc/%% is being watched)
but when I do "useradd test", there is no entry in file_events table
so I managed to make events appear in file_events table, but there are no records in the logs..