THe doc for FIM provides some nice thoughts on troubleshooti

Question

THe doc for FIM provides some nice thoughts on troubleshooting no entries for linux and macos but not much for windows trying to set up FIM based on the docs and am not getting any entries into the ntfs journal events table thread

Eric G · Answer

conf file ``` decorators always SELECT instance id region availability zone local ipv4 account id FROM ec2 instance metadata load SELECT uuid AS host uuid FROM system info SELECT user AS username FROM logged in users ORDER BY time DESC LIMIT 1 file paths c C Program Files osquery logs options disable logging false disable tables host identifier hostname verbose true schedules file events interval 300 query SELECT FROM ntfs journal events ```

Eric G · Answer

boot flags ``` disable events=false enable ntfs event publisher=true```

Eric G · Answer

only thing interesting from verbose mode is an informational message i ve seen floating around happens whenever i mess with files in a watched path ```I1221 19 45 27 390025 2224 ntfs event publisher cpp 544 FRN pathname lookup failed trying parent Failed to open the file in volume C Error The parameter is incorrect ```

Eric G · Answer

also here are enabled events ```select select from osquery events + + + + + + + + | name | publisher | type | subscriptions | events | refreshes | active | + + + + + + + + | WindowsEventLogPublisher | WindowsEventLogPublisher | publisher | 0 | 0 | 0 | 1 | | ntfs event publisher | ntfs event publisher | publisher | 1 | 0 | 5 | 1 | | ntfs journal events | ntfs event publisher | subscriber | 1 | 0 | 0 | 1 | | powershell events | WindowsEventLogPublisher | subscriber | 0 | 0 | 0 | 0 | | windows events | WindowsEventLogPublisher | subscriber | 0 | 0 | 0 | 0 | + + + + + + + +```

Naveen · Answer

hi < Eric G> were you successful in implementing this I too have a similar problem of FIM not working on Windows using ntfs journal events