Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
e
Eric G
12/21/2022, 7:43 PMTHe doc for FIM provides some nice thoughts on troubleshooting no entries for linux and macos but not much for windows. trying to set up FIM based on the docs and am not getting any entries into the ntfs_journal_events table: 🧵
conf file
{
"decorators": {
"always": [
"SELECT instance_id, region, availability_zone, local_ipv4, account_id FROM ec2_instance_metadata;"
],
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"file_paths": {
"c": [
"C:\\Program Files\\osquery\\logs\\%"
]
},
"options": {
"disable_logging": "false",
"disable_tables": "",
"host_identifier": "hostname",
"verbose": "true"
},
"schedules": {
"file_events": {
"interval": 300,
"query": "SELECT * FROM ntfs_journal_events;"
}
}
}boot flags
--disable_events=false
--enable_ntfs_event_publisher=trueonly thing interesting from verbose mode is an informational message i've seen floating around. happens whenever i mess with files in a watched path.
I1221 19:45:27.390025 2224 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.also here are enabled events:
select * select * from osquery_events;
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| name | publisher | type | subscriptions | events | refreshes | active |
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| WindowsEventLogPublisher | WindowsEventLogPublisher | publisher | 0 | 0 | 0 | 1 |
| ntfs_event_publisher | ntfs_event_publisher | publisher | 1 | 0 | 5 | 1 |
| ntfs_journal_events | ntfs_event_publisher | subscriber | 1 | 0 | 0 | 1 |
| powershell_events | WindowsEventLogPublisher | subscriber | 0 | 0 | 0 | 0 |
| windows_events | WindowsEventLogPublisher | subscriber | 0 | 0 | 0 | 0 |
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+n
Naveen
05/24/2023, 6:57 AMhi @Eric G were you successful in implementing this. ? I too have a similar problem of FIM not working on Windows using ntfs journal events!