# general
The doc for FIM provides some nice thoughts on troubleshooting "no entries" for Linux and macOS, but not much for Windows. I'm trying to set up FIM based on the docs and am not getting any entries in the ntfs_journal_events table: 🧵
conf file:
```json
{
  "decorators": {
    "always": [
      "SELECT instance_id, region, availability_zone, local_ipv4, account_id FROM ec2_instance_metadata;"
    ],
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "file_paths": {
    "c": [
      "C:\\Program Files\\osquery\\logs\\%"
    ]
  },
  "options": {
    "disable_logging": "false",
    "disable_tables": "",
    "host_identifier": "hostname",
    "verbose": "true"
  },
  "schedules": {
    "file_events": {
      "interval": 300,
      "query": "SELECT * FROM ntfs_journal_events;"
    }
  }
}
```
boot flags:
```text
--disable_events=false
--enable_ntfs_event_publisher=true
```
The only interesting thing from verbose mode is an informational message I've seen floating around. It happens whenever I mess with files in a watched path.
```text
I1221 19:45:27.390025  2224 ntfs_event_publisher.cpp:544] FRN pathname lookup failed, trying parent: Failed to open the file in volume C:\. Error: The parameter is incorrect.
```
Also, here are the enabled events:
```text
select * from osquery_events;
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| name                     | publisher                | type       | subscriptions | events | refreshes | active |
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| WindowsEventLogPublisher | WindowsEventLogPublisher | publisher  | 0             | 0      | 0         | 1      |
| ntfs_event_publisher     | ntfs_event_publisher     | publisher  | 1             | 0      | 5         | 1      |
| ntfs_journal_events      | ntfs_event_publisher     | subscriber | 1             | 0      | 0         | 1      |
| powershell_events        | WindowsEventLogPublisher | subscriber | 0             | 0      | 0         | 0      |
| windows_events           | WindowsEventLogPublisher | subscriber | 0             | 0      | 0         | 0      |
+--------------------------+--------------------------+------------+---------------+--------+-----------+--------+
```
Hi @Eric G, were you successful in implementing this? I too have a similar problem of FIM not working on Windows using NTFS journal events!
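A pre-flight checklist for this kind of setup, added here as an example and not part of either post above. It is a PowerShell script for an elevated prompt that checks the things the Windows side of the FIM doc leaves implicit: that the volume actually has a USN change journal (the ntfs_journal_events publisher reads that journal), that the shell and the osqueryd service account have the rights to open the volume, that the config carries the `schedule` and `file_paths` keys osquery looks for, and finally it launches osqueryi with the event flags so the publisher can be exercised interactively against a watched path. The install directory, config filename, service name and volume letter are assumptions; adjust them for your host.

```powershell
# Added example, not from the thread: pre-flight checks for osquery FIM via
# ntfs_journal_events on Windows. Run from an elevated PowerShell prompt.
# Paths, service name and volume below are assumptions; adjust for your install.
$OsqueryDir  = 'C:\Program Files\osquery'
$ConfigPath  = Join-Path $OsqueryDir 'osquery.conf'
$ServiceName = 'osqueryd'
$Volume      = 'C:'

# 1. Opening the volume handle to read the change journal normally requires
#    administrator rights, so an unelevated shell cannot reproduce what the
#    daemon sees.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: this shell cannot read the change journal.'
}

# 2. The volume must have an active USN change journal; without one the NTFS
#    publisher has nothing to read. fsutil exits non-zero when it is absent.
fsutil usn queryjournal $Volume
if ($LASTEXITCODE -ne 0) {
    Write-Warning "No USN journal on $Volume. Create one with: fsutil usn createjournal m=0x4000000 a=0x400000 $Volume"
}

# 3. The service account decides which privileges osqueryd actually runs with.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, StartName, PathName

# 4. Sanity-check the config keys FIM depends on: scheduled queries live under
#    "schedule" and the watched globs under "file_paths". A misspelt top-level
#    key is silently ignored, so the query would never run.
$config = Get-Content -Raw $ConfigPath | ConvertFrom-Json
foreach ($key in 'schedule', 'file_paths') {
    if (-not ($config.PSObject.Properties.Name -contains $key)) {
        Write-Warning "Config is missing the '$key' key."
    }
}
if ($config.file_paths) {
    $config.file_paths.PSObject.Properties |
        ForEach-Object { "file_paths.$($_.Name): $($_.Value -join ', ')" }
}

# 5. Exercise the publisher in an interactive shell. osqueryi keeps its own
#    ephemeral event store, so this tests the publisher rather than the
#    daemon's backlog. Once the prompt appears, touch a file under a watched
#    path and run the two queries printed below.
Write-Host "In osqueryi, run:"
Write-Host "  SELECT name, type, subscriptions, events, active FROM osquery_events WHERE publisher = 'ntfs_event_publisher';"
Write-Host "  SELECT action, path, time FROM ntfs_journal_events;"
& (Join-Path $OsqueryDir 'osqueryi.exe') `
    --disable_events=false `
    --enable_ntfs_event_publisher=true `
    --config_path $ConfigPath
```

If step 2 reports no journal, nothing downstream can work; if step 1 or 3 shows an unprivileged context, the publisher may start (active = 1) yet never be able to resolve file names. Step 5 separates "publisher not firing" from "daemon not draining events" by exercising the publisher in a fresh osqueryi session.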