
    JohnM

    1 year ago
    Hello all. I am new here and wanted to say hi. I have a question about osquery regarding alerting and logging. Who would be the best person to ask? Thank you!
    I want to alert whenever logs have been deleted, without getting a verbose log every time one changes, as this is what I was getting when I added /var/log to my FIM pack: it was filling up whenever a system process changed a file. If anyone has any suggestions, that would be helpful. Thanks.
    Ian Muscat

    1 year ago
    Would something like this work?
    SELECT * FROM file_events WHERE target_path LIKE "/var/log/%%" AND action = "DELETED"
    JohnM

    1 year ago
    Great, thanks! I have added this, and unfortunately it is not picking up my test when I add a file to /var/log/ and then delete it. Nothing in "systemctl status osqueryd -l" provides any detail on why it isn't working. Any clues? Thank you.