The intent of this table is to watch for changes, but that watch starts at the point you start osquery.
Stefano Bonicatti
1 year ago
Also, be sure to pass --enable_file_events if you're using osquery 4.6.0. Originally the INotify-based publisher was automatically active as soon as one enabled events, but now, like the other publishers, it has its own flag to enable that.