Hi is there a way to disable `file events` while keeping `pr

Question

Hi is there a way to disable `file events` while keeping `process file events` enabled We plan to enable audit based FIM enabled while keeping inotify based FIM disabled We want to reduce the resource consumption by reducing the inotify handles opened

theopolis · Answer

I m curious if you measured the performance impact of both audit and inotify working together Did you find it unacceptable

alessandrogario · Answer

I have ended up opening a PR for this <https github com osquery osquery pull 6663> I think this problem is similar to the Windows publishers that were all getting implicitly enabled as soon as events were ON

Prasoon Dwivedi · Answer

< theopolis> I don t have data available to capture the impact We want to prevent too many file handles being opened even when we are use audit based FIM There is a chance that ulimit is hit if too many are being monitored even while using audit based FIM

Prasoon Dwivedi · Answer

< alessandrogario> thanks for the PR

alessandrogario · Answer

It s a draft idea it can be implemented in a different way I m asking for feedback here <https osquery slack com archives C08VA3XQU p1600866826003300>