Hello,
I would like to know how to enable FIM using the agent and the Osquery Manager integration. I have set up some configuration according to the osquery documentation for Windows, but it refuses to work. This is my config:
and this is the integration configuration:
{
  "options": {
    "disable_events": false,
    "enable_ntfs_event_publisher": true
  },
  "packs": {}
}
This log might indicate that the configuration is enabled; however, the scheduled query returns nothing, even after a while and after some changes made to the target path:
{"log.level":"info","@timestamp":"2024-10-21T15:01:51.912Z","message":"The minimum events expiration timeout for ntfs_journal_events has been adjusted: 10860","component":{"binary":"osquerybeat","dataset":"elastic_agent.osquerybeat","id":"osquery-default","type":"osquery"},"log":{"source":"osquery-default"},"log.origin":{"file.line":84,"file.name":"beater/logger_plugin.go"},"osquery.filename":"eventfactory.cpp","osquery.cal_time":"Mon Oct 21 15:01:50 2024 UTC","ecs.version":"1.6.0","log.logger":"osquerybeat","osquery.log_type":"status","osquery.severity":0,"osquery.time":1729522910,"service.name":"osquerybeat","ctx":"logger","osquery.line":352,"ecs.version":"1.6.0"}
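An added check, not part of the post, that lints an osquery config for the prerequisites the osquery file-integrity-monitoring docs list for ntfs_journal_events: events enabled, the NTFS publisher on, and at least one file_paths category (the posted config has none). The category name "homes" and the C:\Users path pattern in the corrected config are assumptions, and the scheduled query itself is assumed to be defined as a Kibana pack rather than in this JSON.

```python
import json

# Prerequisites from the osquery FIM docs: events must not be disabled, the
# Windows NTFS publisher must be on, and ntfs_journal_events only reports
# changes under paths that belong to a configured file_paths category.
REQUIRED_OPTIONS = {"disable_events": False, "enable_ntfs_event_publisher": True}


def fim_config_problems(config_text):
    """Return a list of readable problems; an empty list means the prerequisites hold."""
    problems = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    options = cfg.get("options", {})
    for key, wanted in REQUIRED_OPTIONS.items():
        # Identity check on the JSON booleans so that 0/1 or a missing key fails.
        if options.get(key) is not wanted:
            problems.append(
                f"options.{key} must be {json.dumps(wanted)} "
                f"(found {json.dumps(options.get(key))})"
            )
    file_paths = cfg.get("file_paths", {})
    if not isinstance(file_paths, dict) or not any(file_paths.values()):
        problems.append("file_paths has no categories: ntfs_journal_events will never emit rows")
    return problems


# Constructed copy of the config from the post above (options and empty packs only).
POSTED_CONFIG = json.dumps({
    "options": {"disable_events": False, "enable_ntfs_event_publisher": True},
    "packs": {},
})

# Same options plus one file_paths category; "homes" and the path pattern are
# assumed values, not taken from the post ("%%" is osquery's recursive wildcard).
FIXED_CONFIG = json.dumps({
    "options": {"disable_events": False, "enable_ntfs_event_publisher": True},
    "packs": {},
    "file_paths": {"homes": ["C:\\Users\\%%"]},
})

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, fim_config_problems(text) or "ok")
```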