
I was successful in capturing file activities with file_events, but could not make process_file_events work properly. After some file activities in the monitored directory, I could not see any event coming to my plugin. For the same plugin with the same conf file, the file_events are fetched successfully.

The conf file is modified to contain process_file_events instead of file_events.

Following is the flags file:

--disable_extensions=false
--disable_events=false
--disable_audit=false
--enable_file_events=true
--audit_allow_config=true
--audit_allow_process_events=true
--audit_allow_fim_events=true
--logger_plugin=LogrPlugin
--extensions_timeout=10
--extensions_interval=5
--extensions_require=ExtensnMgr

Is the flags file correct? And is there any other difference to be made between file_events (which was working) and process_file_events?

Baab
  • Update: Could get 1 file event. Thereafter, seeing the following error: "The Audit publisher has throttled reading records from Netlink for 8.5 seconds. Some events may have been lost." How to handle this scenario? – Baab Feb 10 '23 at 11:02
  • I wanted to check whether anyone has seen this problem of "The Audit publisher has throttled reading records from Netlink for 8.5 seconds. Some events may have been lost." And how to solve this? – Baab Feb 15 '23 at 05:55

0 Answers
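As an added example (not part of the question or of osquery's own code), the following script encodes the flag requirements that separate the two tables and checks a flagfile against them. file_events is fed by the inotify publisher and needs --disable_events=false plus --enable_file_events=true; process_file_events is fed by the audit publisher and needs --disable_events=false, --disable_audit=false and --audit_allow_fim_events=true. Both tables take their watched directories from the "file_paths" section of the config, so the script also emits a minimal config for either table. The throttle message quoted in the comments is parsed too, so a log consumer can flag windows in which events may have been dropped. The flagfile text is the one posted above; the directory /tmp/watched and the query names are assumptions.

```python
"""Lint an osquery flagfile for the flags each FIM table needs, emit a
matching config, and extract the throttle window from the audit warning.

Added example; the flag requirements below are taken from the osquery
documentation for the two tables, everything else is illustrative.
"""
import json
import re

# Flags that must be set (explicitly, since the defaults disable them)
# before the named table will receive events.
REQUIRED_FLAGS = {
    "file_events": {                       # inotify publisher
        "disable_events": "false",
        "enable_file_events": "true",
    },
    "process_file_events": {               # audit publisher
        "disable_events": "false",
        "disable_audit": "false",
        "audit_allow_fim_events": "true",
    },
}

# The flagfile posted in the question.
QUESTION_FLAGFILE = """\
--disable_extensions=false
--disable_events=false
--disable_audit=false
--enable_file_events=true
--audit_allow_config=true
--audit_allow_process_events=true
--audit_allow_fim_events=true
--logger_plugin=LogrPlugin
--extensions_timeout=10
--extensions_interval=5
--extensions_require=ExtensnMgr
"""

# Matches the warning emitted by the audit publisher when it falls behind.
THROTTLE_RE = re.compile(
    r"throttled reading records from Netlink for ([0-9.]+) seconds"
)


def parse_flagfile(text):
    """Parse '--key=value' lines into a dict; a bare '--key' means 'true'."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("--"):
            raise ValueError(f"not a flag line: {raw!r}")
        key, sep, value = line[2:].partition("=")
        flags[key.strip()] = value.strip() if sep else "true"
    return flags


def missing_flags(flags, table):
    """Return the required flags that are absent or have the wrong value."""
    needed = REQUIRED_FLAGS[table]
    return {
        key: want
        for key, want in needed.items()
        if flags.get(key, "").lower() != want
    }


def fim_config(table, paths, interval=10):
    """Build a minimal osquery config that watches `paths` with `table`.

    '%%' is osquery's recursive wildcard inside file_paths entries.
    """
    return {
        "schedule": {
            f"{table}_watch": {            # assumed query name
                "query": f"SELECT * FROM {table};",
                "interval": interval,
                "removed": False,
            }
        },
        "file_paths": {
            "watched": [f"{p.rstrip('/')}/%%" for p in paths]
        },
    }


def throttle_seconds(log_line):
    """Seconds the audit publisher reports having throttled, or None."""
    match = THROTTLE_RE.search(log_line)
    return float(match.group(1)) if match else None


if __name__ == "__main__":
    flags = parse_flagfile(QUESTION_FLAGFILE)
    for table in REQUIRED_FLAGS:
        print(table, "missing:", missing_flags(flags, table) or "nothing")
    print(json.dumps(fim_config("process_file_events", ["/tmp/watched"]), indent=2))
```

Run against the posted flagfile, both tables report nothing missing, which narrows the problem to the config (file_paths must name the directory) or to the audit subsystem itself; the throttle warning in the comments is the audit publisher reporting that it stopped reading Netlink for that many seconds, so any events produced in that window should be treated as possibly lost rather than as evidence that the table is not working.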