
When running scheduled queries from packs, the results are as if I am running the queries in snapshot mode; I am not able to capture differentials from queries coming from pack files. I am not sure if this is a bug or a feature.

For example, in my osquery.conf file I basically have:

{
  "schedule": {
    "processes": {
      "query": "SELECT * FROM processes;",
      "interval": 60,
      "removed": false
    }
  },
  "packs": {
    "packname": "C:\\Program Files\\osquery\\packs\\test_processes.conf"
  }
}

The pack file contains the same query. The scheduled processes query runs OK: it is in differential mode and I am not flooded with process logs. The problem is with the packs, which seem unable to run in differential mode. Every minute I get the same process events being added to the osquery logs.

osquery.flags:

--logger_plugin=filesystem
--logger_path=C:\myproject\Data\LogFiles\osquery
--enable_powershell_events_subscriber=true
--logger_rotate=true
--logger_rotate_size=20971520
--logger_rotate_max_files=10

Does the --logger_plugin=filesystem not work with packs?
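One way to confirm from the filesystem logger's output which mode each query actually ran in, added here as an example that is not part of the question: it parses osquery results.log lines, separates entries carrying "action": "snapshot" from "added"/"removed" differential entries, and counts rows that are emitted repeatedly for the same query name (the flooding symptom described above). The sample log lines are constructed, and the assumed pack query name prefix is "pack_<packname>_".

```python
import json
from collections import Counter, defaultdict

# Constructed sample of osquery results.log lines (not taken from the question).
# Differential entries carry one row in "columns" plus "action": "added"/"removed";
# snapshot entries carry the whole result set in "snapshot" with "action": "snapshot".
SAMPLE_LOG = """
{"name": "processes", "hostIdentifier": "host1", "unixTime": 1700000000, "columns": {"pid": "4", "name": "System"}, "action": "added"}
{"name": "processes", "hostIdentifier": "host1", "unixTime": 1700000060, "columns": {"pid": "512", "name": "svchost.exe"}, "action": "added"}
{"name": "pack_packname_processes", "hostIdentifier": "host1", "unixTime": 1700000000, "snapshot": [{"pid": "4", "name": "System"}, {"pid": "512", "name": "svchost.exe"}], "action": "snapshot"}
{"name": "pack_packname_processes", "hostIdentifier": "host1", "unixTime": 1700000060, "snapshot": [{"pid": "4", "name": "System"}, {"pid": "512", "name": "svchost.exe"}], "action": "snapshot"}
"""


def classify_results(log_text):
    """Return {query_name: {"mode": ..., "events": n, "repeated_rows": n}}.

    "mode" is "snapshot", "differential" or both joined with "/";
    "repeated_rows" counts rows logged again with identical content,
    which is what a snapshot query does on every interval.
    """
    stats = defaultdict(lambda: {"mode": set(), "events": 0, "rows": Counter()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        entry = stats[rec["name"]]
        if rec.get("action") == "snapshot":
            entry["mode"].add("snapshot")
            rows = rec.get("snapshot", [])
        else:
            entry["mode"].add("differential")
            rows = [rec.get("columns", {})]
        entry["events"] += len(rows)
        for row in rows:
            # Canonical JSON so the same row always hashes to the same key.
            entry["rows"][json.dumps(row, sort_keys=True)] += 1
    summary = {}
    for name, entry in stats.items():
        repeated = sum(c - 1 for c in entry["rows"].values() if c > 1)
        summary[name] = {"mode": "/".join(sorted(entry["mode"])),
                         "events": entry["events"], "repeated_rows": repeated}
    return summary


if __name__ == "__main__":
    for name, info in classify_results(SAMPLE_LOG).items():
        print(f"{name}: {info}")
```

Run it against the real results.log to see whether the pack_* entries are arriving as snapshots while the top-level scheduled query arrives as differentials.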
