OSQuery: Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration

Question

OSQuery: Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration

59 views Asked by tarlan aliyev At 12 February 2024 at 10:05

osquery.conf file:

{
  // Configure the daemon below:
  "options": {

    "event_publisher": "etw_process_publisher",
    "enable_ntfs_event_publisher": true
    
  },

  "schedule": {
    "chrome_extensions": {
      "query": "SELECT * from users;",
      "interval": 3600
    }
  }
   
}

when i run osqueryd.exe --config_path="C:\Program Files\osquery\osquery.conf", i got the following error: I0212 13:55:33.071751 8240 eventfactory.cpp:156] Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration.

How can i solve it?

Original Q&A

There are 1 answers

**seph** · Answer 1 · 2024-02-12T13:05:42+00:00

I can't spin up a windows machine to test, but you probably need:

    "disable_events": false

You probably also need to configure some file_paths

Take a look at https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ and https://blog.trailofbits.com/2020/03/16/real-time-file-monitoring-on-windows-with-osquery/

TechQA.

OSQuery: Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration

There are 1 answers

Related Questions in OSQUERY

Popular Questions

Popular Tags

Trending Questions