-
-
Save W00t3k/25fbf2b251190181b35181f4f0d9b59a to your computer and use it in GitHub Desktop.
fswatch and osquery command syntax w/ output
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fswatch command | |
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/ | |
Output when event is triggered | |
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}' | |
osquery.results.log output from event. | |
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment