process_file_events

File open and close events (actions OPEN, CLOSED and CLOSED_MODIFIED) for processes, as reported by the osquery kernel extension on macOS. This is an evented table: rows are collected by the kernel event publisher and buffered until the next query, so it is intended for scheduled queries rather than ad hoc ones, and it returns nothing unless the kernel extension is loaded and events are enabled.

Table schema

| Name      | Type   | Description                                                              |
|-----------|--------|--------------------------------------------------------------------------|
| action    | TEXT   | The action taken on the file (OPEN, CLOSED, or CLOSED_MODIFIED)          |
| pid       | BIGINT | Process ID of the process using the file                                 |
| path      | TEXT   | Path of the file                                                         |
| parent    | BIGINT | Parent process ID of the process using the file                          |
| uid       | BIGINT | Real user ID of the process using the file                               |
| euid      | BIGINT | Effective user ID of the process using the file                          |
| gid       | BIGINT | Real group ID of the process using the file                              |
| egid      | BIGINT | Effective group ID of the process using the file                         |
| mode      | BIGINT | Mode (permission bits) of the file                                       |
| owner_uid | BIGINT | User ID of the owner of the file                                         |
| owner_gid | BIGINT | Group ID of the owner of the file                                        |
| atime     | BIGINT | Time of last access in UNIX epoch time                                   |
| mtime     | BIGINT | Time of last modification in UNIX epoch time                             |
| ctime     | BIGINT | Time of last status change in UNIX epoch time                            |
| time      | BIGINT | Time of the event in UNIX epoch time                                     |
| uptime    | BIGINT | Time of the event in system uptime                                       |
| eid       | TEXT   | Event ID                                                                 |
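Two scheduled queries over this schema, added here as an example and not part of the osquery schema page. They assume the kernel extension publisher is loaded, and join to the standard osquery `processes` table; because a pid may have exited before the query runs, the join is a LEFT JOIN and the process name and path can be NULL. The watched paths and the 300-second window are illustrative choices, not osquery defaults.

```sql
-- Added example, not from the osquery schema page. Assumes the osquery kernel
-- extension is loaded and that the standard `processes` table is available.

-- 1. Writes to persistence and privilege-relevant locations in the last
--    5 minutes. CLOSED_MODIFIED is the action that means the file content
--    changed; OPEN also fires for plain reads and is too noisy to alert on.
--    The time filter is belt-and-braces: in a scheduled query osquery already
--    limits an evented table to events since the query last ran.
SELECT
  datetime(e.time, 'unixepoch') AS event_time,
  e.action,
  e.path,
  e.pid,
  e.parent,
  e.uid,
  e.euid,
  e.owner_uid,
  printf('%o', e.mode) AS mode_octal,   -- mode is stored as an integer; show it in octal
  p.name AS process_name,               -- NULL if the process already exited
  p.path AS process_path
FROM process_file_events AS e
LEFT JOIN processes AS p ON p.pid = e.pid
WHERE e.action = 'CLOSED_MODIFIED'
  AND e.time > (strftime('%s', 'now') - 300)
  AND (
       e.path LIKE '/etc/%'
    OR e.path LIKE '/Library/LaunchDaemons/%'
    OR e.path LIKE '/Library/LaunchAgents/%'
    OR e.path LIKE '/Users/%/Library/LaunchAgents/%'
  );

-- 2. Files written by a process whose effective uid is root while its real
--    uid is not (a setuid helper, or an exploited one, writing somewhere it
--    should not), plus any root-owned file that ends up with the setuid bit.
--    2048 is the setuid bit (04000) in the integer `mode` column.
SELECT
  datetime(e.time, 'unixepoch') AS event_time,
  e.path,
  e.pid,
  e.uid,
  e.euid,
  e.owner_uid,
  printf('%o', e.mode) AS mode_octal,
  (e.mode & 2048) != 0 AS file_is_setuid
FROM process_file_events AS e
WHERE e.action = 'CLOSED_MODIFIED'
  AND (
       (e.euid = 0 AND e.uid != 0)
    OR ((e.mode & 2048) != 0 AND e.owner_uid = 0)
  );
```

Both queries filter on CLOSED_MODIFIED rather than CLOSED because the latter fires for every read handle as well; if you need to know who read a file (credential theft from a keychain export, for instance), use action = 'OPEN' with a tight path filter and expect a much higher event volume.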