diff --git a/.buildkite/.pipeline.yml.swp b/.buildkite/.pipeline.yml.swp
new file mode 100644
index 0000000..d3dbf6d
Binary files /dev/null and b/.buildkite/.pipeline.yml.swp differ
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 1e15012..3af8158 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -220,9 +220,9 @@ steps:
 machineType: n2-standard-2
 enableNestedVirtualization: true
 
- - label: "quark-test on rhel 8 (file creation broken)"
+ - label: "quark-test on rhel 8"
 key: test_rhel_8
- command: "./.buildkite/runtest_distro.sh rhel 8 -x t_file"
+ command: "./.buildkite/runtest_distro.sh rhel 8"
 depends_on:
 - make_docker
 agents:
@@ -286,9 +286,9 @@ steps:
 machineType: n2-standard-2
 enableNestedVirtualization: true
 
- - label: "quark-test on rhel 8.8 (file creation broken)"
+ - label: "quark-test on rhel 8.8"
 key: test_rhel_8_8
- command: "./.buildkite/runtest_distro.sh rhel 8.8 -x t_file"
+ command: "./.buildkite/runtest_distro.sh rhel 8.8"
 depends_on:
 - make_docker
 agents:
@@ -297,9 +297,9 @@ steps:
 machineType: n2-standard-2
 enableNestedVirtualization: true
 
- - label: "quark-test on rhel 8.9 (file creation broken)"
+ - label: "quark-test on rhel 8.9"
 key: test_rhel_8_9
- command: "./.buildkite/runtest_distro.sh rhel 8.9 -x t_file"
+ command: "./.buildkite/runtest_distro.sh rhel 8.9"
 depends_on:
 - make_docker
 agents:
diff --git a/Makefile b/Makefile
index aaf4d90..87d94f7 100644
--- a/Makefile
+++ b/Makefile
@@ -91,7 +91,7 @@ endif
 LIBQUARK_DEPS:= $(filter-out manpages.h, $(LIBQUARK_DEPS))
 LIBQUARK_SRCS:= \
 bpf_queue.c \
- btf.c \
+ btf_helper.c \
 btfhub.c \
 compat.c \
 kprobe_queue.c \
diff --git a/bpf_queue.c b/bpf_queue.c
index c934c67..6f03077 100644
--- a/bpf_queue.c
+++ b/bpf_queue.c
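Review bot: The first file section commits `.buildkite/.pipeline.yml.swp`, a Vim swap file, as a new binary blob; this looks accidental and should be dropped from the commit (`git rm --cached .buildkite/.pipeline.yml.swp`) with `*.swp` added to `.gitignore`. A swap file holds the full in-editor buffer of the pipeline config at the moment it was written, so besides being un-diffable noise under `.buildkite/` it can carry unsaved edits the author never meant to publish. The pipeline.yml hunks themselves only remove the `-x t_file` exclusion and the "(file creation broken)" label suffix for RHEL 8, 8.8 and 8.9, which is consistent with the fsnotify-based creation detection added elsewhere in this commit.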
@@ -667,9 +667,14 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
 }
 
 if (qq->flags & QQ_FILE) {
+ int use_fsnotify =
+ (6 == btf_number_of_params_op_ptr(btf, "inode_operations", "atomic_open"));
+
 if (use_fentry) {
 bpf_program__set_autoload(p->progs.fentry__do_renameat2, 1);
 bpf_program__set_autoload(p->progs.fentry__do_unlinkat, 1);
+ if (use_fsnotify)
+ bpf_program__set_autoload(p->progs.fentry__fsnotify, 1);
 bpf_program__set_autoload(p->progs.fentry__mnt_want_write, 1);
 bpf_program__set_autoload(p->progs.fentry__vfs_rename, 1);
 bpf_program__set_autoload(p->progs.fentry__vfs_unlink, 1);
@@ -688,6 +693,8 @@ bpf_queue_open1(struct quark_queue *qq, int use_fentry)
 bpf_program__set_autoload(p->progs.kretprobe__chown_common, 1);
 bpf_program__set_autoload(p->progs.kprobe__do_truncate, 1);
 bpf_program__set_autoload(p->progs.kretprobe__do_truncate, 1);
+ if (use_fsnotify)
+ bpf_program__set_autoload(p->progs.kprobe__fsnotify, 1);
 bpf_program__set_autoload(p->progs.kprobe__vfs_writev, 1);
 bpf_program__set_autoload(p->progs.kretprobe__vfs_writev, 1);
 bpf_program__set_autoload(p->progs.kprobe__vfs_rename, 1);
diff --git a/btf.c b/btf_helper.c
similarity index 93%
rename from btf.c
rename to btf_helper.c
index b75d118..a408679 100644
--- a/btf.c
+++ b/btf_helper.c
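Review bot: The `6 == btf_number_of_params_op_ptr(btf, "inode_operations", "atomic_open")` test is an unexplained magic number; if I read the kernel history right, `inode_operations.atomic_open` only had six parameters (the trailing `int *opened`) before v4.19, where `FMODE_CREATED` replaced it, so this arity is really a proxy for "FMODE_CREATED does not exist on this kernel, detect creation via fsnotify(FS_CREATE)" and deserves a comment such as `/* pre-4.19 kernels (e.g. RHEL 8) have a 6-arg atomic_open and no FMODE_CREATED; detect file creation via fsnotify(FS_CREATE) there */`. A lookup failure returns -1, which silently disables the fsnotify path, so a BTF blob missing `inode_operations` would quietly regress file-creation events on exactly those kernels; a debug log on the `-1` case would make that visible. The fsnotify probes added in Probe.bpf.c hard-code the legacy six-argument `fsnotify()` layout with `mask` second, so this gate must never be true on a kernel with the newer signature; checking that directly with the existing helper, `btf_number_of_params(btf, "fsnotify") == 6`, would state the assumption instead of inferring it from an unrelated struct. bpf_queue_open1 begins and ends outside this hunk.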
@@ -292,6 +292,50 @@ btf_enum_value(struct btf *btf, const char *dotname, ssize_t *uv)
 return (-1);
 }
 
+int
+btf_number_of_params_op_ptr(struct btf *btf, const char *ops_struct, const char* op_name)
+{
+ const char *name;
+ struct btf_type const *ops_t;
+ struct btf_member *m;
+ int i;
+
+ ops_t = btf_type_by_name_kind(btf, NULL, ops_struct, BTF_KIND_STRUCT);
+
+ if (!btf_is_struct(ops_t)) {
+ errno = EINVAL;
+ goto fail;
+ }
+
+ m = btf_members(ops_t);
+
+ for (i = 0; i < btf_vlen(ops_t); i++, m++) {
+ name = btf__name_by_offset(btf, m->name_off);
+ if (name == NULL)
+ continue;
+
+ if (!strcmp(op_name, name)) {
+ const struct btf_type *t;
+
+ t = btf__type_by_id(btf, m->type);
+ if (t == NULL)
+ return (-1);
+
+ t = btf__type_by_id(btf, t->type);
+ if (t == NULL)
+ return (-1);
+
+ if (!btf_is_func_proto(t))
+ return (-1);
+
+ return (btf_vlen(t));
+ }
+ }
+
+fail:
+ return (-1);
+}
+
 int
 btf_number_of_params(struct btf *btf, const char *func)
 {
diff --git a/elastic-ebpf/GPL/Events/File/Probe.bpf.c b/elastic-ebpf/GPL/Events/File/Probe.bpf.c
index bca6ef7..0725f6a 100644
--- a/elastic-ebpf/GPL/Events/File/Probe.bpf.c
+++ b/elastic-ebpf/GPL/Events/File/Probe.bpf.c
@@ -289,6 +289,10 @@ static int do_filp_open__exit(struct file *f)
 if (fmode & (fmode_t)0x100000) { // FMODE_CREATED
 // generate a file creation event
 prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
+ } else if (ebpf_events_state__get(EBPF_EVENTS_STATE_FS_CREATE) != NULL) {
+ // generate a file creation event
+ prepare_and_send_file_event(f, EBPF_EVENT_FILE_CREATE, NULL, 0);
+ ebpf_events_state__del(EBPF_EVENTS_STATE_FS_CREATE);
 } else {
 // check if memfd file is being opened
 struct path p = BPF_CORE_READ(f, f_path);
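Review bot: `ops_t` is handed to `btf_is_struct()` with no NULL check; if `btf_type_by_name_kind()` returns NULL when the struct is absent from the BTF (I cannot see that helper, but that is the usual contract), libbpf's `btf_is_struct()` dereferences `t->info` and quark crashes in userspace at queue open instead of returning -1, so the guard should read `if (ops_t == NULL || !btf_is_struct(ops_t)) {`. The walk from the member to its prototype also assumes `m->type` is a bare pointer: add `if (!btf_is_ptr(t)) return (-1);` before following `t->type`, since for a non-pointer member that field is not a type id, and a `const` or typedef wrapper would make the func-proto check fail for the wrong reason. Two smaller points: `errno` is set on only one failure path while the other `return (-1)`s leave it stale, and `const char* op_name` breaks the `type *name` pointer placement used by the rest of the signature.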
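Review bot: The new `else if` branch duplicates the FMODE_CREATED branch's comment and `prepare_and_send_file_event()` call and deletes the FS_CREATE state only when it is consumed on that branch; folding both into one condition, `if ((fmode & (fmode_t)0x100000) || ebpf_events_state__get(EBPF_EVENTS_STATE_FS_CREATE) != NULL) {`, with an unconditional `ebpf_events_state__del(EBPF_EVENTS_STATE_FS_CREATE);` right after it, keeps a single emission path and guarantees the per-task state never outlives the open that consumed it. Whether the state can be stale on entry depends on what set it (see the fsnotify probe hunk); do_filp_open__exit starts and ends outside this hunk.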
@@ -333,6 +337,40 @@ static int do_filp_open__exit(struct file *f)
 return 0;
 }
 
+static int fsnotify__enter(u32 mask)
+{
+ if (mask & 0x100) { // FS_CREATE
+ struct ebpf_events_state state = {};
+ ebpf_events_state__set(EBPF_EVENTS_STATE_FS_CREATE, &state);
+ }
+
+ return 0;
+}
+
+SEC("kprobe/fsnotify")
+int BPF_KPROBE(kprobe__fsnotify,
+ struct inode *to_tell,
+ u32 mask,
+ const void *data,
+ int data_is,
+ const unsigned char *file_name,
+ u32 cookie)
+{
+ return fsnotify__enter(mask);
+}
+
+SEC("fentry/fsnotify")
+int BPF_PROG(fentry__fsnotify,
+ struct inode *to_tell,
+ u32 mask,
+ const void *data,
+ int data_is,
+ const unsigned char *file_name,
+ u32 cookie)
+{
+ return fsnotify__enter(mask);
+}
+
 SEC("fexit/do_filp_open")
 int BPF_PROG(fexit__do_filp_open,
 int dfd,
diff --git a/elastic-ebpf/GPL/Events/State.h b/elastic-ebpf/GPL/Events/State.h
index 45e6c50..c3ae0e5 100644
--- a/elastic-ebpf/GPL/Events/State.h
+++ b/elastic-ebpf/GPL/Events/State.h
@@ -22,6 +22,7 @@ enum ebpf_events_state_op {
 EBPF_EVENTS_STATE_WRITEV = 8,
 EBPF_EVENTS_STATE_CHOWN = 9,
 EBPF_EVENTS_STATE_GROUP_DEAD = 10,
+ EBPF_EVENTS_STATE_FS_CREATE = 11,
 };
 
 struct ebpf_events_key {
@@ -93,6 +94,7 @@ struct ebpf_events_state {
 struct ebpf_events_writev_state writev;
 struct ebpf_events_chown_state chown;
 /* struct ebpf_events_group_dead group_dead; nada */
+ /* struct ebpf_events_fs_create fs_create; nada */
 };
 };
 
diff --git a/quark.h b/quark.h
index 838df0e..eb659cf 100644
--- a/quark.h
+++ b/quark.h
@@ -80,6 +80,7 @@ ssize_t quark_btf_offset(struct quark_btf *, const char *);
 struct btf;
 s32 btf_root_offset(struct btf *, const char *, int);
 int btf_number_of_params(struct btf *, const char *);
+int btf_number_of_params_op_ptr(struct btf *, const char *, const char *);
 int btf_index_of_param(struct btf *, const char *, const char *);
 
 /* bpf_queue.c */
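Review bot: `fsnotify__enter` records FS_CREATE state for every creation notification in the task, but FS_CREATE is also raised for mkdir, mknod, symlink and link, which never go through `do_filp_open`, so an entry set by a `mkdir()` is only removed by the task's next `do_filp_open` exit and a plain `open()` of an existing file after it would be reported as a file creation. Directories at least should be excluded, `if ((mask & 0x100) && !(mask & 0x40000000)) { // FS_CREATE && !FS_ISDIR`, and the state should be cleared at `do_filp_open` entry (if an entry probe exists outside this hunk) so that only a creation raised inside the current open is consumed. Both probe bodies hard-code the legacy six-argument `fsnotify()` layout with `mask` second; on kernels with the later seven-argument form, where `mask` is first if I recall correctly, the `mask & 0x100` test reads the wrong argument, so the programs should carry a comment such as `/* legacy fsnotify(to_tell, mask, ...) layout; only autoloaded when bpf_queue.c sets use_fsnotify (pre-FMODE_CREATED kernels) */`. The `0x100` literal (and `0x40000000` if added) would read better as named `FS_CREATE`/`FS_ISDIR` constants if no kernel header providing them is available to the BPF build.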