# general
ok... figured it out... osquery was starting up before Filebeat, so the OS, OS version, packages, and filemounts were not being correctly consumed by Filebeat. The fix I realized was to stop osqueryd, wipe out the rocksdb files, restart osqueryd, and everything came streaming in 🙂