I did have polylogyx working locally for the events tables the other day and now cannot even get that working. Stopping the service and using osqueryi reports back nothing for things like win_process_events or win_socket_events for example...

Here are the steps that normally work 1. Install osquery 2. copy extension into the osquery folder 3. change the flags file and osquery.config with that is provided in github. (Make sure all the paths in the flags file are looking good) 4. Adjust the flags file for the logger to be tls and point it to your fleet DM (along with certs) but leave the config to be filesystem so that the local copy of osquery.conf comes into play (with queries for tables extended by extension) 5. restart the osquery service At this point, osquery should load the extension and the config from osquery.conf should be read giving you the results on fleet DM

Alternatively, you could try https://github.com/polylogyx/plgx-esp (equivalent of fleetDM with in-built support for the extension)

I believe I found the culprit but will update further if anything changes in my findings. Ok so I happen to have --events_expiry set to 0...or I did. That setting apparently prevents the polylogyx _events tables from working. As soon as I set that to the 3600 default it works fine. I was also able to get it connected with fleetdm just fine. As for the osquery.conf file I was really hoping to manage those settings from fleetdm. Is it possible to convert that polylogyx osquert.conf into something that fleetdm can push out so I can apply configs via tls instead of from the local filesystem?

It is possible the answer might inevitably be to try out plgx-esp instead of fleetdm.