Hello team,
I encountered something that looks like a bug with bpf_socket_events. The ‘parent’ field is showing a process ID which is missing the first digit. Here is an example. Any clue?
osquery> select pid,parent from bpf_socket_events where remote_address = '10.28.11.73';
[
{"parent":"100965","pid":"2101011"}
]
osquery> select pid,parent from processes where pid = '2101011';
[
{"parent":"2100965","pid":"2101011"}
]