@Stefano Bonicatti thanks, that indeed helped. Maybe you can give me a hint on the next questions:
1. osquery throws these messages to the logs:
E0510 09:44:01.856688 3171 bpfeventpublisher.cpp:435] BPFEventPublisher has encountered 1 malformed events
2. In the actual results from bpf_socket_event, in most cases the remote/local address/port are empty or 0. I was expecting that when the family is 1, I would see real values.
05/11/2021, 5:51 PM
for 1: we used to miss some events due to a kernel bug with the execve/execveat tracepoints
for 2: we won't get all the ports unless we also see the process calling the bind() system call
05/15/2021, 6:28 PM
thanks a lot. I much appreciate your helpful responses.