BPF-based eventing will however not be perfect 😞 I'm sure there's something wrong in the kernel, as the problem can be easily reproduced with BCC

what’s the problem?

First problem was: https://github.com/osquery/osquery/pull/6802#issuecomment-744650811 (solved with kprobes, but tracepoints were better) Second problem is that the bpf_probe_read_str helper fails really often, throwing a wrench in all the event collection/correlation logic