Lee Segal

09/27/2022, 5:14 PM
Hey Everyone! I'm currently struggling to get file_events or process_events working. I used orbit to install osquery on an ubuntu box. Added the following in the flag file:

--disable_events=false
--disable_audit=false
--enable_file_events=true
--audit_allow_apparmor_events=true
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_seccomp_events
--audit_allow_selinux_events=true
--audit_allow_socket_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--verbose

Updated the config file to follow desired paths for testing:

file_paths:
  etc:
    - /etc/%%
  tmp:
    - /tmp/%%
  homes:
    - /root/.ssh/%%

But still I can't get file_events or process_events to return anything. Any advice on what I'm doing wrong?
Keith Swagler

09/28/2022, 2:25 PM
You may want to try eBPF events instead. But if you really need audit events you can check the Troubleshooting section on this page: https://osquery.readthedocs.io/en/stable/deployment/process-auditing/