Please see https://osquery.readthedocs.io/en/stable/development/pubsub-framework/ on how osqueryi and _events tables are not compatible. In other words, run osquery as a daemon for the FIM feature.

@Jams @sonal k It’s possible to receive events while in the shell, for testing; but as far as I can see the table used is a Windows one, and the file paths configured are for Linux

I was able to resolve it. 👍