Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Are you also changing something in `/etc` ?

The intent of this table is to watch for changes but that watch starts at the point you start osquery.

Also, be sure to pass `--enable_file_events` if you're using osquery 4.6.0

Originally the INotify based publisher was automatically active as soon as one enabled events, but now, like the other publishers, it has its own flag to enable that.

I think osquery would report `Subscriber disabled via configuration` for `file_events` if this were 4.6.0