Am looking for a way to enable process_file_events table in Linux environment, I was able to enable file_events using command line osquery.flags. Osquery is configured via fleetdm i have below config to enable process_file_events in osquery.flags --disable_events=false --disable_audit=false --enable_file_events=true --audit_allow_config=true --audit_allow_fim_events=true --audit_allow_process_events=true --audit_persist=true can you give me points what am i missing

Do you also have file_paths configured in Fleet ? OSQuery has an example one, if you are using Fleet for config you will have to convert to YAML

Yes it is configured and file_events table is able to pick the paths

what Kernel version are you on ?

3.10.0-1160.53.1.el7.x86_64