Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Can someone elaborate on what the `active` column indicates on `osquery_events`? It shows as `1` for `process_events` on Linux hosts without process auditing enabled

<https://osquery.io/schema/3.3.2#osquery_events>

```1 if the publisher or subscriber is active else 0```

Yes, but what does active mean in this context? How is it active if it is not enabled via the config?

It is correctly returning zero events, but I do not understand why it shows as active