Hey, I have a pretty basic doubt. If osqueryd is running and collecting events and I restart the daemon for some reason, would I lose events that were not queried before the restart? Assuming all those buffers/RocksDB etc. do not run out of size and are well within the defined thresholds.
10/17/2018, 5:04 PM
Events that were not queried before the restart will not be lost. They will remain in the RocksDB buffer. Of course, you will miss any events that happened while osquery was not running.