Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@U5N98A8QJ> those errors are rare, but! You most likely have something turning on events, if you're on Linux then a `/etc/osquery/osquery.flags` or `/etc/osquery/osquery.flags.default` with a `--nodisable_events` or `--disable_events=false` will enable the event publishers for the shell. A config could also turn them on, `--config_dump` will write the config JSON. Next, why are the events failing? Those are all `pipe`-based to some API that is privileged on the OS, so you could be running as a restricted user, or have cgroups limiting the binary's permissions?

Saw exactly the same error. Stuck for a couple of days and finally figured out what was wrong. The issue is I have `auditd` running on my centos7 server as well, which steals all the events need to be sent to osquery.  After I disabled `auditd`, everything works properly. I know this is old, but still wanna leave a message here in case anybody else has the same issue.