'collect process events' - so you have osquery running with a launchdaemon? It's an 'evented table', so you'd need to be using a daemon that writes to a file or ships over TLS to your sync server/log collection endpoint