Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@UJKKTU947> can you try it again with a new database?

there should be a flag to specify where the database is stored; you could pass a path to another folder so you can test this without renaming/removing the original database

I think the flag is named --database_path, but you can check with --help

If it works with a new database, then a database migration (performed when osquery was last updated) may have damaged the event-related keys in the database

It won't let me run osqueryi with a --database_path to a folder that doesn't contain an osquery database. Can I just kill the one in /var/osquery?

yeah, you can. maybe you can rename it for now instead of deleting it

ok, I did that and it created a new osquery.db, but when in osqueryi shell I still get no results from `select * from process_events;`

uhm are the osquery flags correct, according to <https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-auditing> ?

can you also paste the contents of /etc/security/audit_control ?

```#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated```

that file seems ok, can you try with sudo osqueryd -S --verbose --disable_audit=false --disable_events=false ?

those flags are already set in my osqeury.conf file, and when I run `osqueryi` I can run the command which shows which flags are active

What version of osquery are you using and has this changed in within the few months?

Remember that `osqueryi` and `osqueryd` may not be using the same config file, so double check! When testing in the shell using `select * from osquery_events` and looking at the `active` column for `process_events` will give a strong indicator if the table is working.

An OS update may have happened too, do you mind sharing your current OS version so we can help reproduce?

I am on MacOS 10.14.6 and osquery version 3.3.2 (I have been on since May). When running `select * from osquery_events`I can see an `active` flag for the `process_events`

Seems to be working now.. Some tinkering along the way must have kicked it back into action. I'll try and find out what the issue was