I am trying to bring process and socket events together. Socket audit (i.e. socket_events) already report the pid, so I thought I can easily match it with process audit (i.e. process_events). Although this works well in case doing a ping, it does not work in case of curling. From the curl example you can see that there was the pid 12425 being able to make a connect call to google on port 80. However, this pid does not appear in the process_events. Any idea what the reason is?