Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

<@U51GTKKCK> can you paste the output of --verbose? (you can just append that flag to your osquery.flags)

<@U6EFFT5FG> - Just added `--verbose` and after restarting it, the kernel now is configured to send events to the right PID.

Oh fun, well, the worker still sits at 100% CPU usage on `3.1.0` like it was doing on `2.10.0`. I’ll gather a bunch of info and see if I can tweak some other things as well.

Ah ha! It happened again, it looks like after the worker is killed by the watchdog process for consuming too much CPU, the kernel isn’t getting renotified for the PID of the new worker process. Will test some more to confirm this though