So a couple of additional notes on the matter 1. We should rename exit_code to syscall_exit_code or something else that better describes the meaning of that value 2. It is possible to capture the program exit code, but that requires additional tracing (exit and exit_group). If you think it could be useful, we could open a feature request/blueprint 3. In the case of Audit, when receiving SYSCALL events we discard everything if the 'success' field is not set to 'yes'. This means that failed execve/execveat should never appear under Audit. I think that BPF should follow what Audit is doing here

for 3 - this prevents osquery from tracking async sockets which is a bummer.

That is true, I actually had a PR for changing this; the problem is that unless we start tracking the file descriptors there is no way to tell if a file descriptor has the async non-blocking flag set

I don't see exit codes (syscall or otherwise) as being an exceedingly important datapoint to have (from a security perspective at least). I would be happy just seeing the column renamed to

syscall_exit_code