# process-auditing
c
the TL;DR is that I can only semi-reproduce the issue on a VM. It seems to only affect osquery installs that have gone through a long upgrade chain. The good news is that downgrading seems to be a workaround that doesn't involve nuking the DB: https://github.com/facebook/osquery/issues/4615
j
@clong - I commented on it, but do you have the output from the `auditctl -l` and `auditctl -s` commands?
c
yeah, so everything in auditctl looks kosher. It's enabled, the pid points to the right process, the 3 rules are loaded, etc.
I don't have the output on hand, but nothing looked off from that standpoint