
Problems about zeek-agent on Linux

Open byamao1 opened this issue 3 years ago • 0 comments

When I use zeek-agent, I have some problems.

This is my environment:

  • CentOS Linux release 7.8.2003
  • osquery 4.2.0
  • zeek 3.0.12
  • zeek-agent 1.0.2
  • zeek-agent-framework 0.4

My work:

  • installed zeek, osquery, zeek-agent, zeek-agent-framework successfully
  • configured zeek-agent:

    ```json
    {
      "server_address": "127.0.0.1",
      "server_port": 9999,
      "log_folder": "/var/log/zeek",
      "max_queued_row_count": 5000,
      "osquery_extensions_socket": "/var/osquery/osquery.em",
      "group_list": []
    }
    ```

  • configured `/opt/zeek/share/zeek/site/local.zeek`, adding this at the end: `@load zeek-agent`
  • configured `/opt/zeek/share/zeek/site/zeek-agent/load.zeek`, adding this at the end: `@load ./examples/auditd`
  • started the auditd service, started osqueryd
  • started zeek-agent: `sudo zeek-agent`
  • started zeekctl: `zeekctl deploy`, then `zeekctl` and `[ZeekControl] > start`

Everything is right. I could find logs in `/opt/zeek/logs/current`: `broker.log`, `conn.log`, `dns.log`, `ntp.log`, `stats.log`, `stdout.log`, `zeek-agent.log`, `capture_loss.log`, `dhcp.log`, `loaded_scripts.log`, `packet_filter.log`, `stderr.log`, `weird.log`, but I can't see any log names starting with "agent_", such as `agent_socket_events.log` and `agent_process_events.log` (from vZW20 - Day 2 - Zeek Agent: Correlating Host & Network Logs for Better Forensics - Wajih Ul Hassan).

My questions:

  1. Was there anything wrong in my actions?
  2. Where are `agent_socket_events.log` and `agent_process_events.log`?
  3. What is the relation between virtual tables and "agent_*.log"?
  4. Are virtual tables stored in SQLite or osquery?

Thank you very much!

byamao1 avatar May 17 '21 10:05 byamao1
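A small check script for the setup described in this issue, added here as an example and not part of zeek-agent or the zeek-agent-framework. It parses the agent config shown above, verifies the osquery extensions socket and log folder it points at are present, and reports which `agent_*.log` files exist in the Zeek log directory. The config text, the log-file list and the `/opt/zeek/logs/current` default are taken from the issue; the function names are assumptions.

```python
"""Sanity checks for a zeek-agent deployment (example, not project code)."""
import json
import os
import glob
import stat

# Constructed copy of the config posted in the issue.
SAMPLE_CONFIG = json.dumps({
    "server_address": "127.0.0.1",
    "server_port": 9999,
    "log_folder": "/var/log/zeek",
    "max_queued_row_count": 5000,
    "osquery_extensions_socket": "/var/osquery/osquery.em",
    "group_list": [],
})

REQUIRED_KEYS = ("server_address", "server_port", "log_folder",
                 "osquery_extensions_socket")


def config_errors(text):
    """Return a list of problems found in a zeek-agent config (empty if OK)."""
    cfg = json.loads(text)
    errors = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    port = cfg.get("server_port")
    if not isinstance(port, int) or not 0 < port < 65536:
        errors.append(f"invalid server_port: {port!r}")
    return errors


def find_agent_logs(names):
    """Pick out the agent_*.log files from a list of Zeek log file names."""
    return sorted(n for n in names if n.startswith("agent_") and n.endswith(".log"))


def check_setup(text, zeek_log_dir="/opt/zeek/logs/current"):
    """Check the filesystem side: osquery socket, agent log folder, agent_*.log."""
    cfg = json.loads(text)
    sock = cfg["osquery_extensions_socket"]
    # osquery exposes its extension manager as a unix socket; a plain file is wrong.
    is_sock = os.path.exists(sock) and stat.S_ISSOCK(os.stat(sock).st_mode)
    present = [os.path.basename(p) for p in glob.glob(os.path.join(zeek_log_dir, "*.log"))]
    return {
        "osquery_socket_ok": is_sock,
        "log_folder_exists": os.path.isdir(cfg["log_folder"]),
        "zeek_agent_log_present": "zeek-agent.log" in present,
        "agent_logs": find_agent_logs(present),
    }


if __name__ == "__main__":
    print(config_errors(SAMPLE_CONFIG) or "config OK")
    print(check_setup(SAMPLE_CONFIG))
```

An empty `agent_logs` list with `zeek-agent.log` present narrows the problem to the agent-to-osquery side (socket, loaded tables) rather than the Zeek script side.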