I'm playing with the sample code and noticed that there is no url and hostname in the flow when I make any request in Google Chrome. It requests ip address directly. Probably it has cached DNS? Is it possible to get the hostname somehow?

In the video Mathew said that creating a new ES client triggers cache invalidation. Nothing about that is in the documentation. Maybe there are another cases when the cache gets invalidated? I've noticed that I receive only one AUTH_OPEN request if I open the same file couple of times per second. And I start receiving more requests when I increase time interval between opening the file, like 1 second between opening.

Yeah, I already saw a similar thread about es_event_iokit_open_t and that there is no way to get to the actual device from it.