Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

:wave: Has anyone else reported issues with osquery v 5.11.0 on windows, specifically the windows_eventlog table not working? Using Fleet for orchestration, query looks good in the UI linter, but when targeting Only machines I get an error.

Query:
```SELECT * FROM windows_eventlog WHERE eventid = 4663 AND channel = "Security" and keywords = "Audit Success" AND xpath LIKE "%ScreenConnect%" LIMIT 10;```

Screenshot 2024-02-21 at 2.46.51 PM.png

looking for evidence of screenconnect events as an example here.

That seems more like a FleetDM issue, which is maybe selecting endpoints that are not Windows to run the query, or maybe they have a `--disable_tables=windows_eventlog`

Just to understand, have you tried to query a single machine with this?
I would also check  with <#C01DXJL16D8|>

ah good call and very possible, i don't manage the service, let me look into that, would make complete sense thank you.

Like, don't get me wrong, that error comes from osquery, but when there's another software in between it's more difficult to understand what's happening :slightly_smiling_face:

yeah i forgot that you could stack configs when fleet is in the pipeline.