Hi, I am new with OSQuery, Executing this command in the window, I want to get the window events data, but output is always empty. the output image is attached. Command: C:\WINDOWS\system32>"C:\Program Files\osquery\osqueryi.exe" --json "select * from windows_events" --config_path='C:\Program Files\osquery\osquery.conf' --disable_events=false --enable_windows_events_publisher --enable_windows_events_subscriber --windows_event_channels=System,Application,Setup,Security --verbose Many thanks if someone can help

Hello @Nafees Mushtaq, seems you have single quotes around the

config_path

path which are causing issues with the CLI (you can also see that osquery reports an error in reading the config path, since they do not correctly escape the space in the path). Change them to double quotes. Furthermore though,

windows_events

is an event based table. Events are collected while osquery is running, it's not querying some OS event store, so here the window you have to collect them is very small because that command launches osquery, executes the query to osquery local DB for events immediately, and then closes. That mode of operation would make more sense against

windows_eventlog

which instead queries the event log that Windows keeps.