Hi! I'm trying to set up

windows_events

and have it scheduled every day, but not seeing any results showing in the Snapshot. Am I missing something? I don't have any custom watchdog flags,

events_max

, and

event_expiry

set so they are defaulted to what FleetDM sets it to. I've enabled all the flags and confirmed the

enable_windows_events_subscriber

and

enable_windows_events_publisher

are set to true on the endpoints: host_display_name description name shell_only type value hostname Enables Windows Event Log events enable_windows_events_subscriber 0 bool TRUE hostname Enables the Windows events publisher enable_windows_events_publisher 0 bool TRUE There are multiple events showing when I run

osquery_events

: hostname 1 38387 windows_events Test Scheduled Query:

SELECT computer_name, level, eventid, datetime, source

FROM windows_events

WHERE eventid IN (4608, 4609)

AND source = "Security";

Hey @Jomaree Gammad, have you tried to run the query without the

WHERE

clause to see if that returns anything?

iirc eventid is a string not an int, this is one my old filtered queries, give it a try

SELECT time, datetime, source, provider_name, provider_guid, eventid, task, level, keywords, to_base64(data) AS data, eid FROM windows_events WHERE eventid NOT IN ('4660','4663','4673','4674','4703','4798');

Do you also have

disable_events

set to

false

?

@FG - looks like I'm able to get data to return using your Query. Any specific reason you're not collecting those eventids?

in our environment they were likely super noisy i don't recall now its just to illustrate how you can filter though.

ahh i see. thank you

happy to help.