# windows
Hi everyone, I'm very new to osquery so sorry if this has been answered before. Currently, I am trying to access the table `windows_events` using `SELECT * FROM windows_events WHERE keywords = "Audit Success";`, but I am getting this output. How would I go about enabling events?
You may want to try the `windows_eventlog` table as well.
Hi, thanks for the replies! So far, I got events enabled with the `--disable_events=false` flag and used the flags `--windows_event_channels=Security` and `--enable_windows_events_subscriber` to subscribe to the Security event channel. Now when I run the command `SELECT * FROM windows_events WHERE keywords = "Audit Success";`, I don't get any errors, but I do get a blank output. Is there a certain flag that I am missing, or any further configuration I would need to do to get the events to show?
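As an added example (not from any poster in this thread), the three flags discussed above can also be set in the `options` block of an osquery JSON config, next to a scheduled query that reads the evented `windows_events` table; the schedule name, the 60-second interval, the `events_expiry` retention value and the choice of Security event IDs 4624/4625 (logon success/failure) are illustrative assumptions, and the query uses single-quoted string literals, which is standard SQL. Evented tables only return events captured after the subscriber started, so a freshly launched `osqueryi` can legitimately return nothing until a new Security event is written.

```json
{
  "options": {
    "disable_events": "false",
    "enable_windows_events_subscriber": "true",
    "windows_event_channels": "Security",
    "events_expiry": "3600"
  },
  "schedule": {
    "security_logon_events": {
      "query": "SELECT datetime, source, eventid, provider_name, keywords, data FROM windows_events WHERE source = 'Security' AND eventid IN (4624, 4625);",
      "interval": 60
    }
  }
}
```

Running osqueryd with this config and then generating a logon (for example, locking and unlocking the workstation) is a simple way to confirm that rows start appearing in the scheduled query's results log.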