Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

2c114e3b3a16d99b563e395e06e60531.png

Hi everyone, I'm very new to osquery so sorry if this has been answered before. Currently, I am trying to access the table `windows_events` using `SELECT * FROM windows_events WHERE keywords = "Audit Success";` , but getting this output. How would I go about enabling events?

<https://osquery.readthedocs.io/en/stable/installation/cli-flags/#windows-only-events-control-flags>

You may want to try the `windows_eventlog` table as well.

hi thanks for the replies! so far, I got events enabled with the `--disable_events=false` flag and used the flags `--windows_event_channels=Security` and `--enable_windows_events_subscriber`  to subscribe to the security event channel. now when I run the command, `SELECT * FROM windows_events WHERE keywords = "Audit Success";` , I don't get any errors, but I do get a blank output. Is there a certain flag that I am missing or any further configuration I would need to do to get the events to show?