#windows
zhong

12/21/2021, 8:34 PM
Hi everyone, I'm very new to osquery, so sorry if this has been answered before. Currently I am trying to access the `windows_events` table using `SELECT * FROM windows_events WHERE keywords = "Audit Success";`, but getting this output. How would I go about enabling events?
zwass

12/21/2021, 9:43 PM
You may want to try the `windows_eventlog` table as well.
zhong

12/22/2021, 8:24 PM
Hi, thanks for the replies! So far, I got events enabled with the `--disable_events=false` flag and used the flags `--windows_event_channels=Security` and `--enable_windows_events_subscriber` to subscribe to the Security event channel. Now when I run the command `SELECT * FROM windows_events WHERE keywords = "Audit Success";`, I don't get any errors, but I do get a blank output. Is there a certain flag that I am missing, or any further configuration I would need to do to get the events to show?