Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi guys, i was asking this same thing in the windows channel, so sorry for the spam if you already read this question. Does somebody know what is the best way, to update the parameter `windows_event_channels` ? I tried to update it via fleet, and also via the flags file, but i do not get a consistent behavior. I would say it works better via flags file, but it seems that once a channel is enabled, removing it from the flags file does not take effect. It would seem those channels get stored somehwere.

I have just found out, that if i stop the service and delete all the contents on osquery.db folder , the channels value gets applied properly from both fleet or flags file. However i would like to learn if there is any expected behavior.