I m not able to find watchdog events in our SIEM But I don t

Question

I m not able to find watchdog events in our SIEM But I don t know where to check `IF` we re collecting these events in the first place

zwass · Answer

You d find these in the status logs The other thing you can do is schedule a query to the `osquery schedule` table and look at the `blacklisted` column to see if any queries have been blacklisted by the watchdog

Ravi Shah · Answer

Thank you I ll check that out

zwass · Answer

Or even better live query the `osquery schedule` table if you have that capability