Ravi Shah

05/05/2020, 6:14 PM
I'm not able to find watchdog events in our SIEM. But I don't know where to check IF we're collecting these events in the first place

zwass

05/05/2020, 10:56 PM
You'd find these in the status logs. The other thing you can do is schedule a query to the osquery_schedule table and look at the blacklisted column to see if any queries have been blacklisted by the watchdog.

Ravi Shah

05/05/2020, 11:45 PM
Thank you, I'll check that out.

zwass

05/05/2020, 11:49 PM
Or even better, live query the osquery_schedule table if you have that capability.