Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi There, does anyone know how to solve the following issue? : Expiring events for subscriber: windows_events (overflowed limit 50000)

Are you selecting from the windows_events tables? It's normal for events to expire so that the osquery db doesn't fill the disk.

Yeah what <@U0JFM04MS> said. That table fills up pretty quickly, so you'll wanna have a relatively frequent interval. We typically use like 3 minutes? So 180.

Also check what WEL channels you've subscribed to. It's common to just want all of the data, but currently osquery doesn't have great support for forwarding out huge amounts of data, but this is on the way. For now it's better to try and be more selective about what event logs you'd like to get out of the system, and only subscribe to those channels