Dear i have a question, i would like to enable the support to Windows Event Log, but i don't have the file osquery.man under the osquery directory ...who can help me?

Hey, I am not sure if that helps - but from https://github.com/facebook/osquery/blob/master/docs/wiki/installation/install-windows.md, it seems like you can also use 'manage-osqueryd.ps1' - which is installed by default with osquery on Windows. Install: .\manage-osqueryd.ps1 -installWelManifest Uninstall: .\manage-osqueryd.ps1 -uninstallWelManifest BTW, if you didn't do it yet, you should add --windows_event_channels to your flags, I set it to: --windows_event_channels=System,Application,Setup,Security,Microsoft-Windows-PowerShell/Operational. I also used --disable_events=false, though I am not completely sure it is a must with windows_events...

ah great ..thanks

Sorry for the late response. List of Windows event log channels to subscribe to. By default the Windows event log publisher will subscribe to some of the more common major event log channels. However you can subscribe to additional channels using the Log Name field value in the Windows event viewer. To see the list of possible event logs open Event Viewer in Windows, and search the log names.

No problem thanks for the response .

Once you enabled Windows events and subscribed to the channels you wanted, osquery is able to query the events from the Windows event logger. Of course - you have to query the Windows_events table to get the data regarding the windows events:

select * from windows_events

. Afaik, the windows_events tables (though ends with '_events') is not a pure osquery event table - thus you can try query it even in osqueryi if you use the proper flags. Nevertheless, using scheduled query for event tables is probably preferable - using Kolide fleet or any other fleet management tool can be useful for you but not mandatory, you can also log scheduled queries to a log file and read it from there.

Thanks a lot super super useful !!! Really thanks