Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

image.png

<@U6EFFT5FG> (because you last worked on this code with the big event batching refactor :slightly_smiling_face: )
Or others:

It appears that the `windows_events` table does not pull in the `Computer` field (I believe this is where it would be pulled out - <https://github.com/osquery/osquery/blob/master/osquery/events/windows/windowseventlogparser.cpp#L145>)

The `Computer` field is extremely important because it is the hostname of the system that the log was originally generated on - it's common to aggregate Windows eventlogs to a few Windows systems using Windows Eventlog Forwarding (WEF) and then ship those to the backend system using something like Winlogbeat/Osquery etc. Without the `Computer` field, the backend system has no idea of where the original log came from.

Further ref:  <https://docs.microsoft.com/en-us/windows/win32/wes/eventschema-computer-systempropertiestype-element>

+1 to this :slightly_smiling_face: I actually opened a FR some time ago: <https://github.com/osquery/osquery/issues/6726>

I haven't stared at the code, but it sounds reasonable and like a small patch. Either of you want to submit a PR?

I could certainly try :slightly_smiling_face:

Just took at a stab it at - <https://github.com/osquery/osquery/pull/6952>