Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey  <@U6NAHKA2U> and <@U7X4W9J1X>!  Happy to help. Seems like we are talking about two tables… `windows_eventlog` and `windows_events`.

Let’s start with `windows_eventlog` . So we have disabled querying `windows_eventlog` in Kolide because there seems to be a bug in osquery that on many devices causes it to freeze and not recover until the system is rebooted. See issue <https://github.com/kolide/launcher/issues/670>. It’s possible this is no longer an issue and we can unblock this table, we will look into it!

For the other table `windows_events`. Querying tables ending in  `_events` in Live Query can lead to unexpected results. Sometimes by querying events this way you actually clear them out from the local agent. You can read more about the evented architecture in osquery here. <https://osquery.readthedocs.io/en/stable/development/pubsub-framework/>

Generally for evented tables, you want to use the Log Pipeline so that when the events table is queried, the results are captured and sent to a log destination.

We wrote a post about this topic but for Windows file events. <https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide>. The steps should be similar!