# kolide
Hey @maxwhite and @Mathieu Marcotte! Happy to help. Seems like we are talking about two tables: `windows_eventlog` and `windows_events`.

Let’s start with `windows_eventlog`. We have disabled querying `windows_eventlog` in Kolide because there seems to be a bug in osquery that on many devices causes it to freeze and not recover until the system is rebooted. See issue https://github.com/kolide/launcher/issues/670. It’s possible this is no longer an issue and we can unblock this table; we will look into it!

For the other table, `windows_events`: querying tables ending in `_events` in Live Query can lead to unexpected results. Sometimes by querying events this way you actually clear them out from the local agent. You can read more about the evented architecture in osquery here: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/

Generally for evented tables, you want to use the Log Pipeline so that when the events table is queried, the results are captured and sent to a log destination. We wrote a post about this topic, but for Windows file events: https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide. The steps should be similar!
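As an added illustration of the scheduled-query approach the message recommends (this is not code from the message, from Kolide, or from the linked blog post), here is what the equivalent looks like in a plain osquery configuration file rather than in Kolide’s Log Pipeline UI. It assumes the `windows_events` table and the `enable_windows_events_publisher` / `windows_event_channels` options of a recent osquery release, and the query name, channel list and event IDs are constructed for the example: the point is that the evented table is drained by the scheduler on a fixed interval and its rows go to the configured logger, instead of being consumed once by an ad-hoc live query.

```json
{
  "options": {
    "enable_windows_events_publisher": "true",
    "windows_event_channels": "System,Application,Security"
  },
  "schedule": {
    "windows_events_security_logons": {
      "query": "SELECT time, datetime, source, provider_name, eventid, level, data FROM windows_events WHERE source = 'Security' AND eventid IN (4624, 4625);",
      "interval": 60,
      "removed": false
    }
  }
}
```

Two things to check when adapting this: the schedule interval should be shorter than the agent’s event buffer expiry (osquery’s `events_expiry`, one hour by default) so events are logged before they age out, and a query against an evented table only ever returns rows that arrived since the scheduler last ran it, so a narrow `WHERE` clause like the one above is how you keep the volume sent to the log destination manageable.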