https://github.com/osquery/osquery logo
Powered by
Title
d

defensivedepth

09/20/2021, 1:04 PM
Trying using the name that you get when you right-click on the channel and go to properties, under the name field
j

Juan Alvarez

09/20/2021, 1:39 PM
That is the one giving me the error 50. I also realized that the file is a .etl file instead of a .evtx file, so it seems to be a special channel somehow.
s

Stefano Bonicatti

09/20/2021, 2:58 PM
I'm not too familiar with the Windows EventLog but a quick google search seems to suggest that if the channel writes to an 
.etl
file, then it cannot be subscribed to, so no events will be generated that osquery can catch. Maybe though those can be queried via the 
windows_eventlog
table.
https://osquery.io/schema/5.0.1/#windows_eventlog
(which is not evented)
j

Juan Alvarez

09/20/2021, 3:22 PM
I see... so it is a eventlog without events 😄 Ill give it a try to that other table then
It would seem that error is similar via that table: 
osquery> SELECT * FROM windows_eventlog where channel="Microsoft-Windows-DNSServer/Analytical";
W0921 17:39:11.236779  5024 windows_eventlog.cpp:294] Failed to search event log for query with 50
Maybe am i missing something? Or i just hit a limitation?
According to MSFT docs, https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499- , error 50 is request not supported. If anyone has any ideas on how to overcome this , it would be greatly appreciated! Also thanks @defensivedepth and @Stefano Bonicatti for your insights.
6 Views
#windowsJoin Slack
Powered by