Trying using the name that you get when you right click on t osquery #windows

Join Slack

Trying using the name that you get when you right-...

# windows

defensivedepth

09/20/2021, 1:04 PM

Trying using the name that you get when you right-click on the channel and go to properties, under the name field

Juan Alvarez

09/20/2021, 1:39 PM

That is the one giving me the error 50. I also realized that the file is a .etl file instead of a .evtx file, so it seems to be a special channel somehow.

Stefano Bonicatti

09/20/2021, 2:58 PM

I'm not too familiar with the Windows EventLog but a quick google search seems to suggest that if the channel writes to an

.etl

file, then it cannot be subscribed to, so no events will be generated that osquery can catch. Maybe though those can be queried via the

windows_eventlog

table.

Stefano Bonicatti

09/20/2021, 2:58 PM

https://osquery.io/schema/5.0.1/#windows_eventlog

Stefano Bonicatti

09/20/2021, 2:59 PM

(which is not evented)

Juan Alvarez

09/20/2021, 3:22 PM

I see... so it is a eventlog without events 😄 Ill give it a try to that other table then

Juan Alvarez

09/21/2021, 3:40 PM

It would seem that error is similar via that table:

Copy code

osquery> SELECT * FROM windows_eventlog where channel="Microsoft-Windows-DNSServer/Analytical";
W0921 17:39:11.236779  5024 windows_eventlog.cpp:294] Failed to search event log for query with 50

Maybe am i missing something? Or i just hit a limitation?

Juan Alvarez

09/21/2021, 3:45 PM

According to MSFT docs, https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499- , error 50 is request not supported. If anyone has any ideas on how to overcome this , it would be greatly appreciated! Also thanks @defensivedepth and @Stefano Bonicatti for your insights.

7 Views

Open in Slack

Previous Next