Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello, does anyone have experience with the `windows_eventlog` table and figuring out what command to run to check what channels are available from the endpoint? I did a simple `select channel from windows_eventlog where channel like '%'` and seems like that does not work, wondering if anyone has a workaround to share? Thanks!

`windows_eventlog` takes in `channel` as the input in the constraint via WHERE clause. User has to specify channels in the conf files. `channel` is used to filter out event specific to that via `windows_eventlog`.  So from the table it doesn't add much as it will at most  list out channel specified in the conf file.

osquery&gt; select channel from windows_eventlog where channel='Microsoft-Windows-PowerShell/Operational' limit(1);
+------------------------------------------+
| channel                                  |
+------------------------------------------+
| Microsoft-Windows-PowerShell/Operational |
+------------------------------------------+

```osquery&gt; select channel from windows_eventlog where channel like 'Microsoft-Windows-PowerShell/Operational' limit(1);
W0330 17:30:48.204026 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified
osquery&gt; select channel from windows_eventlog where channel like '%powershell%';
W0330 17:31:46.588500 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified```

e.g. in my conf file i added below mentioned channels to subscribe to.
```--windows_event_channels=Security,Microsoft-Windows-PowerShell/Operational```

Thanks a lot mate, i guess the idea is that we need to specify the name of the evtlog file in channel specifically.

Just thinking it would be nice if constraints are specified in the osquery schema, i don’t believe i saw that just now when i checked