Hello does anyone have experience with the `windows eventlog

Question

Hello does anyone have experience with the `windows eventlog` table and figuring out what command to run to check what channels are available from the endpoint I did a simple `select channel from windows eventlog where channel like ` and seems like that does not work wondering if anyone has a workaround to share Thanks

manu · Answer

`windows eventlog` takes in `channel` as the input in the constraint via WHERE clause User has to specify channels in the conf files `channel` is used to filter out event specific to that via `windows eventlog` So from the table it doesn t add much as it will at most list out channel specified in the conf file

manu · Answer

osquery gt select channel from windows eventlog where channel= Microsoft Windows PowerShell Operational limit 1 + + | channel | + + | Microsoft Windows PowerShell Operational | + +

manu · Answer

```osquery gt select channel from windows eventlog where channel like Microsoft Windows PowerShell Operational limit 1 W0330 17 30 48 204026 14084 windows eventlog cpp 281 Query constraints are invalid the event channel or xpath must be specified osquery gt select channel from windows eventlog where channel like powershell W0330 17 31 46 588500 14084 windows eventlog cpp 281 Query constraints are invalid the event channel or xpath must be specified```

manu · Answer

e g in my conf file i added below mentioned channels to subscribe to ``` windows event channels=Security Microsoft Windows PowerShell Operational```

metalgearsolid · Answer

Thanks a lot mate i guess the idea is that we need to specify the name of the evtlog file in channel specifically

metalgearsolid · Answer

Just thinking it would be nice if constraints are specified in the osquery schema i don t believe i saw that just now when i checked