metalgearsolid
03/30/2021, 10:20 AM
windows_eventlog table and figuring out what command to run to check what channels are available from the endpoint? I did a simple select channel from windows_eventlog where channel like '%' and it seems like that does not work, wondering if anyone has a workaround to share? Thanks!

manu
03/30/2021, 12:00 PM
windows_eventlog takes in channel as the input in the constraint via the WHERE clause. The user has to specify channels in the conf files. channel is used to filter out events specific to that channel via windows_eventlog. So from the table it doesn't add much, as it will at most list out the channel specified in the conf file.

osquery> select channel from windows_eventlog where channel like 'Microsoft-Windows-PowerShell/Operational' limit(1);
W0330 17:30:48.204026 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified
osquery> select channel from windows_eventlog where channel like '%powershell%';
W0330 17:31:46.588500 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified

--windows_event_channels=Security,Microsoft-Windows-PowerShell/Operational
metalgearsolid
03/30/2021, 12:27 PM