Title
#windows
m

metalgearsolid

03/30/2021, 10:20 AM
Hello, does anyone have experience with the
windows_eventlog
table and figuring out what command to run to check what channels are available from the endpoint? I did a simple
select channel from windows_eventlog where channel like '%'
and seems like that does not work, wondering if anyone has a workaround to share? Thanks!
manu

manu

03/30/2021, 12:00 PM
windows_eventlog
takes in
channel
as the input in the constraint via WHERE clause. User has to specify channels in the conf files.
channel
is used to filter out event specific to that via
windows_eventlog
. So from the table it doesn't add much as it will at most list out channel specified in the conf file.
12:01 PM
osquery> select channel from windows_eventlog where channel='Microsoft-Windows-PowerShell/Operational' limit(1); +------------------------------------------+ | channel | +------------------------------------------+ | Microsoft-Windows-PowerShell/Operational | +------------------------------------------+
12:02 PM
osquery> select channel from windows_eventlog where channel like 'Microsoft-Windows-PowerShell/Operational' limit(1);
W0330 17:30:48.204026 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified
osquery> select channel from windows_eventlog where channel like '%powershell%';
W0330 17:31:46.588500 14084 windows_eventlog.cpp:281] Query constraints are invalid: the event channel or xpath must be specified
12:04 PM
e.g. in my conf file i added below mentioned channels to subscribe to.
--windows_event_channels=Security,Microsoft-Windows-PowerShell/Operational
m

metalgearsolid

03/30/2021, 12:27 PM
Thanks a lot mate, i guess the idea is that we need to specify the name of the evtlog file in channel specifically.
12:28 PM
Just thinking it would be nice if constraints are specified in the osquery schema, i don’t believe i saw that just now when i checked