# windows

thor

06/18/2019, 6:25 PM
@A Conno how are you doing it? just like osqueryi "select * from windows_events" > my_file.txt ?

A Conno

06/18/2019, 6:30 PM
just like that

thor

06/18/2019, 6:31 PM
Ah ok, that won't work because windows_events is an event-based table, meaning osquery has to be running interactively, so either dropping to the shell or running as the daemon, before any data will be generated
You can read more about event based vs schedule based tables in the read the docs

A Conno

06/18/2019, 6:35 PM
got it - so if I want to get the results outside shell, need to use the daemon?

thor

06/18/2019, 6:39 PM
Yeah for this instance you'd be better off using the daemon

A Conno

06/18/2019, 9:56 PM
thanks - I was way over-complicating things. Just added a couple of basic queries to the config, restarted the daemon, and events started flowing into logs
is there a manual way to flush an events table? I've tried significantly lowering events_expiry, but I don't think the flags file is being read

thor

06/21/2019, 3:56 AM
The best you can do is to decrease the query interval to be very close together