Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

This is a test tbh to see how wel logging of osquery looks at scale.  We write to file and ingest from there typically, we are evaluating the wel logger now to streamline our pipelines. 

Screen Shot 2019-01-30 at 8.16.28 AM.png

But when I use the `Log Name` above to subscribe to the events I am not able to subscribe.  nxlog and winlogbeat are unable to locate the logs with that identifier

Screen Shot 2019-01-30 at 8.13.23 AM.png

Sorry for the repeated deletes I had to blackout part of the image

Care to share?  I can’t find any combo that will allow me to subscribe to the osquery wel channel

Ok after trial and error if you subscribe to `osquery` as your provider/channel you can read the WEL osquery channel.

I am trying to see why I am missing the contents of the message field.  All I am getting in the message field atm is `Information` and the rest of the json isn’t being read.  But that is likely my parser