# windows
@thor I'm using osquery 3.2.6 and tested again. I provided that the Microsoft-Windows-PowerShell/Operational event channel contained only 5 events... and I see that 10 events are written into the osquery_results log file (each event twice). Is this a known issue in osquery 3.2.6? But I couldn't see such a fix in newer versions.
Yeah this was a bug that was fixed in 3.2.9. There are no known issues with the event log publishers on the latest version
Sorry, this is not a known issue :) I misread your issue! I'll investigate a bit further
OK, it will probably be a bug. Thanks
This might be because in the PowerShell events table we only grab script block logs and reconstruct, whereas the Windows events table grabs all of the events; you might be seeing duplicates from that
But yeah this might be a bug