<@U0JT049S4> im using osquery 3.2.6 and tested ag...
# windowsm
Mustafa
07/20/2018, 8:56 AM@thor im using osquery 3.2.6 and tested again. I provided that Microsoft-Windows-PowerShell/Operational event channel contained only 5 events... and I see that 10 events is written into osquery_results log file (each event as twice)
is this a known issue at osquery 3.2.6 but I couldnt see such a fix in newer versions
t
thor
07/20/2018, 2:06 PM
Yeah this was a bug that was fixed in 3.2.9. There’s no known issues with the event log publishers on the latest version
m
Mustafa
07/20/2018, 2:15 PMthanks
t
thor
07/20/2018, 2:51 PM
Sorry, this is not a known issue :) I misread you’re issue! I’ll investigate a bit further
m
Mustafa
07/20/2018, 2:53 PMOK, it will probably a bug. thanks
t
thor
07/20/2018, 3:13 PM
This might be because in the powershell events table we only grab script block logs and reconstruct. Whereas the windows events table grabs all of the events, you might be seeing duplicates from that
thor
07/20/2018, 3:14 PM
But yeah this might be a bug
3 Views