12/12/2022, 2:34 PM
Hi folks, a question: we're trying to query certain additional event log books on Windows machines, to be specific, a logbook section named VHDMP. Is this possible? If so, how would we do that? So far we tried to run queries against both the "windows_eventlog" and "windows_events" tables, but these seem to include only the primary logs such as system, application and security events.
I believe I've already found the answer to my question. It seems it's possible to add additional event log books using the "--windows_event_channels" parameter.