
Arsenio

03/07/2023, 3:32 PM
Hello, looking to see if anyone has a way to pull all events from the windows_eventlog table? I know you can do something like this:
SELECT * FROM windows_eventlog
WHERE eventid=4720 AND channel='Security'
But I am looking to just pull everything from the Security channel, but from my understanding you can wildcard an integer. So something like:
SELECT * FROM windows_eventlog
WHERE eventid=% AND channel='Security'

Stefano Bonicatti

03/07/2023, 4:07 PM
Not tried, but I would expect >= 0 to work there?
Although wait, does it even need the eventid?
As far as I can see from the code, the eventid constraint is optional.

zwass

03/07/2023, 6:06 PM
SELECT * FROM windows_eventlog WHERE channel='Security'
seems like it ought to work.