# windows
a
Hello, looking to see if anyone has a way to pull all events from the windows_eventlog table? I know you can do something like this:
SELECT * FROM windows_eventlog
WHERE eventid=4720 AND channel='Security'
But I am looking to just pull everything from the Security channel, but from my understanding you can wildcard an integer. So something like:
SELECT * FROM windows_eventlog
WHERE eventid=% AND channel='Security'
s
Not tried but I would expect >= 0 to work there?
although wait, does it even need the eventid?
As far as I can see from the code the eventid constraint is optional
z
SELECT * FROM windows_eventlog WHERE channel='Security' seems like it ought to work.