Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

Linux

Windows

ChromeOS

windows_eventlog

Table for querying all recorded Windows event logs.

Column	Type	Description
channel	text	Source or channel of the event Required in `WHERE` clause
computer_name	text	Hostname of system where event was generated
data	text	Data associated with the event
datetime	text	System time at which the event occurred
eventid	integer	Event ID of the event
keywords	text	A bitmask of the keywords defined in the event
level	integer	Severity level associated with the event
pid	integer	Process ID which emitted the event record
provider_guid	text	Provider guid of the event
provider_name	text	Provider name of the event
task	integer	Task value associated with the event
tid	integer	Thread ID which emitted the event record
time_range	text	System time to selectively filter the events *Not returned in `SELECT FROM windows_eventlog`.**
timestamp	text	Timestamp to selectively filter the events *Not returned in `SELECT FROM windows_eventlog`.**
xpath	text	The custom query to filter events Required in `WHERE` clause *Not returned in `SELECT FROM windows_eventlog`.**

Example

Tracking user account changes is a key part of both detection & incident response. This query lists all Windows Eventlogs from the Security channel with an EventID of 4720 - A user account was created. There are many other relevant EventIDs that should be monitored as well:

SELECT datetime,computer_name,data FROM windows_eventlog WHERE eventid=4720 AND channel='Security'

Notes

This is not an evented table - instead, it pulls directly from the local system's existing eventlogs.
The information returned in the data column will be JSON formatted, which will require additional parsing.

Edit page