Sophos Endpoint

Events Help on creating event log query

Sophos Endpoint requires membership for participation - click to join

Complete

over 2 years ago

This has been answered in the comments section.

Help on creating event log query

Hi,

please can you help me in creating a query for extracting the last # events of Windows Application event log?

Thanks

Giovanni

GiovanniGiovannelli

Top Comments

Karl Ackerman over 3 years ago +1

Hi Giovanni, Sophos keeps a copy of the windows events in our own journal to protect from some adversary deleting the logs. To get a list of only the last N Application log events you can use this query…

GiovanniGiovannelli over 3 years ago

Thank you ;-) Giovanni
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Karl Ackerman over 3 years ago

Hi Giovanni,

Sophos keeps a copy of the windows events in our own journal to protect from some adversary deleting the logs. To get a list of only the last N Application log events you can use this query. SELECT * FROM sophos_windows_events WHERE time >strftime('%s','now','-1 days') AND source = 'Application' ORDER BY time DESC LIMIT 100; Note a few things I chose to do. Time range: I set a time range of the last 1 day. This journal can be very large and by default any select from the table would start by searching the whole table. I did this with a strftime function. Next I wanted to limit this to application events and not every thing else so selected source = 'Application' Note that the information you may be interested in is in the data field. If you want to select specific cols you will need to do a more focused SELECT instead of SELECT *. You can use json_extract to create cols from the json data if need be Last we set the limit to 100. EVENT ID information is online if you need to translate the EVENT ID information. www.ultimatewindowssecurity.com/.../

Hope that helps and thanks for the question.
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel