VQL Event plugins are plugins which never terminate - but instead
generate rows based on events. Event plugins are useful for creating
client monitoring artifacts. Currently, client side monitoring
artifacts are specified in the Events section of the server
configuration file. When clients connect to the server, they receive a
list of monitoring artifacts they are to run. The client runs all
artifacts in parallel and their results are streamed to the server.
| Plugin/Function | Type | Description |
|---|---|---|
| clock | Plugin | Generate a timestamp periodically |
| combine | Plugin | Combine the output of several queries into the same result set |
| diff | Plugin | Executes ‘query’ periodically and emit differences from the last query |
| fifo | Plugin | Executes ‘query’ and cache a number of rows from it |
| send_event | Function | Sends an event to a server event monitoring queue |
| watch_auditd | Plugin | Watch log files generated by auditd |
| watch_csv | Plugin | Watch a CSV file and stream events from it |
| watch_etw | Plugin | Watch for events from an ETW provider |
| watch_evtx | Plugin | Watch an EVTX file and stream events from it |
| watch_monitoring | Plugin | Watch clients’ monitoring log |
| watch_syslog | Plugin | Watch a syslog file and stream events from it |
| watch_usn | Plugin | Watch the USN journal from a device |
| wmi_events | Plugin | Executes an evented WMI queries asynchronously |