VQL event plugins are plugins that never terminate; instead, they generate rows as events occur.
Event plugins are useful for creating monitoring artifacts, both on clients and on the server.

| Plugin/Function | Type | Description |
|---|---|---|
| clock | Plugin | Generate a timestamp periodically |
| diff | Plugin | Executes ‘query’ periodically and emits differences from the last query |
| fifo | Plugin | Executes ‘query’ and caches a number of rows from it |
| watch_auditd | Plugin | Watch log files generated by auditd |
| watch_csv | Plugin | Watch a CSV file and stream events from it |
| watch_etw | Plugin | Watch for events from an ETW provider |
| watch_evtx | Plugin | Watch an EVTX file and stream events from it |
| watch_journald | Plugin | Watch a journald file and stream events from it |
| watch_jsonl | Plugin | Watch a jsonl file and stream events from it |
| watch_monitoring | Plugin | Watch clients’ monitoring log |
| watch_syslog | Plugin | Watch a syslog file and stream events from it |
| watch_usn | Plugin | Watch the USN journal from a device |
| wmi_events | Plugin | Executes evented WMI queries asynchronously |