Event Plugins

VQL event plugins are plugins that never terminate; instead, they generate rows in response to events. Event plugins are useful for creating client monitoring artifacts. Currently, client-side monitoring artifacts are specified in the Events section of the server configuration file. When clients connect to the server, they receive a list of the monitoring artifacts they are to run. Each client runs all of its artifacts in parallel and streams their results to the server.

| Plugin/Function | Type | Description |
|---|---|---|
| clock | Plugin | Generates a timestamp periodically |
| combine | Plugin | Combines the output of several queries into the same result set |
| diff | Plugin | Executes ‘query’ periodically and emits differences from the last query |
| fifo | Plugin | Executes ‘query’ and caches a number of rows from it |
| send_event | Function | Sends an event to a server event monitoring queue |
| watch_auditd | Plugin | Watches log files generated by auditd |
| watch_csv | Plugin | Watches a CSV file and streams events from it |
| watch_etw | Plugin | Watches for events from an ETW provider |
| watch_evtx | Plugin | Watches an EVTX file and streams events from it |
| watch_monitoring | Plugin | Watches clients’ monitoring log |
| watch_syslog | Plugin | Watches a syslog file and streams events from it |
| watch_usn | Plugin | Watches the USN journal from a device |
| wmi_events | Plugin | Executes evented WMI queries asynchronously |
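
As an added illustration (not taken from this page or from the project's own artifacts), the query below uses the diff plugin from the table to turn a periodic process listing into a stream of process-start events. It assumes the pslist() plugin with Pid, Name, Exe and CommandLine columns, and that diff() accepts query, key and period arguments and labels each emitted row in a Diff column.

```vql
-- Added example; plugin arguments and column names are assumptions noted above.

-- Snapshot query: diff() re-runs this on every period.
LET processes = SELECT Pid, Name, Exe, CommandLine FROM pslist()

-- Event query: diff() never terminates. Every 10 seconds it compares the new
-- snapshot with the previous one, keyed on Pid, and emits only the rows that
-- changed. Rows with Diff = "added" are processes that appeared since the last
-- snapshot; "removed" rows are processes that exited.
SELECT timestamp(epoch=now()) AS DetectedTime,
       Diff, Pid, Name, Exe, CommandLine
FROM diff(query=processes, key="Pid", period=10)
WHERE Diff = "added"
```

Because this is polling, a process that starts and exits between two snapshots is never reported; the watch_etw, watch_evtx and wmi_events plugins listed above are the event-driven alternatives where that gap matters.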