Welcome to the documentation for Fleet, the lightweight management platform for laptops and servers.
Can't find what you're looking for? Support
Fleet logs the following information for administrative activities (in JSON):
created_at
: Timestamp of the event.id
: Unique ID of the generated event in Fleet.actor_full_name
: Author user name (missing if the user was deleted).actor_id
: Unique ID of the author in Fleet (missing if the user was deleted).actor_gravatar
: Gravatar URL of the author (missing if the user was deleted).actor_email
: E-mail of the author (missing if the user was deleted).type
: Type of the activity (see all types below).details
: Specific details depending on the type of activity (see details for each activity type below).Example:
{
"created_at": "2022-12-20T14:54:17Z",
"id": 6,
"actor_full_name": "Gandalf",
"actor_id": 2,
"actor_gravatar": "[email protected]",
"actor_email": "[email protected]",
"type": "edited_saved_query",
"details":{
"query_id": 42,
"query_name": "Some query name"
}
}
You can automatically send these logs to your log destination. Learn how to configure this here.
To view activities in the UI, click the Fleet icon in the top navigation bar and locate the Activity section.
Following is a summary of the types of administrative activities logged by Fleet:
Generated when creating scheduled query packs.
This activity contains the following fields:
{
"pack_id": 123,
"pack_name": "foo"
}
Generated when editing scheduled query packs.
This activity contains the following fields:
{
"pack_id": 123,
"pack_name": "foo"
}
Generated when deleting scheduled query packs.
This activity contains the following fields:
{
"pack_name": "foo"
}
Generated when applying a scheduled query pack spec.
This activity does not contain any detail fields.
Generated when creating policies.
This activity contains the following fields:
{
"policy_id": 123,
"policy_name": "foo"
}
Generated when editing policies.
This activity contains the following fields:
{
"policy_id": 123,
"policy_name": "foo"
}
Generated when deleting policies.
This activity contains the following fields:
{
"policy_id": 123,
"policy_name": "foo"
}
Generated when applying policy specs.
This activity contains a field "policies" where each item is a policy spec with the following fields:
{
"policies": [
{
"name":"Gatekeeper enabled (macOS)",
"query":"SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;",
"critical":false,
"platform":"darwin",
"resolution":"To enable Gatekeeper, on the failing device [...]",
"description":"Checks to make sure that the Gatekeeper feature is [...]"
},
{
"name":"Full disk encryption enabled (Windows)",
"query":"SELECT 1 FROM bitlocker_info WHERE drive_letter='C:' AND protection_status=1;",
"critical":false,
"platform":"windows",
"resolution":"To get additional information, run the following osquery [...]",
"description":"Checks to make sure that full disk encryption is enabled on Windows devices."
}
]
}
Generated when creating a new query.
This activity contains the following fields:
{
"query_id": 123,
"query_name": "foo"
}
Generated when editing a saved query.
This activity contains the following fields:
{
"query_id": 123,
"query_name": "foo"
}
Generated when deleting a saved query.
This activity contains the following fields:
{
"query_name": "foo"
}
Generated when deleting multiple saved queries.
This activity contains the following fields:
{
"query_ids": [1, 42, 100]
}
Generated when applying a query spec.
This activity contains a field "specs" where each item is a query spec with the following fields:
{
"specs": [
{
"name":"Get OpenSSL versions",
"query":"SELECT name AS name, version AS version, 'deb_packages' AS source FROM [...]",
"description":"Retrieves the OpenSSL version."
}
]
}
Generated when creating teams.
This activity contains the following fields:
{
"team_id": 123,
"team_name": "foo"
}
Generated when deleting teams.
This activity contains the following fields:
{
"team_id": 123,
"team_name": "foo"
}
Generated when applying team specs.
This activity contains a field "teams" where each item contains the team details with the following fields:
{
"teams": [
{
"id": 123,
"name": "foo"
}
]
}
Generated when a user transfers a host (or multiple hosts) to a team (or no team).
This activity contains the following fields:
null
if transferred to no team.null
if transferred to no team.{
"team_id": 123,
"team_name": "Workstations",
"host_ids": [1, 2, 3],
"host_display_names": ["alice-macbook-air", "bob-macbook-pro", "linux-server"]
}
Generated when agent options are edited (either globally or for a team).
This activity contains the following fields:
null
if global is true).null
if global is true).{
"team_id": 123,
"team_name": "foo",
"global": false
}
Generated when running live queries.
This activity contains the following fields:
{
"targets_count": 5000,
"query_sql": "SELECT * from osquery_info;",
"query_name": "foo"
}
Generated when new users are added via SSO JIT provisioning
This activity does not contain any detail fields.
Generated when users successfully log in to Fleet.
This activity contains the following fields:
{
"public_ip": "168.226.215.82"
}
Generated when users try to log in to Fleet and fail.
This activity contains the following fields:
{
"email": "[email protected]",
"public_ip": "168.226.215.82"
}
Generated when a user is created.
This activity contains the following fields:
{
"user_id": 42,
"user_name": "Foo",
"user_email": "[email protected]"
}
Generated when a user is deleted.
This activity contains the following fields:
{
"user_id": 42,
"user_name": "Foo",
"user_email": "[email protected]"
}
Generated when user global roles are changed.
This activity contains the following fields:
{
"user_id": 42,
"user_name": "Foo",
"user_email": "[email protected]",
"role": "Observer"
}
Generated when user global roles are deleted.
This activity contains the following fields:
{
"user_id": 43,
"user_name": "Foo",
"user_email": "[email protected]",
"role": "Maintainer"
}
Generated when user team roles are changed.
This activity contains the following fields:
{
"user_id": 43,
"user_name": "Foo",
"user_email": "[email protected]",
"role": "Maintainer",
"team_id": 5,
"team_name": "Bar"
}
Generated when user team roles are deleted.
This activity contains the following fields:
{
"user_id": 44,
"user_name": "Foo",
"user_email": "[email protected]",
"role": "Observer",
"team_id": 2,
"team_name": "Zoo"
}
Generated when a host is enrolled in Fleet's MDM.
This activity contains the following fields:
{
"host_serial": "C08VQ2AXHT96",
"host_display_name": "MacBookPro16,1 (C08VQ2AXHT96)",
"installed_from_dep": true,
"mdm_platform": "apple"
}
Generated when a host is unenrolled from Fleet's MDM.
This activity contains the following fields:
{
"host_serial": "C08VQ2AXHT96",
"host_display_name": "MacBookPro16,1 (C08VQ2AXHT96)",
"installed_from_dep": true
}
Generated when the minimum required macOS version or deadline is modified.
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"team_id": 3,
"team_name": "Workstations",
"minimum_version": "13.0.1",
"deadline": "2023-06-01"
}
Generated when the Windows OS updates deadline or grace period is modified.
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.null
if the requirement was removed.null
if the requirement was removed.{
"team_id": 3,
"team_name": "Workstations",
"deadline_days": 5,
"grace_period_days": 2
}
Generated when a user reads the disk encryption key for a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
}
Generated when a user adds a new macOS profile to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"profile_name": "Custom settings 1",
"profile_identifier": "com.my.profile",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user deletes a macOS profile from a team (or no team).
This activity contains the following fields:
null
if it applied to devices that are not in a team.null
if it applied to devices that are not in a team.{
"profile_name": "Custom settings 1",
"profile_identifier": "com.my.profile",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user edits the macOS profiles of a team (or no team) via the fleetctl CLI.
This activity contains the following fields:
null
if they apply to devices that are not in a team.null
if they apply to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user sets the macOS setup assistant for a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"name": "dep_profile.json",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user deletes the macOS setup assistant for a team (or no team).
This activity contains the following fields:
null
if it applied to devices that are not in a team.null
if it applied to devices that are not in a team.{
"name": "dep_profile.json",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user turns on macOS disk encryption for a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user turns off macOS disk encryption for a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user adds a new bootstrap package to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"bootstrap_package_name": "bootstrap-package.pkg",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user deletes a bootstrap package from a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"package_name": "bootstrap-package.pkg",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user turns on end user authentication for macOS hosts that automatically enroll to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user turns off end user authentication for macOS hosts that automatically enroll to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user turns on MDM features for all Windows hosts (servers excluded).
This activity does not contain any detail fields.
Generated when a user turns off MDM features for all Windows hosts.
This activity does not contain any detail fields.
Generated when a script is sent to be run for a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
"script_name": "set-timezones.sh",
"script_execution_id": "d6cffa75-b5b5-41ef-9230-15073c8a88cf",
"async": false
}
Generated when a script is added to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"script_name": "set-timezones.sh",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a script is deleted from a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"script_name": "set-timezones.sh",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user edits the scripts of a team (or no team) via the fleetctl CLI.
This activity contains the following fields:
null
if they apply to devices that are not in a team.null
if they apply to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user adds a new Windows profile to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"profile_name": "Custom settings 1",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user deletes a Windows profile from a team (or no team).
This activity contains the following fields:
null
if it applied to devices that are not in a team.null
if it applied to devices that are not in a team.{
"profile_name": "Custom settings 1",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user edits the Windows profiles of a team (or no team) via the fleetctl CLI.
This activity contains the following fields:
null
if they apply to devices that are not in a team.null
if they apply to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user sends a request to lock a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro"
}
Generated when a user sends a request to unlock a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
"host_platform": "darwin"
}
Generated when a user sends a request to wipe a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro"
}
Generated when a user adds a new macOS declaration to a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"profile_name": "Passcode requirements",
"profile_identifier": "com.my.declaration",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user removes a macOS declaration from a team (or no team).
This activity contains the following fields:
null
if it applies to devices that are not in a team.null
if it applies to devices that are not in a team.{
"profile_name": "Passcode requirements",
"profile_identifier": "com.my.declaration",
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user edits the macOS declarations of a team (or no team) via the fleetctl CLI.
This activity contains the following fields:
null
if they apply to devices that are not in a team.null
if they apply to devices that are not in a team.{
"team_id": 123,
"team_name": "Workstations"
}
Generated when a user resends an MDM configuration profile to a host.
This activity contains the following fields:
{
"host_id": 1,
"host_display_name": "Anna's MacBook Pro",
"profile_name": "Passcode requirements"
}
If you notice something we've missed or could be improved on, please follow this link and submit a pull request to the Fleet repo.
Back to top