Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, software catalog Integrations
Docs Pricing
More
News Case studies Ask around Meetups Share your story
The handbook Get your license Schedule a demo
Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

asl

click to open the table of contents
macOS logo

asl

Queries the Apple System Log data structure for system events.

Column Type Description
extra text Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.
facility text Sender's facility. Default is 'user'.
gid bigint GID that sent the log message (set by the server).
host text Sender's address (set by the server).
level integer Log level number. See levels in asl.h.
message text Message text.
pid integer Sending process ID encoded as a string. Set automatically.
ref_pid integer Reference PID for messages proxied by launchd
ref_proc text Reference process for messages proxied by launchd
sender text Sender's identification string. Default is process name.
time integer Unix timestamp. Set automatically
time_nano_sec integer Nanosecond time.
uid bigint UID that sent the log message (set by the server).

Example

Apple System Logger (ASL) is deprecated since macOS 10.12. On older Macs, this table can be used to read logs. On newer ones, see the unified_log table. This example is from the osquery documentation.

SELECT time, message FROM asl WHERE facility = 'authpriv' AND sender = 'sudo' AND message LIKE '%python%';
Edit page

Questions?

Ask us anything
{{table.title}} evented table