Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Solutions A small chevron
Device management

Device management

Remotely manage, and protect laptops and mobile devices.

Orchestration

Orchestration

Automate tasks across devices, from app installs to scripts.

Software management

Software management

Inventory, patch, and manage installed software.

Extend Fleet

Extend Fleet

Integrate your favorite tools with Fleet.

Customers A small chevron
Stripe + Fleet

Stripe + Fleet

Stripe consolidates multiple tools with Fleet.

Foursquare + Fleet

Foursquare + Fleet

Foursquare quickly migrates to Fleet for device management.

What people are saying

What people are saying

Stories from the Fleet community.

Pricing
More A small chevron
Try it yourself Get a demo

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

asl

click to open the table of contents
macOS logo

asl

Queries the Apple System Log data structure for system events.

Column Type Description
extra text Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h.
facility text Sender's facility. Default is 'user'.
gid bigint GID that sent the log message (set by the server).
host text Sender's address (set by the server).
level integer Log level number. See levels in asl.h.
message text Message text.
pid integer Sending process ID encoded as a string. Set automatically.
ref_pid integer Reference PID for messages proxied by launchd
ref_proc text Reference process for messages proxied by launchd
sender text Sender's identification string. Default is process name.
time integer Unix timestamp. Set automatically
time_nano_sec integer Nanosecond time.
uid bigint UID that sent the log message (set by the server).

Example

Apple System Logger (ASL) is deprecated since macOS 10.12. On older Macs, this table can be used to read logs. On newer ones, see the unified_log table. This example is from the osquery documentation.

SELECT time, message FROM asl WHERE facility = 'authpriv' AND sender = 'sudo' AND message LIKE '%python%';
Edit page

Questions?

Ask us anything
{{table.title}} evented table