Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

macadmins_unified_log

click to open the table of contents
macOS logo

macadmins​_unified​_log

Allows querying macOS unified logs.

Column Type Description
activity_identifier int The identifier of the log activity.
boot_uuid text The boot UUID of the event.
category text The category of the log activity.
event_message text The message of the log entry.
event_type text The type of event, this can be logEvent, signpostEvent or stateEvent.
format_string text The format string used to convert variable content into a string for output.
log_level text The log level of this item, such as default, info, fault, etc.
parent_activity_identifier uint ID of the parent activity
process_id bigint Process ID of the process that generated this log item, which can be joined to multiple other tables including a PID.
process_image_path text The full path of the process that originated the event.
sender_image_path text The full path of the library, framework, kernel extension, or mach-o image, that originated the event.
sender_image_uuid text The UUID of the library, framework, kernel extension, or mach-o image, that originated the event.
sender_program_counter uint The program counter of the library, framework, kernel extension, or mach-o image, that originated the event.
subsystem text The subsystem responsible for this activity.
thread_id bigint The ID of the thread that originated the event.
timestamp bigint Timestamp in UNIX time format.
trace_id text The ID of a trace event

Example

Select the log entries that happened during the last minute and are related to LaunchServices. Convert the UNIX time to a human readable format, and the signature table to verify its cryptographic signature.

SELECT u.category, u.event_message, u.process_id, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM macadmins_unified_log u JOIN processes p ON u.process_id = p.pid JOIN signature s ON p.path = s.path WHERE u.sender_image_path LIKE '%LaunchServices%' AND last = "1m";

Notes

This table is from the Mac Admins osquery extension.

Edit page

Questions?

Ask us anything
{{table.title}} evented table