Solutions
Device management
Remotely manage, and protect laptops and mobile devices.
Orchestration
Automate tasks across devices, from app installs to scripts.
Software management
Inventory, patch, and manage installed software.
Extend Fleet
Integrate your favorite tools with Fleet.
Customers
Stripe + Fleet
Stripe consolidates multiple tools with Fleet.
Foursquare + Fleet
Foursquare quickly migrates to Fleet for device management.
What people are saying
Stories from the Fleet community.
Pricing
More
Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
process_events
process_events EVENTED TABLE
Track time/action process executions.
| Column | Type | Description |
|---|---|---|
| atime | bigint | File last access in UNIX time |
| auid | bigint | Audit User ID at process start |
| btime | bigint | File creation in UNIX time |
| cmdline | text | Command line arguments (argv) |
| cmdline_size | bigint | Actual size (bytes) of command line arguments Not returned in SELECT * FROM process_events. |
| ctime | bigint | File last metadata change in UNIX time |
| cwd | text | The process current working directory |
| egid | bigint | Effective group ID at process start |
| eid | text | Event ID Not returned in SELECT * FROM process_events. |
| env | text | Environment variables delimited by spaces Not returned in SELECT * FROM process_events. |
| env_count | bigint | Number of environment variables Not returned in SELECT * FROM process_events. |
| env_size | bigint | Actual size (bytes) of environment list Not returned in SELECT * FROM process_events. |
| euid | bigint | Effective user ID at process start |
| fsgid | bigint | Filesystem group ID at process start Only available on Linux |
| fsuid | bigint | Filesystem user ID at process start Only available on Linux |
| gid | bigint | Group ID at process start |
| mode | text | File mode permissions |
| mtime | bigint | File modification in UNIX time |
| overflows | text | List of structures that overflowed Not returned in SELECT * FROM process_events. |
| owner_gid | bigint | File owner group ID |
| owner_uid | bigint | File owner user ID |
| parent | bigint | Process parent's PID, or -1 if cannot be determined. |
| path | text | Path of executed file |
| pid | bigint | Process (or thread) ID |
| sgid | bigint | Saved group ID at process start Only available on Linux |
| status | bigint | OpenBSM Attribute: Status of the process Only available on macOS |
| suid | bigint | Saved user ID at process start Only available on Linux |
| syscall | text | Syscall name: fork, vfork, clone, execve, execveat Only available on Linux |
| time | bigint | Time of execution in UNIX time |
| uid | bigint | User ID at process start |
| uptime | bigint | Time of execution in system uptime |
Questions?
SOC2 Type 2
