Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

Apple

socket_events

Track network socket bind, connect, and accepts.

Column	Type	Description
action	text	The socket action (bind, connect, accept)
auid	bigint	Audit User ID
eid	text	Event ID *Not returned in `SELECT FROM socket_events`.**
family	integer	The Internet protocol family ID
fd	text	The file description for the process socket
local_address	text	Local address associated with socket
local_port	integer	Local network protocol port number
path	text	Path of executed file
pid	bigint	Process (or thread) ID
protocol	integer	The network protocol ID *Not returned in `SELECT FROM socket_events`.**
remote_address	text	Remote address associated with socket
remote_port	integer	Remote network protocol port number
socket	text	The local path (UNIX domain socket only) *Not returned in `SELECT FROM socket_events`.**
status	text	Either 'succeeded', 'failed', 'in_progress' (connect() on non-blocking socket) or 'no_client' (null accept() on non-blocking socket) Only available on linux
success	integer	Deprecated. Use the 'status' column instead *Not returned in `SELECT FROM socket_events`.**
time	bigint	Time of execution in UNIX time
uptime	bigint	Time of execution in system uptime

Edit page

Ask us anything

Multi platform Device management Orchestration Software management Integrations Pricing

Documentation Support Docs API Release notes Get your license

Company About News Jobs Logos/artwork Why open source?

SOC2 Type 2

Tried Fleet yet?

Get started with Fleet