Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, software catalog Integrations
Docs Pricing
More
News Case studies Ask around Meetups Share your story
The handbook Get your license Schedule a demo
Try it yourself

Tables

Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.

macOS Apple

Linux Linux

Windows Windows

Chrome ChromeOS

unified_log

click to open the table of contents
macOS logo

unified​_log

Queries the OSLog framework for entries in the system log. The maximum number of rows returned is limited for performance issues. Use timestamp > or >= constraints to optimize query performance. This table introduces a new idiom for extracting sequential data in batches using multiple queries, ordered by timestamp. To trigger it, the user should include the condition "timestamp > -1", and the table will handle pagination. Note that the saved pagination counter is incremented globally across all queries and table invocations within a query. To avoid multiple table invocations within a query, use only AND and = constraints in WHERE clause.

Column Type Description
activity bigint the activity ID associate with the entry
category text the category of the os_log_t used
level text the severity level of the entry
max_rows integer the max number of rows returned (defaults to 100)
Not returned in SELECT * FROM unified_log.
message text composed message
pid bigint the pid of the process that made the entry
predicate text predicate to search (see log help predicates), note that this is merged into the predicate created from the column constraints
Not returned in SELECT * FROM unified_log.
process text the name of the process that made the entry
sender text the name of the binary image that made the entry
storage integer the storage category for the entry
subsystem text the subsystem of the os_log_t used
tid bigint the tid of the thread that made the entry
timestamp bigint unix timestamp associated with the entry
timestamp_double text floating point timestamp associated with the entry

Example

select * from unified_log where timestamp > -1 and timestamp > (select unix_time - 86400 from time)
Edit page

Questions?

Ask us anything
{{table.title}} evented table