Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
unified_log
Queries the OSLog framework for entries in the system log. The maximum number of rows returned is limited for performance reasons. Use `timestamp >` or `timestamp >=` constraints to optimize query performance.

This table introduces a new idiom for extracting sequential data in batches using multiple queries, ordered by timestamp. To trigger it, include the condition `timestamp > -1` and the table will handle pagination. Note that the saved pagination counter is incremented globally across all queries and across all table invocations within a single query. To avoid multiple table invocations within a query, use only `AND` and `=` constraints in the `WHERE` clause.
| Column | Type | Description |
|---|---|---|
| activity | bigint | the activity ID associated with the entry |
| category | text | the category of the os_log_t used |
| level | text | the severity level of the entry |
| max_rows | integer | the max number of rows returned (defaults to 100). Not returned in `SELECT * FROM unified_log`. |
| message | text | composed message |
| pid | bigint | the pid of the process that made the entry |
| predicate | text | predicate to search (see `log help predicates`); note that this is merged into the predicate created from the column constraints. Not returned in `SELECT * FROM unified_log`. |
| process | text | the name of the process that made the entry |
| sender | text | the name of the binary image that made the entry |
| storage | integer | the storage category for the entry |
| subsystem | text | the subsystem of the os_log_t used |
| tid | bigint | the tid of the thread that made the entry |
| timestamp | bigint | unix timestamp associated with the entry |
```sql
select * from unified_log where timestamp > -1 and timestamp > (select unix_time - 86400 from time)
```
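The following query is an added example, not one from the Fleet documentation. It combines the pagination idiom described above with the two hidden input columns, `max_rows` and `predicate`, which only take effect when given as `=` constraints and are not returned by `SELECT *`. The predicate string uses the macOS `log show` predicate syntax (`process == "..."`); the choice of `sudo` as the process and `500` as the batch size are assumptions for illustration. Because the pagination counter is global, a second scheduled query against `unified_log` would share the same cursor, so batch-collecting queries should be kept to one per host.

```sql
-- Added example (not from the Fleet docs): collect privilege-escalation audit
-- entries from the unified log in batches for a detection pipeline.
--
-- timestamp > -1        turns on the table's batch pagination
-- timestamp > (...)     bounds the first batch to the last hour (osquery `time` table)
-- max_rows = 500        raises the per-batch cap from the default of 100
-- predicate = '...'     merged into the predicate built from the column constraints;
--                       'process == "sudo"' is an assumed log-show predicate
SELECT
  timestamp,
  level,
  process,
  pid,
  subsystem,
  category,
  sender,
  message
FROM unified_log
WHERE timestamp > -1
  AND timestamp > (SELECT unix_time - 3600 FROM time)
  AND max_rows = 500
  AND predicate = 'process == "sudo"';
```

Only `AND` and `=` constraints are used for `max_rows` and `predicate`, as the table notes recommend, so the query results in a single table invocation and the pagination counter advances exactly once per run. Selecting named columns rather than `*` keeps the output aligned with what the table actually returns, since `max_rows` and `predicate` are never emitted.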