fleet/schema/tables/macadmins_unified_log.yml

name: macadmins_unified_log
notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).
platforms: 
  - darwin
evented: false
examples: >-
  Select the log entries that happened during the last minute and are related to `LaunchServices`. Convert the UNIX time to a human readable format,  and the signature table to verify its cryptographic signature.

  ```
  
  SELECT u.category, u.event_message, u.process_id, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM macadmins_unified_log u JOIN processes p ON u.process_id = p.pid JOIN signature s ON p.path = s.path WHERE u.sender_image_path LIKE '%LaunchServices%' AND last = "1m";
  
  ```
columns:
  - name: trace_id
    description: The ID of a trace event
    required: false
    type: text
  - name: event_type
    description: The type of event, this can be logEvent, signpostEvent or stateEvent.
    required: false
    type: text
  - name: format_string
    description: The format string used to convert variable content into a string for output.
    required: false
    type: text
  - name: activity_identifier
    description: The identifier of the log activity.
    required: false
    type: int
  - name: subsystem
    description: The subsystem responsible for this activity.
    required: false
    type: text
  - name: category
    description: The category of the log activity.
    required: false
    type: text
  - name: thread_id
    description: The ID of the thread that originated the event.
    required: false
    type: bigint
  - name: sender_image_uuid
    description: The UUID of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: text
  - name: sender_image_path
    description: The full path of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: text
  - name: boot_uuid
    description: The boot UUID of the event.
    required: false
    type: text
  - name: process_id
    description: Process ID of the process that generated this log item, which can be joined to multiple other tables including a *PID*.
    required: false
    type: bigint
  - name: process_image_path
    description: The full path of the process that originated the event.
    required: false
    type: text
  - name: timestamp
    description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).
    required: false
    type: bigint
  - name: event_message
    description: The message of the log entry.
    required: false
    type: text
  - name: sender_program_counter
    description: The program counter of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: uint
  - name: parent_activity_identifier
    description: ID of the parent activity
    required: false
    type: uint
  - name: log_level
    description: The log level of this item, such as `default`, `info`, `fault`, etc.
    required: false
    type: text
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`name: macadmins_unified_log`
Add documentation for missing fleetd tables and regenerate JSON (#9960) Updating documentation of Fleetd tables as part of the oncall duty. Updating the json used by Fleet using the following command: ```sh cd website ./node_modules/sails/bin/sails.js run generate-merged-schema ``` Samples: ![Screenshot 2023-02-20 at 17 20 55](https://user-images.githubusercontent.com/2073526/220192112-69a116e4-badb-4328-92d3-9a2a6f8657fe.png) ![Screenshot 2023-02-20 at 17 21 09](https://user-images.githubusercontent.com/2073526/220192117-dfa06c69-2166-47d4-99c3-e108911e2084.png) @mikermcneil @eashaw: `generate-merged-schema` generates a different output every time it's executed. Guess: It seems it should sort the output lexicograhically? 2023-02-22 19:05:36 +00:00			`notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).`
Update YAML schema table validation (#9302) Changes: - Added three errors to `website/api/helpers/get-extended-osquery-schema.js` that are thrown if a YAML schema table has: - A `platforms` value that is not an array - A `description` value that is not a string - A `columns` value that is not an array - Updated the `platforms` of YAML schema tables in `schema/tables/` that had string `platforms` values - Regenerated `/schema/osquery_fleet_schema.json` . 2023-01-13 16:16:36 +00:00			`platforms:`
			`- darwin`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`evented: false`
			`examples: >-`
			Select the log entries that happened during the last minute and are related to `LaunchServices`. Convert the UNIX time to a human readable format, and the signature table to verify its cryptographic signature.

			```

			`SELECT u.category, u.event_message, u.process_id, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM macadmins_unified_log u JOIN processes p ON u.process_id = p.pid JOIN signature s ON p.path = s.path WHERE u.sender_image_path LIKE '%LaunchServices%' AND last = "1m";`

			```
			`columns:`
			`- name: trace_id`
			`description: The ID of a trace event`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: event_type`
			`description: The type of event, this can be logEvent, signpostEvent or stateEvent.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: format_string`
			`description: The format string used to convert variable content into a string for output.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: activity_identifier`
			`description: The identifier of the log activity.`
			`required: false`
			`type: int`
			`- name: subsystem`
			`description: The subsystem responsible for this activity.`
			`required: false`
			`type: text`
			`- name: category`
			`description: The category of the log activity.`
			`required: false`
			`type: text`
			`- name: thread_id`
			`description: The ID of the thread that originated the event.`
			`required: false`
			`type: bigint`
			`- name: sender_image_uuid`
			`description: The UUID of the library, framework, kernel extension, or mach-o image, that originated the event.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: sender_image_path`
			`description: The full path of the library, framework, kernel extension, or mach-o image, that originated the event.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: boot_uuid`
			`description: The boot UUID of the event.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: process_id`
			`description: Process ID of the process that generated this log item, which can be joined to multiple other tables including a PID.`
			`required: false`
			`type: bigint`
			`- name: process_image_path`
			`description: The full path of the process that originated the event.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: timestamp`
			`description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).`
			`required: false`
			`type: bigint`
			`- name: event_message`
			`description: The message of the log entry.`
			`required: false`
Update Fleet schema overrides (string » text) & regenerate `osquery_fleet_schema.json` (#17884) Changes: - Updated the type of all override columns with `type:string` to `type:text` - Regenerated `osquery_fleet_schema.json` 2024-03-27 13:17:28 +00:00			`type: text`
fix conflicts in docs about unified_logs vs macadmins_unified_logs (#9214) As raised by a community member in [Slack](https://osquery.slack.com/archives/C01DXJL16D8/p1672751794862639), this updates our documentation to account for both `unified_log` and `macadmins_unified_log`. Per my testing, it should also help with the #9158 bug in Fleet's UI. I have updated the columns of `macadmins_unified_log` according to what's in the [source code](https://github.com/macadmins/osquery-extension/blob/50f94d0d7001c048e0a5564911e46d1952420a80/tables/unifiedlog/unified_log.go#L47-L69), and modified the example to work. Since I was there I have also updated the osquery version we use to pull the JSON to `5.6.0` and fixed a small bug related to the examples we pull from there. . . . . . . . Co-authored-by: Mike McNeil <mikermcneil@users.noreply.github.com> 2023-01-10 23:45:53 +00:00			`- name: sender_program_counter`
			`description: The program counter of the library, framework, kernel extension, or mach-o image, that originated the event.`
			`required: false`
			`type: uint`
			`- name: parent_activity_identifier`
			`description: ID of the parent activity`
			`required: false`
			`type: uint`
			`- name: log_level`
			description: The log level of this item, such as `default`, `info`, `fault`, etc.
			`required: false`
			`type: text`