name: macadmins_unified_log
notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).
platforms: 
  - darwin
evented: false
examples: >-
  Select the log entries that happened during the last minute and are related to `LaunchServices`. Convert the UNIX time to a human readable format,  and the signature table to verify its cryptographic signature.

  ```
  
  SELECT u.category, u.event_message, u.process_id, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM macadmins_unified_log u JOIN processes p ON u.process_id = p.pid JOIN signature s ON p.path = s.path WHERE u.sender_image_path LIKE '%LaunchServices%' AND last = "1m";
  
  ```
columns:
  - name: trace_id
    description: The ID of a trace event
    required: false
    type: string
  - name: event_type
    description: The type of event, this can be logEvent, signpostEvent or stateEvent.
    required: false
    type: string
  - name: format_string
    description: The format string used to convert variable content into a string for output.
    required: false
    type: string
  - name: activity_identifier
    description: The identifier of the log activity.
    required: false
    type: int
  - name: subsystem
    description: The subsystem responsible for this activity.
    required: false
    type: text
  - name: category
    description: The category of the log activity.
    required: false
    type: text
  - name: thread_id
    description: The ID of the thread that originated the event.
    required: false
    type: bigint
  - name: sender_image_uuid
    description: The UUID of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: string
  - name: sender_image_path
    description: The full path of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: string
  - name: boot_uuid
    description: The boot UUID of the event.
    required: false
    type: string
  - name: process_id
    description: Process ID of the process that generated this log item, which can be joined to multiple other tables including a *PID*.
    required: false
    type: bigint
  - name: process_image_path
    description: The full path of the process that originated the event.
    required: false
    type: string
  - name: timestamp
    description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).
    required: false
    type: bigint
  - name: event_message
    description: The message of the log entry.
    required: false
    type: string
  - name: sender_program_counter
    description: The program counter of the library, framework, kernel extension, or mach-o image, that originated the event.
    required: false
    type: uint
  - name: parent_activity_identifier
    description: ID of the parent activity
    required: false
    type: uint
  - name: log_level
    description: The log level of this item, such as `default`, `info`, `fault`, etc.
    required: false
    type: text