mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
4784217b57
Updating documentation of Fleetd tables as part of the oncall duty. Updating the json used by Fleet using the following command: ```sh cd website ./node_modules/sails/bin/sails.js run generate-merged-schema ``` Samples: ![Screenshot 2023-02-20 at 17 20 55](https://user-images.githubusercontent.com/2073526/220192112-69a116e4-badb-4328-92d3-9a2a6f8657fe.png) ![Screenshot 2023-02-20 at 17 21 09](https://user-images.githubusercontent.com/2073526/220192117-dfa06c69-2166-47d4-99c3-e108911e2084.png) @mikermcneil @eashaw: `generate-merged-schema` generates a different output every time it's executed. Guess: It seems it should sort the output lexicographically?
84 lines
3.3 KiB
YAML
name: macadmins_unified_log
notes: This table is not a core osquery table. It is included as part of [Fleetd](https://fleetdm.com/docs/using-fleet/orbit), the osquery manager from Fleet. Fleetd can be built with [fleetctl](https://fleetdm.com/docs/using-fleet/adding-hosts#osquery-installer).
description: Allows querying macOS [unified logs](https://developer.apple.com/documentation/os/logging).
platforms:
  - darwin
evented: false
examples: >-
  Select the log entries from the last minute that are related to `LaunchServices`. Convert the UNIX timestamp to a human-readable format, and join the `processes` and `signature` tables to verify the code signature of the process that emitted each entry.

  ```

  SELECT u.category, u.event_message, u.process_id, datetime(u.timestamp, 'unixepoch') AS human_time, p.path, s.signed, s.identifier, s.authority FROM macadmins_unified_log u JOIN processes p ON u.process_id = p.pid JOIN signature s ON p.path = s.path WHERE u.sender_image_path LIKE '%LaunchServices%' AND u.last = '1m';

  ```
columns:
  - name: trace_id
    description: The ID of a trace event.
    required: false
    type: string
  - name: event_type
    description: The type of event. This can be `logEvent`, `signpostEvent` or `stateEvent`.
    required: false
    type: string
  - name: format_string
    description: The format string used to convert variable content into a string for output.
    required: false
    type: string
  - name: activity_identifier
    description: The identifier of the log activity.
    required: false
    type: int
  - name: subsystem
    description: The subsystem responsible for this activity.
    required: false
    type: text
  - name: category
    description: The category of the log activity.
    required: false
    type: text
  - name: thread_id
    description: The ID of the thread that originated the event.
    required: false
    type: bigint
  - name: sender_image_uuid
    description: The UUID of the library, framework, kernel extension, or Mach-O image that originated the event.
    required: false
    type: string
  - name: sender_image_path
    description: The full path of the library, framework, kernel extension, or Mach-O image that originated the event.
    required: false
    type: string
  - name: boot_uuid
    description: The boot UUID of the event.
    required: false
    type: string
  - name: process_id
    description: Process ID of the process that generated this log item. It can be joined to other tables that carry a PID column, such as `processes`.
    required: false
    type: bigint
  - name: process_image_path
    description: The full path of the process that originated the event.
    required: false
    type: string
  - name: timestamp
    description: Timestamp in [UNIX time format](https://en.wikipedia.org/wiki/Unix_time).
    required: false
    type: bigint
  - name: event_message
    description: The message of the log entry.
    required: false
    type: string
  - name: sender_program_counter
    description: The program counter of the library, framework, kernel extension, or Mach-O image that originated the event.
    required: false
    type: uint
  - name: parent_activity_identifier
    description: ID of the parent activity.
    required: false
    type: uint
  - name: log_level
    description: The log level of this item, such as `default`, `info`, `fault`, etc.
    required: false
    type: text
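An added example query, written for this page and not part of the Fleet schema file above. It builds on the file's own example but avoids the `processes` join, which only resolves PIDs of processes that are still running when the query executes: short-lived processes that already exited would simply drop out of an inner join. Instead it resolves the code signature directly from the documented `process_image_path` column. It assumes the `last` time-window constraint that the file's example uses (it is not listed among the documented columns), the core osquery `signature` table, and that `log_level` carries the values `error` and `fault` as named in the column description.

```sql
-- Added example (not part of the Fleet schema file above).
-- Assumptions: the `last` constraint accepted by the page's own example,
-- and the core osquery `signature` table on macOS, which takes a path.
--
-- Surface error/fault entries from the last five minutes whose emitting
-- binary is unsigned (or whose path could not be checked at all), with one
-- row per process image and subsystem so a single noisy process does not
-- flood the result. `last_seen` and `sample_message` give the analyst a
-- starting point for pulling the full entries with a narrower window.
SELECT
  u.process_image_path,
  u.subsystem,
  u.log_level,
  COUNT(*)                                   AS entries,
  datetime(MAX(u.timestamp), 'unixepoch')    AS last_seen,
  MAX(u.event_message)                       AS sample_message,
  s.signed,
  s.identifier,
  s.authority
FROM macadmins_unified_log u
-- LEFT JOIN keeps entries whose image path is empty or not on disk any more;
-- those show up with NULL signature columns and are flagged below.
LEFT JOIN signature s ON s.path = u.process_image_path
WHERE u.last = '5m'
  AND u.log_level IN ('error', 'fault')
  AND (s.signed IS NULL OR s.signed = 0)
GROUP BY
  u.process_image_path, u.subsystem, u.log_level,
  s.signed, s.identifier, s.authority
ORDER BY entries DESC;
```

The `signed IS NULL` branch is deliberate: an entry whose `process_image_path` no longer resolves to a file (a deleted or temporary binary) is at least as interesting as an unsigned one, so it is kept rather than filtered out. Keep the window short; the unified log is large and every run shells out to the system log store, so a wide `last` value on many hosts is a real cost.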