mirror of
https://github.com/valitydev/osquery-1.git
synced 2024-11-06 17:45:22 +00:00
25 lines
1.6 KiB
Plaintext
25 lines
1.6 KiB
Plaintext
table_name("asl")
|
|
description("Queries the Apple System Log data structure for system events.")
|
|
|
|
# Columns pulled from asl.h
|
|
# Descriptions mostly as retrieved from asl.h, some with clarifications
|
|
schema([
|
|
Column("time", INTEGER, "Unix timestamp. Set automatically", additional=True),
|
|
Column("time_nano_sec", INTEGER, "Nanosecond time.", additional=True),
|
|
Column("host", TEXT, "Sender's address (set by the server).", additional=True),
|
|
Column("sender", TEXT, "Sender's identification string. Default is process name.", additional=True),
|
|
Column("facility", TEXT, "Sender's facility. Default is 'user'.", additional=True),
|
|
Column("pid", INTEGER, "Sending process ID encoded as a string. Set automatically.", additional=True),
|
|
# UID and GID of 4294967294 have been encountered
|
|
Column("gid", BIGINT, "GID that sent the log message (set by the server).", additional=True),
|
|
Column("uid", BIGINT, "UID that sent the log message (set by the server).", additional=True),
|
|
Column("level", INTEGER, "Log level number. See levels in asl.h.", additional=True),
|
|
Column("message", TEXT, "Message text.", additional=True),
|
|
Column("ref_pid", INTEGER, "Reference PID for messages proxied by launchd", additional=True),
|
|
Column("ref_proc", TEXT, "Reference process for messages proxied by launchd", additional=True),
|
|
# Gather anything extra into the "extra" column
|
|
Column("extra", TEXT, "Extra columns, in JSON format. Queries against this column are performed entirely in SQLite, so do not benefit from efficient querying via asl.h."),
|
|
])
|
|
|
|
implementation("asl@genAsl")
|