Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
i
Ibra
08/18/2022, 12:57 PMHI All,
there is a way/query to know user last logon/logout?
in a few words I want to run a query through the gui, where I see the last time the pc was online and the last time the pc went offline to track pc on and off times
j
Jason
08/18/2022, 1:50 PMThere is the
lastuptimei
Ibra
08/18/2022, 1:53 PMthanks @Jason i have found the uptime table but i can't find last table
g
Guillaume
08/18/2022, 2:00 PMAre we talking about Windows specifically?
i
Ibra
08/18/2022, 2:00 PMyes
g
Guillaume
08/18/2022, 2:01 PMIf so you could use the event log table with eventIDs 6005, 6006, 6013. 6005 = event log starts (boot), 6006 = event log stops (shutdown), 6013 is regular logging of uptime
i
Ibra
08/18/2022, 2:05 PMokay, I point out that I turned on a pc a little while ago, as last fetched it shows 2 minutes ago, however as uptine it still detects 2 days ago and not the last on 2 minutes ago, is this normal?
@Guillaume I'm doing the queries on the db where fleet is installed and not on osquery installed on the endpoints, but I can't find the tables you mentioned
j
Jason
08/18/2022, 2:09 PMAh. That's not quite how it all works
g
Guillaume
08/18/2022, 2:11 PMyou are not querying through the Fleet interface?
the Fleet DB contains some information about hosts, which is updated roughly hourly when hosts are online
i
Ibra
08/18/2022, 2:11 PMno through mysql query on fleet db
g
Guillaume
08/18/2022, 2:12 PMok so the hosts page contains “last restarted” - that should get updated within an hour or so, or you can click refresh on the host page