HI All there is a way query to know user last logon logout i

Question

HI All there is a way query to know user last logon logout in a few words I want to run a query through the gui where I see the last time the pc was online and the last time the pc went offline to track pc on and off times

Jason · Answer

There is the `last` table which shows login information but not logout there is also the `uptime` table that may useful for you

Ibra · Answer

thanks < Jason> i have found the uptime table but i can t find last table

Guillaume · Answer

Are we talking about Windows specifically

Ibra · Answer

yes

Guillaume · Answer

If so you could use the event log table with eventIDs 6005 6006 6013 6005 = event log starts boot 6006 = event log stops shutdown 6013 is regular logging of uptime

Ibra · Answer

okay I point out that I turned on a pc a little while ago as last fetched it shows 2 minutes ago however as uptine it still detects 2 days ago and not the last on 2 minutes ago is this normal

Ibra · Answer

< Guillaume> I m doing the queries on the db where fleet is installed and not on osquery installed on the endpoints but I can t find the tables you mentioned

Jason · Answer

Ah That s not quite how it all works

Guillaume · Answer

you are not querying through the Fleet interface

Guillaume · Answer

the Fleet DB contains some information about hosts which is updated roughly hourly when hosts are online

Ibra · Answer

no through mysql query on fleet db

Guillaume · Answer

ok so the hosts page contains last restarted that should get updated within an hour or so or you can click refresh on the host page