Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
b
Brandon Mesa
09/16/2022, 3:09 PMHey all! is there a way to query logd with osquery? my use case is the following, I want to collect launchd logs from an endpoint and send it to a centralized log management server, however, I want to enrich the launchd events with the username, by using the UID in the launchd event. any thoughts around this? may be a far stretch
j
Jason
09/16/2022, 3:13 PMMaybe the
unified_logs
sharvil
09/16/2022, 3:13 PMI don’t know if this would capture it, but there is a new
unified_logAnd you can perhaps add decorators to enrich those queries
And yep! as @Jason mentions, there is that extension too which has
unified_logb
Brandon Mesa
09/16/2022, 3:19 PMunified_log looks awesome! I think at that point I would just need to regex out my uid from the event message, let me see if sql lite supports that functionality
j
Jason
09/16/2022, 3:20 PMpretty sure it does (include regex)
s
sharvil
09/16/2022, 3:21 PMb
Brandon Mesa
09/16/2022, 3:21 PMamazing.
@sharvil do we have a planned version release for the unified_log table?
s
sharvil
09/16/2022, 3:24 PM@Brandon Mesa it should be in version 5.5.1, which is marked stable, and there are artifacts on github, but I think uploading those to the website is still pending (manual process)