Hey all! is there a way to query logd with osquery? my use case is the following, I want to collect launchd logs from an endpoint and send it to a centralized log management server, however, I want to enrich the launchd events with the username, by using the UID in the launchd event. any thoughts around this? may be a far stretch

Maybe the

unified_log

table from the macadmins extension ? https://github.com/macadmins/osquery-extension

I don’t know if this would capture it, but there is a new

unified_log

table in osquery core now..

unified_log looks awesome! I think at that point I would just need to regex out my uid from the event message, let me see if sql lite supports that functionality

pretty sure it does (include regex)

yep! re: regex https://osquery.readthedocs.io/en/latest/introduction/sql/#string-functions

amazing.

@Brandon Mesa it should be in version 5.5.1, which is marked stable, and there are artifacts on github, but I think uploading those to the website is still pending (manual process)