Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
Deepak
05/25/2021, 5:58 PMHi there, Is there anyway to enhance details in any _events tables? For instance, I configured user events collection and created a test user. the entries in the table were only
| 0 | 0 | 15161 | op=add-group | 1116 | /usr/sbin/useradd | ? | pts/3 | 1621952044 | 12789 |
| 0 | 0 | 15161 | op=add-user | 1114 | /usr/sbin/useradd | ? | pts/3 | 1621952044 | 12789 |
However, if I collect events via osquery daemon, th eentries were quite rich in var/log/osquery/osqueryd.results.log
{“name”:“pack_fim-monitoring_file_events”,“hostIdentifier”:“uk-9750-000c29e2a944",“calendarTime”:“Tue May 25 13:33:30 2021 UTC”,“unixTime”:1621949610,“epoch”:0,“counter”:0,“numerics”:false,“decorations”:{“host_uuid”:“3B004D56-9286-0147-0C53-F51415E2A944”,“username”:“saadmin”},“columns”:{“action”:“CREATED”,“atime”:“1621949430",“category”:“home”,“ctime”:“1621949430",“gid”:“1012",“hashed”:“1",“inode”:“296",“md5”:“620f0b67a91f7f74151bc5be745b7110",“mode”:“0700",“mtime”:“1621949430",“sha1”:“1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d”,“sha256”:“ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",“size”:“4096",“target_path”:“/home/saadmin”,“time”:“1621949430",“transaction_id”:“0",“uid”:“1012"},“action”:“added”}
t
theopolis
05/30/2021, 3:04 AMHi Deepak, can you elaborate a little bit more on your goal?
You would like to see the same data in the osquery shell as you are seeing in the daemon's logs?