Hi there, Is there anyway to enhance details in any _events tables? For instance, I configured user events collection and created a test user. the entries in the table were only | 0 | 0 | 15161 | op=add-group | 1116 | /usr/sbin/useradd | ? | pts/3 | 1621952044 | 12789 | | 0 | 0 | 15161 | op=add-user | 1114 | /usr/sbin/useradd | ? | pts/3 | 1621952044 | 12789 | However, if I collect events via osquery daemon, th eentries were quite rich in var/log/osquery/osqueryd.results.log {“name”“pack fim monitoring file events”,“hostIdentifier”“uk-9750-000c29e2a944",“calendarTime”:“Tue May 25 133330 2021 UTC”,“unixTime”1621949610,“epoch”0,“counter”0,“numerics”false,“decorations”{“host uuid”“3B004D56-9286-0147-0C53-F51415E2A944”,“username”“saadmin”},“columns”{“action”“CREATED”,“atime”“1621949430",“category”“home”,“ctime”“1621949430",“gid”:“1012",“hashed”:“1",“inode”:“296",“md5”:“620f0b67a91f7f74151bc5be745b7110",“mode”:“0700",“mtime”:“1621949430",“sha1”“1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d”,“sha256”“ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7",“size”:“4096",“target_path”“/home/saadmin”,“time”“1621949430",“transaction_id”:“0",“uid”:“1012"},“action”:“added”}

Hi Deepak, can you elaborate a little bit more on your goal? You would like to see the same data in the osquery shell as you are seeing in the daemon's logs?