Does anyone know why the

shell_history

table only only returns logs for the root user?

is osqueryd is running as root?

@nick it’s because it gets the .bash_history of the current user unless told otherwise. Perhaps it wouldn’t hurt to make the user column to be required. The usual way to solve this situation is to select on user table and then join to shell_history on uid and you should get all users.

Great, thanks all 🙂 I'll take a look tomorrow!

@nick you probably want

SELECT * FROM users JOIN shell_history USING (uid);

This doesn't work, because my user isn't in the users table as it's an AD user.