#general

nick

01/31/2019, 9:59 AM
Does anyone know why the shell_history table only returns logs for the root user?

blaedj

01/31/2019, 1:56 PM
Is osqueryd running as root?

8p8c

01/31/2019, 4:15 PM
@nick it’s because it gets the .bash_history of the current user unless told otherwise. Perhaps it wouldn’t hurt to make the user column required. The usual way to solve this situation is to select on the user table and then join to shell_history on uid, and you should get all users.

nick

01/31/2019, 6:10 PM
Great, thanks all 🙂 I'll take a look tomorrow!

clong

01/31/2019, 8:43 PM
@nick you probably want
SELECT * FROM users JOIN shell_history USING (uid);

nick

02/01/2019, 8:24 AM
This doesn't work, because my user isn't in the users table as it's an AD user.