Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jean M
09/10/2021, 5:16 PMHi, previously it was possible to have server logs of user actions in the UI (login, making query, changing packs, etc.), these were shown in Fleet service stdout. For example:
{
"component": "service",
"err": null,
"method": "NewQuery",
"name": "hvhgvghvgh",
"sql": "SELECT * FROM osquery_info",
"took": "4.327208ms",
"ts": "2020-02-05T15:19:07.729088806Z",
"user": "jean"
}t
Tomas Touceda
09/10/2021, 5:19 PMhi! we did change how we are handling logging, but the change is intended to be backwards compatible. What version of fleet are you running?
well, not 100% backwards compatible, since we are logging most things with component=http now
but you shouldn't lose any information
j
Jean M
09/10/2021, 5:26 PMmmh, is there any configuration required?
I’m using logging: debug:true and cannot find “NewQuery”-like message in the logs =/
I’m running with fleet 4.2.4
previously I was using a v3
I guess you mean the code that was in, for example, https://github.com/fleetdm/fleet/blob/3.13.0/server/service/logging_queries.go was replaced
t
Tomas Touceda
09/10/2021, 5:37 PMif you're looking for "NewQuery", yes, that is not there anymore. We are logging the endpoint called along with the metadata
j
Jean M
09/10/2021, 6:31 PMyou mean something like this?
{
"hostIdentifier": "xxx",
"calendarTime": "Mon Sep 6 16:29:23 2021 UTC",
"unixTime": "1630945763",
"severity": "0",
"filename": "distributed.cpp",
"line": "121",
"message": "Executing distributed query: fleet_distributed_query_1990: SELECT * FROM socket_events WHERE remote_address = \"1.1.1.1\";",
"version": "4.7.0",
decorators...t
Tomas Touceda
09/10/2021, 6:33 PMthat looks like a osquery log, the log you mentioned above and the ones I was mentioning changed are fleet serve logs
j
Jean M
09/10/2021, 6:40 PMoh found it… 😅 ! many thanks, I just have to account the small change
{
"component": "http",
"level": "info",
"method": "POST",
"numHosts": 1,
"query_id": null,
"sql": "SELECT * FROM osquery_info",
"took": "43.706372ms",
"ts": "2021-09-10T18:35:42.909882382Z",
"uri": "/api/v1/fleet/queries/run",
"user": "jean"
}👍 2