Hi, previously it was possible to have server logs of user actions in the UI (login, making query, changing packs, etc.), these were shown in Fleet service stdout. For example:

{
  "component": "service",
  "err": null,
  "method": "NewQuery",
  "name": "hvhgvghvgh",
  "sql": "SELECT * FROM osquery_info",
  "took": "4.327208ms",
  "ts": "2020-02-05T15:19:07.729088806Z",
  "user": "jean"
}

However, I cannot see them anymore, did something changed in more recent versions? 🙄 or maybe I’m missing some configuration…

hi! we did change how we are handling logging, but the change is intended to be backwards compatible. What version of fleet are you running?

mmh, is there any configuration required?

if you're looking for "NewQuery", yes, that is not there anymore. We are logging the endpoint called along with the metadata

you mean something like this?

{
    "hostIdentifier": "xxx",
    "calendarTime": "Mon Sep  6 16:29:23 2021 UTC",
    "unixTime": "1630945763",
    "severity": "0",
    "filename": "distributed.cpp",
    "line": "121",
    "message": "Executing distributed query: fleet_distributed_query_1990: SELECT * FROM socket_events WHERE remote_address = \"1.1.1.1\";",
    "version": "4.7.0",
decorators...

that looks like a osquery log, the log you mentioned above and the ones I was mentioning changed are fleet serve logs

oh found it… 😅 ! many thanks, I just have to account the small change

{
  "component": "http",
  "level": "info",
  "method": "POST",
  "numHosts": 1,
  "query_id": null,
  "sql": "SELECT * FROM osquery_info",
  "took": "43.706372ms",
  "ts": "2021-09-10T18:35:42.909882382Z",
  "uri": "/api/v1/fleet/queries/run",
  "user": "jean"
}