Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

image.png

Hi, I encountered a strange bug - "echo" command is not logged by "process_events" Linux table. Why may it happen?

`echo` is usually a shell built-in command

Thanks for the answer, is there a way to have it logged (maybe using another table or by looking into different processes)?

for shell builtin commands, there is no separate process, it's the shell that's "executing" it directly, perhaps try searching for your shell in the process_events table?

Thanks for your help! :slightly_smiling_face: