Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Where would I find the logs for fleet logins, user creation, query creation, execution, etc? (to forward to a SIEM)

Hi, <@U02NCP0SC7M>! The `/activities` endpoint in the <https://fleetdm.com/docs/using-fleet/rest-api#activities|REST API> has information on actions taken on packs, policies and queries. You may need to go to the Fleet server's logs (how to get to those will depend a bit on your setup). I'm checking to see if there are alternatives for that and will get back to you with any updates.

Thanks so much!
Where would the fleet servers logs get written to?

Apparently you're thinking along the same lines as <@U4MF4P00M>. He just created a ticket for <https://github.com/fleetdm/fleet/issues/6610|adding an admin data stream> with user actions. How the logs are handled depends on your environment. How do you have Fleet deployed?

In that case, you can <https://docs.docker.com/config/containers/logging/configure/|configure the container> to manage the logs in whatever way works best for you!

Yes but those logs are super verbose. I really like the idea from above, so Ill keep an eye on that.

Yeah, there's definitely a lot of information coming through the pipeline. I'll make a note to follow up with you if/when we get a timeline on that feature request.