# kolide
t
Specifically, right now we are trying to audit queries run from the management UI or fleetctl. I see logging for the queries themselves, but these logs don't contain the user who initiated the query. Is that possible to add?
z
Usernames are logged for live queries in Fleet 2.5.0+. Example:
level=info ts=2020-05-29T20:44:18.498455Z component=service method=NewDistributedQueryCampaign err=null user=admin sql="SELECT * FROM foobar" numHosts=8 took=46.944228ms
t
Ooooo. Shiny. Seems like this may have been a configuration issue on our end then. Thanks for the tip Zach.
z
Very shiny. Thanks to @TheHellaJeff for putting in that one 🙂
v
Is this in the status.log, right?
z
This is in the Fleet server log.
v
Yes, I mean the status log file on the Fleet server.
s
FWIW, these are also recorded in the `queries` table in the database in versions previous to 2.5.0 if you need to pull that info