
tory

05/29/2020, 7:53 PM
Specifically, right now we are trying to audit queries run from the management UI or fleetctl. I see logging for the queries themselves, but these logs don't contain the user who initiated the query. Is that possible to add?

zwass

05/29/2020, 8:45 PM
Usernames are logged for live queries in Fleet 2.5.0+. Example:
level=info ts=2020-05-29T20:44:18.498455Z component=service method=NewDistributedQueryCampaign err=null user=admin sql="SELECT * FROM foobar" numHosts=8 took=46.944228ms

tory

05/29/2020, 9:17 PM
Ooooo. Shiny. Seems like this may have been a configuration issue on our end then. Thanks for the tip Zach.

zwass

05/29/2020, 9:21 PM
Very shiny. Thanks to @TheHellaJeff for putting in that one 🙂

vaar

05/29/2020, 9:23 PM
This is in the status.log, right?

zwass

05/29/2020, 9:24 PM
This is in the Fleet server log.

vaar

05/29/2020, 9:31 PM
Yes, I mean the status log file on the Fleet server.

sundsta

05/29/2020, 9:56 PM
FWIW, these are also recorded in the queries table in the database in versions previous to 2.5.0, if you need to pull that info.