Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello - Anyone know how can I retrieve history of the queries ran by a user via API. I can retrieve saved queries just fine from `/api/v1/fleet/queries` but when someone just runs a query and doesn't saves it.

Hi <@U04S1R47EER>! Recent versions of Fleet include this information in the <https://fleetdm.com/docs/using-fleet/rest-api#activities|activity feed>.

I'll update the exampke response in the docs.

This is what that looks like now:

```  {
            "created_at": "2023-03-02T20:29:18Z",
            "id": 6391,
            "actor_full_name": "r",
            "actor_id": 135,
            "actor_gravatar": "",
            "actor_email": "",
            "type": "live_query",
            "details": {
                "query_sql": "SELECT * FROM managed_policies;",
                "query_name": "Get macOS settings ",
                "targets_count": 35
            }
        },```

Thanks <@U02KY9FDA59> So I guess `"type": "live_query"`  will show a list of all the queries ran(without saving the query) by any user who has access to fleet

Every live query will generate one of the entries above.

Ok got it. So if I run api call today then I should be able to see a list of all queries executed by users from yesterday

I am trying to see how a security analyst can track activity of users running queries in fleet if the query is not saved

That would be the way to do it :slightly_smiling_face:

With Fleet Premium, you also have the option to set up a logging destination for audit logs:

<https://fleetdm.com/docs/using-fleet/audit-activities>

Sweet. We are currently running version 3.13.0 of fleet. Do you have recommendations on which version we should upgrade to?

I'm always going to recommend the most recent version, which is 4.28.0

Hi <@U02KY9FDA59> We are currently running Fleet 3.13.0 and I tried to query `"/api/v1/fleet/activities"`  and I am seeing *"404 page not found"* in return. Is it expected as we are on older version of Fleet and "`"/api/v1/fleet/activities"`"  was not supported on 3.13.0?

Yes, the activity feed was introduced in Fleet v 4.1.0

That makes sense <@U02KY9FDA59> Thanks for the verification.

No problem. If you would like to get Fleet up-to-date, the <https://fleetdm.com/releases|release articles> have a lot of great information about new and improved features. You're also welcome to ask if you have any questions :)

That sounds good. Will do that :slightly_smiling_face: