FleetDM
Collect activity audit logs from your Fleet instance to monitor device management actions, software installs, and administrative changes.
Ingest Methods
RunReveal offers the following ways to ingest FleetDM logs:
API Polling
RunReveal polls the Fleet activities API (GET /api/v1/fleet/activities) every 5 minutes using a Fleet API token. On the first poll, RunReveal backfills the last 24 hours of activity; subsequent polls fetch only new events.
To connect Fleet you need two things: your Fleet URL and a Fleet API token.
Step 1: Get a Fleet API token
Use an API-only user for this integration. A regular Fleet user's API token expires frequently for security reasons, which will silently stop log collection. An API-only user's token does not expire.
Create an API-only user and copy its token using either the Fleet UI or fleetctl:
Fleet UI
- In Fleet, go to Settings → Users
- Click Create user
- Select the API-only user option and give it a name (e.g. RunReveal)
- The user only needs read access to activities — the default Observer role is sufficient
- Create the user, then copy the generated API token (it is shown only once)
fleetctl (requires admin)
Press any key when prompted to reveal the token, then copy it. You can retrieve the token again later via the login API.
If your Fleet users sign in with SSO or MFA, you can alternatively retrieve a token from My account → Get API token (/profile) in the Fleet UI. Note that this token still expires; the API-only user above is recommended for long-lived integrations.
Step 2: Add the source in RunReveal
- Go to Sources in RunReveal
- Click the FleetDM source tile
- Give it a Source Name
- Enter your Fleet URL — the base URL of your Fleet instance (self-hosted or managed cloud), e.g. https://your-fleet-instance.com
- Paste the API Token from Step 1
- Click Connect Source
RunReveal polls the Fleet API every 5 minutes. Historical logs from the last 24 hours are backfilled on first sync.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: fleetdm_logs (44 columns)

| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| activityId | String |
| activityType | String |
| createdAt | String |
| actorFullName | String |
| actorId | String |
| actorEmail | String |
| fleetInitiated | Bool |
| details | String |
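As an added example (not RunReveal's own poller), the poll-and-normalize behaviour described under API Polling carried through on a constructed Fleet activities response: the first run keeps only the trailing 24 hours, later runs use the highest activity id already ingested as a cursor, and each activity is mapped onto the activity-specific columns of the fleetdm_logs table above. The JSON field names of a Fleet activity and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample of a Fleet activities API response. The activity field
# names (id, created_at, actor_*, type, details, fleet_initiated) are assumed
# from Fleet's API; this is an added example, not RunReveal's poller.
SAMPLE_RESPONSE = json.dumps({"activities": [
    {"id": 102, "created_at": "2024-05-01T12:04:00Z", "actor_full_name": "Ada Admin",
     "actor_id": 7, "actor_email": "ada@example.com", "type": "installed_software",
     "fleet_initiated": False, "details": {"host_id": 3, "software_title": "Zoom"}},
    {"id": 101, "created_at": "2024-05-01T11:58:00Z", "actor_full_name": None,
     "actor_id": None, "actor_email": None, "type": "ran_script",
     "fleet_initiated": True, "details": {"host_id": 3, "script_name": "cleanup.sh"}},
    {"id": 90, "created_at": "2024-04-29T09:00:00Z", "actor_full_name": "Ada Admin",
     "actor_id": 7, "actor_email": "ada@example.com", "type": "created_user",
     "fleet_initiated": False, "details": {"user_email": "bob@example.com"}},
]})
NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # constructed "current" time

def parse_ts(value):
    """Fleet timestamps are RFC 3339 with a trailing Z; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(activity):
    """Map one Fleet activity onto the fleetdm_logs column names from the schema."""
    return {
        "activityId": str(activity["id"]),
        "activityType": activity["type"],
        "createdAt": activity["created_at"],
        "actorFullName": activity.get("actor_full_name") or "",
        "actorId": "" if activity.get("actor_id") is None else str(activity["actor_id"]),
        "actorEmail": activity.get("actor_email") or "",
        "fleetInitiated": bool(activity.get("fleet_initiated", False)),
        "details": json.dumps(activity.get("details") or {}, sort_keys=True),
        "rawLog": json.dumps(activity, sort_keys=True),
    }

def poll(response_body, cursor, now=NOW):
    """One poll cycle. cursor is the highest activity id already ingested; None
    means first run, which backfills only the trailing 24 hours."""
    activities = json.loads(response_body)["activities"]
    if cursor is None:
        floor = now - timedelta(hours=24)
        fresh = [a for a in activities if parse_ts(a["created_at"]) >= floor]
    else:
        fresh = [a for a in activities if a["id"] > cursor]
    rows = [normalize(a) for a in sorted(fresh, key=lambda a: a["id"])]
    return rows, max((a["id"] for a in fresh), default=cursor)
```

Fleet-initiated activities carry no actor, so the actor columns land empty rather than failing normalization, and a second poll with an unchanged response ingests nothing.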