Unified Log Filtering

The Unified Logging system available in macOS 10.12 or later provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.

You can use the example Unified Logging filters to capture data generated by Jamf Connect for discovery or troubleshooting purposes.

With solutions like Jamf Protect, you can use the same predicate-based filter criteria that are often used with the log command to collect relevant log entries from computers and send them to a security information and event management (SIEM) solution or a third party storage solution (e.g., AWS).

Unified Log Filters

This repository contains example predicate filters that can be used to stream telemetry on a variety of events across macOS. Filters are available for macOS users, system and network activity, and third-party applications including Jamf Connect and Jamf Pro.

Implementing Unified Log Filters in Jamf Protect from this repository

If you use Jamf Protect or another tool that can stream Unified Log data to a remote endpoint, see the Jamf Protect GitHub repository for more examples that can be used to stream user or device information.

Enabling Private Data from the Unified Log

By default, the Unified Log redacts information that is considered sensitive, such as computer or user identifiers. In some cases, such as when the computer is institutionally owned and managed, there may be a need to see that information; private data logging can therefore be enabled via a configuration profile. See the Unified Logs: How to Enable Private Data blog post from Jamf to learn more.

Redacted data in Unified Log output on macOS can be identified by the placeholder <private> in the returned log entry. For example, a Unified Log entry for a user password change looks like the following:

Password changed for <private>

The same string returned on a device with private data logging enabled would be:

Password changed for <your-username>
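The following script is an added example and is not part of this repository or of Jamf's tooling. It shows the two ideas above together: building a predicate-based `log show` / `log stream` command whose ndjson output can be parsed or forwarded, and checking the parsed entries for the <private> placeholder so an administrator can confirm whether the private data configuration profile is in effect. The predicate is built from the "Password changed" message shape shown in the README; the subsystem, category and process names in the embedded sample are constructed placeholders, not verified values, and the `--style ndjson` option of the `log` command is assumed to be available on the macOS version in use.

```python
"""Filter macOS Unified Log output with a predicate and report redacted fields.

Added example, not repository code. Assumes `log show --style ndjson` emits
one JSON object per line with keys such as eventMessage, subsystem, category
and processImagePath. Sample data below is constructed for offline runs.
"""
import json
import platform
import subprocess

REDACTED = "<private>"

# NSPredicate-style expression matching the message shape shown in the README.
PASSWORD_CHANGE_PREDICATE = 'eventMessage CONTAINS "Password changed"'


def build_log_command(predicate, last="1h", stream=False):
    """Build the argv for `log show` (default) or `log stream` with a predicate.

    ndjson output (one JSON object per line) is the easiest form to parse
    locally or forward line by line to a SIEM.
    """
    cmd = ["log", "stream" if stream else "show",
           "--predicate", predicate, "--style", "ndjson"]
    if not stream:
        cmd += ["--last", last]  # `log stream` has no time window
    return cmd


def parse_ndjson(text):
    """Parse ndjson text into dicts, skipping blank or non-JSON lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate any non-JSON header/footer lines
    return entries


def redaction_report(entries):
    """Count entries whose message still carries the <private> placeholder.

    A high redacted count on a managed Mac means the private data
    configuration profile described in the README is not (yet) applied.
    """
    redacted = [e for e in entries if REDACTED in e.get("eventMessage", "")]
    return {
        "total": len(entries),
        "redacted": len(redacted),
        "clear": len(entries) - len(redacted),
        "redacted_subsystems": sorted({e.get("subsystem", "") for e in redacted}),
    }


# Constructed sample in the shape of `log show --style ndjson` output.
# Subsystem, category, path and user values are placeholders.
SAMPLE_NDJSON = "\n".join([
    '{"timestamp":"2024-01-01 09:00:00.000000+0000","subsystem":"com.example.auth",'
    '"category":"login","processImagePath":"/usr/libexec/example",'
    '"eventMessage":"Password changed for <private>"}',
    '{"timestamp":"2024-01-01 09:00:01.000000+0000","subsystem":"com.example.auth",'
    '"category":"login","processImagePath":"/usr/libexec/example",'
    '"eventMessage":"Password changed for jdoe"}',
    '{"timestamp":"2024-01-01 09:00:02.000000+0000","subsystem":"com.example.net",'
    '"category":"dns","processImagePath":"/usr/libexec/other",'
    '"eventMessage":"Resolved <private> to <private>"}',
])


def run_report(predicate=PASSWORD_CHANGE_PREDICATE, last="1h"):
    """Run `log show` on macOS; elsewhere fall back to the constructed sample."""
    if platform.system() == "Darwin":
        result = subprocess.run(build_log_command(predicate, last),
                                capture_output=True, text=True, check=False)
        text = result.stdout
    else:
        text = SAMPLE_NDJSON
    return redaction_report(parse_ndjson(text))


if __name__ == "__main__":
    print(" ".join(build_log_command(PASSWORD_CHANGE_PREDICATE)))
    print(run_report())
```

On a Mac the script runs the real `log show` for the last hour and reports how many matching entries are still redacted; on any other system it parses the constructed sample so the parsing and reporting logic can be checked without the `log` command. The same `redaction_report` check is useful after deploying the private data profile, since a count of zero redacted entries confirms the profile took effect for the subsystems you are collecting.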

Disclaimer: All resources contained in this repository are provided as-is and are not officially supported by Jamf Support.