According to Apple, "The unified logging system is available in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later. This system supersedes the Apple System Logger (ASL) and Syslog APIs."
The AUL lives in the following location(s) (on macOS /var is a symlink to /private/var, so these are the same directory):
- /private/var/db/diagnostics/
- /var/db/diagnostics/
And the support files (the per-binary format strings and shared-cache strings that the log entries reference) are in:
- /var/db/uuidtext
The logs are stored as .tracev3 files (under the Persist/, Special/, Signpost/ and HighVolume/ subdirectories of diagnostics/) plus the timesync/ records that map their boot-relative timestamps to wall-clock time; both, together with uuidtext, are needed to reconstruct readable log entries.
You can create a .logarchive bundle of the logs on a live system with:
sudo log collect
Run it as root so the system logs are included, use the --output parameter to specify the output location, and --last (e.g., --last 3h) to bound how far back the archive reaches. The log show command can then be pointed at the *.logarchive file (log show host.logarchive --predicate '...'), with --start/--end or --last to narrow the time window and --info / --debug to include entries at those levels, which are left out by default.
Stream live logs either by:
- Console app ("Start streaming")
- log stream
The latter can also be used with a predicate (--predicate) to filter the logs in real time; --level info or --level debug includes the more verbose levels.
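To drive the collect / show / stream steps above from a script and get records you can post-process, here is an added Python helper; it is mine, not Apple's and not from the original page. It assumes the log(1) options used above (--output, --last, --start, --end, --predicate, --style ndjson, --info, --debug, --level) and that the ndjson records carry processImagePath and senderImagePath but no bare process or sender field, which is why those are derived from the paths.

```python
import json
import os
import shutil
import subprocess


def collect_argv(output_archive, last="1d"):
    """`sudo log collect --last 1d --output host.logarchive` (root is needed
    for the system logs; --last bounds how far back the archive reaches)."""
    return ["sudo", "log", "collect", "--last", last, "--output", output_archive]


def show_argv(archive, predicate, start=None, end=None, last=None,
              info=True, debug=False):
    """`log show <archive> --predicate ... --style ndjson [--info] [--debug]`
    plus an optional time window (--last "2h", or --start/--end as
    "YYYY-MM-DD HH:MM:SS"). Info/debug entries are omitted unless asked for."""
    argv = ["log", "show", archive, "--predicate", predicate, "--style", "ndjson"]
    if info:
        argv.append("--info")
    if debug:
        argv.append("--debug")
    if last:
        argv += ["--last", last]
    if start:
        argv += ["--start", start]
    if end:
        argv += ["--end", end]
    return argv


def stream_argv(predicate, level="default"):
    """`log stream --predicate ... --style ndjson --level default|info|debug`."""
    return ["log", "stream", "--predicate", predicate, "--style", "ndjson",
            "--level", level]


def normalize(rec):
    """Keep the fields the predicates use and derive `process`/`sender` from the
    image paths (assumption: the ndjson output carries the paths but no bare
    process/sender key)."""
    keep = ("timestamp", "eventType", "messageType", "subsystem", "category",
            "eventMessage", "processImagePath", "senderImagePath")
    out = {k: rec.get(k) for k in keep}
    out["process"] = os.path.basename(rec.get("processImagePath") or "")
    out["sender"] = os.path.basename(rec.get("senderImagePath") or "")
    return out


def parse_ndjson(text):
    """One JSON object per line; blank or non-JSON lines are skipped."""
    return [normalize(json.loads(line)) for line in text.splitlines()
            if line.lstrip().startswith("{")]


def run_log(argv):
    """Run a `log` command (macOS only) and return the parsed records."""
    if shutil.which("log") is None:
        raise RuntimeError("log(1) not found; this only runs on macOS")
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_ndjson(proc.stdout)


if __name__ == "__main__":
    argv = show_argv("host.logarchive",
                     'process == "sudo" && eventMessage CONTAINS[c] "COMMAND"',
                     last="24h")
    for rec in run_log(argv):
        print(rec["timestamp"], rec["process"], rec["eventMessage"])
```

The predicate string is passed as a single argv element, so no shell quoting is involved; when you type the same command by hand, wrap the predicate in single quotes so the double-quoted strings inside it survive.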
Predicates include:
Predicate | Description |
---|---|
eventType | Type of event (e.g., activityCreateEvent, activityTransitionEvent, logEvent, signpostEvent, stateEvent, timesyncEvent, traceEvent, userActionEvent) |
eventMessage | Message text |
messageType | Message type / verbosity level (e.g., default, info, debug, error, fault) |
process | Originating process (name only) |
processImagePath | Full path of the originating process |
sender | Originating code (e.g., library / framework, kext) |
senderImagePath | Full path of the originating code |
subsystem | os_log(3) subsystem, chosen by the developer in os_log_create(3); by convention it is usually the CFBundleIdentifier from the application's Info.plist |
category | os_log(3) category within a subsystem (also chosen in os_log_create(3)) |
Examples of how to determine the subsystem associated with various apps (the bundle identifier is the convention, not a guarantee, since the developer can pass any string to os_log_create):
$ defaults read /Applications/Cyberduck.app/Contents/Info.plist CFBundleIdentifier
ch.sudo.cyberduck
$ defaults read /Applications/010\ Editor.app/Contents/Info.plist CFBundleIdentifier
com.SweetScape.010Editor
Apple's own subsystems are listed by the plist files in /System/Library/Preferences/Logging/Subsystems/; remove the ".plist" suffix from a file name to get the subsystem identifier to query.
Various filters to use with the log utility's --predicate parameter on macOS (pass the filter in single quotes so the shell leaves the double-quoted strings alone, e.g., log show host.logarchive --predicate '...'), each with a potentially associated MITRE ATT&CK tactic to give some semblance of organization (several of these could be associated with multiple tactics, so the mapping is fairly arbitrary). "Last Tested On" is the last macOS version I (or someone else) tested the filter on, and "Private Data" notes whether the interesting part of the message is redacted as "<private>" unless private data logging has been enabled (see the Enable-Private-Data references at the end).
Tactic | Filter | Description | Last Tested On | Private Data |
---|---|---|---|---|
Initial Access | processImagePath BEGINSWITH "/System/" AND process == "SecurityAgent" AND subsystem == "com.apple.loginwindow" AND eventMessage CONTAINS "Authentication failure" | Failed password-based login attempt | 12.6 | No |
Initial Access | processImagePath BEGINSWITH "/System/Library/CoreServices" AND process == "loginwindow" AND subsystem == "com.apple.loginwindow.logging" AND eventMessage CONTAINS "[Login1 doLogin] \| shortUsername" | Successful password-based login | 12.6 | No |
Initial Access | process == "loginwindow" AND eventMessage CONTAINS[c] "APEventTouchIDNoMatch" | Failed TouchID login attempt | 12.6 | No |
Initial Access | process == "loginwindow" AND eventMessage CONTAINS[c] "APEventTouchIDMatch" | Successful TouchID login | 12.6 | No |
Initial Access | processImagePath ENDSWITH[c] "loginwindow" AND eventMessage CONTAINS[c] "LWScreenLockAuthentication" AND eventMessage CONTAINS[c] "screensaver_aks" | Successful Apple Watch login | 12.6 | No |
Execution | process == "sudo" && eventMessage CONTAINS[c] "COMMAND" | Commands executed with sudo privileges | 12.6 | No |
Execution | subsystem == "com.apple.syspolicy.exec" AND process == "syspolicyd" AND category == "default" | Gatekeeper scans when file(s) opened | 12.6 | Yes |
Persistence | subsystem == "com.apple.ManagedClient" AND process == "mdmclient" AND category == "MDMDaemon" AND eventMessage CONTAINS "Installed configuration profile:" AND eventMessage CONTAINS "Source: Manual" | Manual installation of configuration profile | 12.6 | No |
Persistence | subsystem == "com.apple.opendirectoryd" AND process == "opendirectoryd" AND category == "auth" AND eventMessage CONTAINS "Password changed for" | Successful local user password change | 12.6 | No |
Persistence | subsystem == "com.apple.opendirectoryd" AND process == "opendirectoryd" AND category == "auth" AND eventMessage CONTAINS "Failed to change password" | Failed local user password change | 12.6 | No |
Persistence | (subsystem == "com.apple.networkextension" AND process == "nehelper" AND eventMessage CONTAINS "DNS settings are enabled") OR (subsystem == "com.apple.networkextension" AND process == "nesessionmanager" AND eventMessage CONTAINS "status changed to disconnected, last stop reason Configuration was disabled") | Modify DNS settings in network preferences | 12.6 | No |
Privilege Escalation | processImagePath == "/usr/libexec/opendirectoryd" AND process == "opendirectoryd" AND subsystem == "com.apple.opendirectoryd" AND eventMessage CONTAINS "Password changed for root" | Enable account or change password for root user | 12.6 | No |
Defense Evasion | subsystem == "com.apple.launchservices" AND process == "CoreServicesUIAgent" AND category == "uiagent" AND (eventMessage BEGINSWITH "Saving rejection record:" OR eventMessage CONTAINS "Gatekeeper rejection record") | Gatekeeper rejection / bypass | 12.6 | Yes |
Defense Evasion | subsystem == "com.apple.ManagedClient" AND process == "mdmclient" AND category == "MDMDaemon" AND eventMessage CONTAINS "Removed configuration profile:" AND eventMessage CONTAINS "Source: Manual" | Manual removal of configuration profile | 12.6 | No |
Defense Evasion | subsystem == "com.apple.ManagedClient" AND eventMessage CONTAINS "Removed configuration profile: MDM Profile" AND eventMessage CONTAINS "Source: Manual" | Manual removal of MDM profile | 12.6 | No |
Lateral Movement | processImagePath BEGINSWITH "/System/Library/CoreServices" AND process == "loginwindow" AND eventMessage CONTAINS[c] "INCORRECT" | Failed lock screen unlock attempt | 12.6 | No |
Exfiltration | subsystem == "com.apple.sharing" AND process == "AirDrop" AND processImagePath BEGINSWITH "/System/Library" AND eventMessage BEGINSWITH "Successfully issued sandbox extension for" | Outbound AirDrop file transfer (shows filename) | 12.6 | No |
Exfiltration | process == "NetAuthSysAgent" AND subsystem == "com.apple.NetAuthAgent" AND category == "IPC" AND eventMessage BEGINSWITH "URL = " | Server connection attempts using Finder's "Connect to Server" dialog (e.g., SMB, FTP, etc.) | 12.6 | No |
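The filters above are NSPredicate expressions that only log(1) on a Mac can run, which makes them awkward to unit-test or to apply to ndjson exported from another host. Here is an added example (my code, not Apple's and not from the original page) of a small evaluator for the subset of the predicate language the table uses, run as detection logic over constructed sample records. It assumes records are dicts keyed by predicate field name (process, subsystem, eventMessage, ...), as you get from `log show --style ndjson` after deriving `process` from processImagePath; the sample paths and message texts are placeholders built around the substrings the filters match on. The DNS filter is deliberately written without parentheses to show that, as in NSPredicate, AND binds tighter than OR, so the two halves still pair up as intended.

```python
import json
import re
# Subset handled: ==, !=, CONTAINS, BEGINSWITH, ENDSWITH (optional [c] for
# case-insensitive), AND/&&, OR/|| and parentheses. As in NSPredicate, AND
# binds tighter than OR: a AND b OR c AND d is (a AND b) OR (c AND d).
# Records are dicts keyed by predicate field (process, subsystem, eventMessage, ...).
_TOKEN = re.compile(
    r'\s*(?:("(?:[^"\\]|\\.)*")|([()])|(==|!=|&&|\|\|)|([A-Za-z_]\w*(?:\[[cd]+\])?))')
_OPS = {"==": str.__eq__, "!=": str.__ne__, "CONTAINS": lambda h, w: w in h,
        "BEGINSWITH": str.startswith, "ENDSWITH": str.endswith}

def tokenize(text):
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"cannot tokenize predicate at {text[pos:pos + 20]!r}")
        toks.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return toks

class Predicate:
    """Recursive-descent parser; evaluate(record) applies the parsed tree."""
    def __init__(self, text):
        self._toks, self._i = tokenize(text), 0
        self._tree = self._or()
        if self._i != len(self._toks):
            raise ValueError(f"unexpected token {self._toks[self._i]!r}")

    def _peek(self):  # next token, upper-cased so keywords match in any case
        return self._toks[self._i].upper() if self._i < len(self._toks) else None

    def _take(self):
        if self._i == len(self._toks):
            raise ValueError("unexpected end of predicate")
        self._i += 1
        return self._toks[self._i - 1]

    def _or(self):
        node = self._and()
        while self._peek() in ("OR", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._primary()
        while self._peek() in ("AND", "&&"):
            self._take()
            node = ("and", node, self._primary())
        return node

    def _primary(self):
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        key, op, raw = self._take(), self._take(), self._take()
        if not raw.startswith('"'):
            raise ValueError(f"expected a quoted string after {key} {op}")
        return ("cmp", key, op, json.loads(raw))

    def evaluate(self, rec, node=None):
        node = self._tree if node is None else node
        if node[0] == "and":
            return self.evaluate(rec, node[1]) and self.evaluate(rec, node[2])
        if node[0] == "or":
            return self.evaluate(rec, node[1]) or self.evaluate(rec, node[2])
        _, key, op, want = node
        base, _, mods = op.upper().partition("[")
        have = str(rec.get(key) or "")
        if "C" in mods:  # [c] modifier: case-insensitive comparison
            have, want = have.lower(), want.lower()
        return _OPS[base](have, want)

DETECTIONS = {  # three of the filters from the table above, keyed by what they detect
    "failed password login": 'processImagePath BEGINSWITH "/System/" AND process == "SecurityAgent" '
                             'AND subsystem == "com.apple.loginwindow" AND eventMessage CONTAINS "Authentication failure"',
    "sudo command": 'process == "sudo" && eventMessage CONTAINS[c] "COMMAND"',
    "DNS settings modified": 'subsystem == "com.apple.networkextension" AND process == "nehelper" AND eventMessage '
                             'CONTAINS "DNS settings are enabled" OR subsystem == "com.apple.networkextension" AND process == '
                             '"nesessionmanager" AND eventMessage CONTAINS "status changed to disconnected, last stop reason Configuration was disabled"',
}

def triage(records, detections=DETECTIONS):
    """Return (detection, timestamp, eventMessage) for every record a filter matches."""
    compiled = {name: Predicate(text) for name, text in detections.items()}
    return [(name, rec.get("timestamp"), rec.get("eventMessage"))
            for rec in records for name, pred in compiled.items() if pred.evaluate(rec)]

SAMPLE_RECORDS = [  # constructed: only the fields the filters use; paths and texts are placeholders
    {"timestamp": "2022-11-01 09:14:02-0400", "process": "SecurityAgent", "subsystem": "com.apple.loginwindow",
     "processImagePath": "/System/Library/CoreServices/SecurityAgent", "eventMessage": "Authentication failure"},
    {"timestamp": "2022-11-01 09:15:10-0400", "process": "sudo", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2022-11-01 09:16:00-0400", "process": "opendirectoryd", "subsystem": "com.apple.opendirectoryd",
     "eventMessage": "Password changed for alice"},
    {"timestamp": "2022-11-01 09:20:00-0400", "process": "nesessionmanager", "subsystem": "com.apple.networkextension",
     "eventMessage": "status changed to disconnected, last stop reason Configuration was disabled"},
]
```

Running triage(SAMPLE_RECORDS) flags the first, second and fourth records and leaves the non-root password change alone; the third record is there as a negative so that a typo in a filter that suddenly matches everything shows up in a test. Keep this evaluator for testing filters against exported records only: the real matching is done by log(1), and operators outside this subset (IN, MATCHES, numeric comparisons on messageType) are not implemented here.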
More coming soon(ish)....
- Apple
  - Logging documentation
  - Predicate Programming Guide
  - SystemLogging (covers the Enable-Private-Data key)
- Joachim Metz: Apple Unified Logging and Activity Tracing formats
- Jamf Unified Log Filters
- cmdSecurity: Unified Logs: How to Enable Private Data
- Jamf: Unified Logs: How to Enable Private Data
- Sarah Edwards / mac4n6
  - Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]
  - Analysis of Apple Unified Logs: Quarantine Edition [Entry 1] – Converting Log Archive Files on 10.15 (Catalina) (see also Converting Unified Logs – A Great Disturbance In The Force)
  - ...
  - Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge
- CrowdStrike: Finding Waldo: Leveraging the Apple Unified Log for Incident Response
- Mandiant: macOS Unified Logs tool
- macOS logging subsystems
- Howard Oakley / Eclectic Light Company
- Skartek: Unified Logging for macOS, an introduction
- Cellebrite
- Yogesh Khatri: UnifiedLogReader tool