-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # Apple Unified Logging (AUL) | ||
|
|
||
| According to [Apple](https://developer.apple.com/documentation/os/logging), | ||
|
|
||
| >The unified logging system is available in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later. This system supersedes the | ||
| Apple System Logger (ASL) and Syslog APIs. | ||
|
|
||
| ## Preservation | ||
|
|
||
| The AUL lives in the following locations: | ||
|
|
||
| /private/var/db/diagnostics/ | ||
| /var/db/diagnostics/ | ||
|
|
||
| And the support files are in: | ||
|
|
||
| /var/db/uuidtext | ||
|
|
||
| The logs are stored in the [tracev3](https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc#tracev3_file_format) and [timesync DB](https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc#timesync_database_file_format) formats. | ||
|
|
||
| You can create a `logarchive` file of the logs on a live system with: | ||
|
|
||
| log collect | ||
|
|
||
| The `log show` command can be used with the `*.logarchive` file. | ||
|
|
||
| ## Live logs | ||
|
|
||
| Stream live logs either by: | ||
|
|
||
| - Console app ("Start streaming") | ||
| - `log stream` | ||
|
|
||
| The latter can also be used with a predicate to filter the logs in realtime. | ||
|
|
||
| ## Predicate Reference | ||
|
|
||
| Various predicates to use with the `log` utility on macOS. | ||
|
|
||
| **Predicate** | **Description** | **Version Tested** | ||
| ------------- | --------------- | ------------------ | ||
| `process =="sudo" && eventMessage contains "COMMAND"` | Commands executed with `sudo` privilege | 12.6 | ||
|
|
||
| *More coming soon(ish)....* | ||
|
|
||
| ## References | ||
|
|
||
| - [Apple: Logging documentation](https://developer.apple.com/documentation/os/logging) | ||
| - [Apple: Predicare Programming Guide](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html) | ||
| - [Joachim Metz: Apple Unified Logging and Activity Tracing formats](https://github.com/libyal/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc) | ||
| - [CrowdStrike: Finding Waldo: Leveraging the Apple Unified Log for Incident Response](https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/) | ||
| - [Mandiant: macOS Unified Logs tool](https://github.com/mandiant/macos-UnifiedLogs) | ||
| - Howard Oakley / Eclectic Light Company | ||
| - macOS Unified log — [Part 1: Why, what, and how](https://eclecticlight.co/2018/03/19/macos-unified-log-1-why-what-and-how/) | [Part 2: Content and extraction](https://eclecticlight.co/2018/03/20/macos-unified-log-2-content-and-extraction/) | [Part 3: Finding your way](https://eclecticlight.co/2018/03/21/macos-unified-log-3-finding-your-way/) | ||
| - [Log literacy: all about the log](https://eclecticlight.co/2023/02/08/log-literacy-all-about-the-log/) | ||
| - [Skartek: Unified Logging for macOS, an introduction](https://skartek.dev/2022/05/04/unified-logging-for-macos-an-introduction/) | ||
| - Cellebrite | ||
| - [How to Add Unified Logs to Cellebrite Inspector](https://cellebrite.com/en/adding-unified-logs-to-cellebrite-inspector/) | ||
| - [Making Sense of Unified Logs in Cellebrite Inspector](https://cellebrite.com/en/making-sense-of-unified-logs-in-cellebrite-inspector/) | ||
| - [Converting Unified Logs – A Great Disturbance In The Force](https://cellebrite.com/en/converting-unified-logs-a-great-disturbance-in-the-force/) | ||
| - [*Archived Blackbag article:* Accessing Unified Logs from an Image](https://web.archive.org/web/20200925031904/https://www.blackbagtech.com/blog/accessing-unified-logs-image/) | ||
| - [Yogesh Khatri: UnifiedLogReader tool](https://github.com/ydkhatri/UnifiedLogReader) | ||
| - Sarah Edwards / mac4n6 | ||
| - [Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0]](https://www.mac4n6.com/blog/2020/4/19/introducing-analysis-of-apple-unified-logs-quarantine-edition-entry-0) | ||
| - [Analysis of Apple Unified Logs: Quarantine Edition [Entry 1] – Converting Log Archive Files on 10.15 (Catalina)](https://www.mac4n6.com/blog/2020/4/20/analysis-of-apple-unified-log-quarantine-edition-entry-1-converting-log-archive-files-on-1015-catalina) (*See also* [Converting Unified Logs – A Great Disturbance In The Force](https://cellebrite.com/en/converting-unified-logs-a-great-disturbance-in-the-force/)) | ||
| - [...](https://www.mac4n6.com/blog/category/logs) | ||
| - [Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge](https://www.mac4n6.com/blog/2020/4/20/analysis-of-apple-unified-log-quarantine-edition-entry-1-converting-log-archive-files-on-1015-catalina) |