Note: All log levels are included with the base cmdReporter license; the log level is a verbosity preference only.
Log Level Overview

Event | Level 0 | Level 1 | Level 2 | Level 3
---|---|---|---|---
Logins | x | x | x | x
Authorizations | x | x | x | x
User and Group Creation/Modification | x | x | x | x
Hardware change events | | x | x | x
System operation events (misc) | | x | x | x
External drive and volume events | | x | x | x
cmdReporter tamper events | x | x | x | x
Network and firewall changes | x | x | x | x
System configuration file changes | x | x | x | x
Process (.app) executions | | x | x | x
Terminal and shell script actions | | x* | x* | x
Any process listening for network connections | | x | x | x
Gatekeeper Evaluations and Overrides | | x | x | x
XProtect Evaluations and Updates | | x | x | x
All incoming network connections | | | x | x
User outgoing network connections | | | x | x
System-level outgoing network connections | | | x | x
File events on external drives | | | | x
All network traffic | | | | x
File event monitoring custom paths | | x | x | x
Application Exclusions | | x | x | -*
User Exclusions | | x | x | -*

x* See the expanded log level details below (only privileged and cross-user commands are logged at these levels).
-* See Log Level 3 details below (exclusions are ignored at level 3).
Log Level 1 Details
This log level is suitable for most computers.
- Login events
  - Loginwindow, screensaver
  - SSH, Screen Sharing, Apple Remote Desktop
  - File sharing and any other service that requires a local account
- Authorizations
  - All system events determining whether an authenticated user or process has permission to perform an action
- User and Group account creation or modification
- Hardware change events
- System operation events
  - Mounting external or network drives
  - Reboot, shutdown, and OS update events
- cmdReporter component tamper events
- Network and firewall configuration changes
- System configuration file changes
- Process (.app) executions
  - App execution
  - Any security-relevant actions an app may perform
- Terminal and shell script commands
  - Any command run with administrative permissions
  - Any command run as root
  - Any command run where the audit user does not match the effective user
    - Example: sudo -u mark echo "I'm actually Dan"
  - Root or Admin shell script execution and every command the script performs
- All apps or commands listening for network connections
  - Connections from outside the local computer
  - localhost is ignored at level 1
- File events in system configuration folders
  - Note: defining paths in the FileEventInclusionPaths preference key overrides the defaults below
  - /etc/pam.d/
  - /Library/Extensions/
  - /var/db/ConfigurationProfiles/
  - /Library/Preferences/
  - /Library/LaunchAgents/
  - /Library/LaunchDaemons/
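Because FileEventInclusionPaths replaces the default list rather than extending it, a profile that lists only a custom path silently stops monitoring the six default folders. The managed-preferences plist fragment below is an added example, not from the cmdReporter documentation: it re-lists the defaults alongside constructed custom paths. The file would be delivered under cmdReporter's preference domain, which this page does not name, and the array-of-strings value type is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Constructed example. The key name FileEventInclusionPaths comes from the
         documentation above; that its value is an array of strings is an assumption. -->
    <key>FileEventInclusionPaths</key>
    <array>
        <!-- Level 1 defaults, re-listed on purpose: setting this key replaces them,
             so a profile containing only the custom paths below would drop them. -->
        <string>/etc/pam.d/</string>
        <string>/Library/Extensions/</string>
        <string>/var/db/ConfigurationProfiles/</string>
        <string>/Library/Preferences/</string>
        <string>/Library/LaunchAgents/</string>
        <string>/Library/LaunchDaemons/</string>
        <!-- Custom paths for this deployment (constructed sample values). -->
        <string>/usr/local/etc/</string>
        <string>/Library/Application Support/ExampleAgent/</string>
    </array>
</dict>
</plist>
```

Verify the deployed value with `defaults read` against the preference domain after the profile installs, and confirm all six default paths are still present.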
Log Level 2 Details
Designed for systems that regularly handle sensitive information.
- Everything from log level 1
- Terminal and shell script commands
  - Any command run with administrative permissions
  - Any command run as root
  - Any command run where the audit user does not match the effective user
    - Example: sudo -u mark echo "I'm actually Dan"
  - Root or Admin shell script execution and every command the script performs
- All incoming network communications
- All outgoing network communications
- Filtered inter-process communications
Log Level 3 Details
Designed for short-term use on systems traveling to high-risk environments, or to remotely confirm a suspected compromise of a system.
Note: All process and user filters are ignored at log level 3. Administrators can expect a much higher log volume than at either level 1 or level 2.
- Everything from log levels 1 and 2
- All configured user and process drop filters are ignored; all events are logged
  - This includes:
    - Application Exclusions
    - User Exclusions
- Full terminal and shell script history
  - Any user, any permission level