cmdReporter Wiki

Log Level Information Collection Documentation

Log Level Overview

Event category                                   Level 1   Level 2   Level 3
Logins                                           x         x         x
Authorizations                                   x         x         x
User and Group Creation/Modification             x         x         x
Hardware change events                           x         x         x
System operation events (misc)                   x         x         x
External drive and volume events                 x         x         x
cmdReporter tamper events                        x         x         x
Network and firewall changes                     x         x         x
System configuration file changes                x         x         x
Process (.app) executions                        x         x         x
Terminal and shell script actions                x*        x*        x
Any process listening for network connections    x         x         x
Gatekeeper Evaluations and Overrides             x         x         x
Xprotect Evaluations and Updates                 x         x         x
All incoming network connections                           x         x
User outgoing network connections                          x         x
System-level outgoing network connections                  x         x
File events on external drives                                       x
All network traffic                                                  x
File event monitoring custom paths               x         x         x
Application Exclusions                           x         x         -*
User Exclusions                                  x         x         -*

x*  See the expanded log level details below.
-*  See the log level 3 details below (exclusions are ignored at level 3).


Log Level 1 Details

This log level is suitable for most computers.

  • Login events
    • Loginwindow, screensaver
    • SSH, Screen sharing, Apple Remote Desktop
    • File sharing and any other service that requires a local account
  • Authorizations
    • All system events determining if an authenticated user or process has the permission to perform an action.
  • User and Group account creation or modification
  • Hardware change events
  • System operation events
    • Mounting external or network drives
    • Reboot, shutdown, and OS update events
  • cmdReporter component tamper events
  • Network and firewall configuration changes
  • System configuration file changes
  • Process (.app) executions
    • App execution
    • Any security-relevant actions an app may perform
  • Terminal and Shell script commands
    • Any command run with administrative permissions
    • Any command run as root
    • Any command run where the audit user does not match the effective user
      • Example: sudo -u mark echo "I'm actually Dan"
    • Root or Admin shell script execution and every command the script performs
  • All apps or commands listening for network connections
    • Connections from outside the local computer
    • Connections to localhost are ignored at level 1
  • File events in system configuration folders
    • Note: defining paths in the FileEventInclusionPaths preference key overrides the default paths listed below
    • /etc/pam.d/
    • /Library/Extensions/
    • /var/db/ConfigurationProfiles/
    • /Library/Preferences/
    • /Library/LaunchAgents/
    • /Library/LaunchDaemons/


Log Level 2 Details

Designed for systems handling sensitive information regularly.

  • Everything from log level 1
  • Terminal and Shell script commands
    • Any command run with administrative permissions
    • Any command run as root
    • Any command run where the audit user does not match the effective user
      • Example: sudo -u mark echo "I'm actually Dan"
    • Root or Admin shell script execution and every command the script performs
  • All incoming network communications
  • All outgoing network communications
  • Filtered inter-process communications

Log Level 3 Details

Designed for short-term use on systems that are traveling to high security-risk environments, or for remotely confirming a suspected compromise of a system.

Note: All process and user filters are ignored at log level 3. Administrators can expect a much higher log volume than either level one or two.

  • Everything from log level 1 and 2
  • All configured user and process drop filters are ignored; all events are logged
    • This includes:
      • Applications Exclusions
      • User Exclusions
  • Full terminal and shell script history
    • Any user, any permission level
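To make the terminal/shell rules at levels 1 and 2, and the "log everything, ignore exclusions" behaviour at level 3, concrete, here is an added Python illustration. It is not cmdReporter's own code: the event fields (auid, euid, admin), the exclusion sets and the sample events are all constructed for the example.

```python
# Added illustration of the cmdReporter log-level rules described above.
# Not cmdReporter code; event field names and the exclusion sets are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandEvent:
    command: str
    auid: str    # audit user: the account that actually logged in
    euid: str    # effective user the command runs as
    admin: bool  # command run with administrative permissions


def terminal_rule_matches(ev: CommandEvent) -> bool:
    """Level 1/2 terminal rule: admin, root, or audit user != effective user."""
    return ev.admin or ev.euid == "root" or ev.auid != ev.euid


def is_excluded(ev: CommandEvent, app_exclusions, user_exclusions) -> bool:
    """Application and user drop filters; honoured at levels 1 and 2 only."""
    app = ev.command.split()[0]
    return app in app_exclusions or ev.auid in user_exclusions


def would_log(ev: CommandEvent, level: int,
              app_exclusions=frozenset(), user_exclusions=frozenset()) -> bool:
    """Return True if a terminal/shell event is recorded at the given level."""
    if level not in (1, 2, 3):
        raise ValueError("log level must be 1, 2 or 3")
    if level == 3:
        # Full terminal history: any user, any permission level, filters ignored.
        return True
    if is_excluded(ev, app_exclusions, user_exclusions):
        return False
    return terminal_rule_matches(ev)


# Constructed sample events (not real audit data). The first one mirrors the
# page's "sudo -u mark" example: Dan is the audit user, mark the effective user.
SAMPLE_EVENTS = [
    CommandEvent('sudo -u mark echo "I\'m actually Dan"', "dan", "mark", True),
    CommandEvent("ls -la ~/Documents", "mark", "mark", False),
    CommandEvent("launchctl load /Library/LaunchDaemons/x.plist", "root", "root", False),
    CommandEvent("git status", "dan", "dan", False),
]


def logged_commands(level: int, app_exclusions=frozenset(), user_exclusions=frozenset()):
    """Commands from SAMPLE_EVENTS that the given level would record."""
    return [ev.command for ev in SAMPLE_EVENTS
            if would_log(ev, level, app_exclusions, user_exclusions)]
```

At level 1 only the sudo and root commands are recorded; excluding `sudo` as an application drops the first one at levels 1 and 2 but not at level 3, where all four are logged.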
