Unified Log Level Details
cmdReporter collects unified logs at the default and info levels. In macOS 10.14 and newer, these logs are streamed in real time. In macOS 10.12-10.13, unified logs are collected on an hourly basis due to limitations of the macOS frameworks involved.
<private> Data in Logs
See this article for how to enable (show) private data in unified logs. https://wiki.cmdreporter.com/support/solutions/articles/12000067099-unified-logs-enable-show-private-data
Preference Keys
The preference key UnifiedLogPredicates is an array of strings. Each string is a search predicate that selects which unified log events will be collected and transmitted. Multiple searches can be defined, but take care not to overly impact system performance: a maximum of 5 searches is recommended.

    <key>UnifiedLogPredicates</key>
    <array>
        <string>(senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; ((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))</string>
        <string></string>
    </array>
Special Modifications to Predicate Searches
Unified log search syntax contains characters that are illegal in configuration profiles (XML). To prevent problems with the configuration profile, there are 3 characters that need to be replaced with the substitution text in the table below.

Character | Substitution Text |
---|---|
& | &amp; |
< | &lt; |
> | &gt; |
For example:
The search

    senderImagePath == "/usr/libexec/syspolicyd") && ((formatString BEGINSWITH "GK")

would become

    senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; ((formatString BEGINSWITH "GK")
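
The substitution can be scripted so that predicates are never escaped by hand. The following is an added example, not cmdReporter code: it applies the three substitutions from the table, builds the UnifiedLogPredicates fragment, enforces the recommended limit of 5, and round-trips the result through a plist parser. The function names and the second predicate are assumptions made for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError
from xml.sax.saxutils import escape

MAX_PREDICATES = 5  # the article recommends at most 5 searches

def escape_predicate(predicate):
    """Apply the three substitutions from the table: & < > become &amp; &lt; &gt;."""
    return escape(predicate)

def build_fragment(predicates, escaper=escape_predicate):
    """Return the UnifiedLogPredicates key/array XML for a configuration profile."""
    cleaned = [p.strip() for p in predicates if p.strip()]  # drop empty entries
    if len(cleaned) > MAX_PREDICATES:
        raise ValueError(f"{len(cleaned)} predicates; at most {MAX_PREDICATES} recommended")
    rows = [f"    <string>{escaper(p)}</string>" for p in cleaned]
    return "\n".join(["<key>UnifiedLogPredicates</key>", "<array>", *rows, "</array>"])

def parse_fragment(fragment):
    """Wrap the fragment in a minimal plist and decode it; raises on malformed XML."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           f'<plist version="1.0"><dict>\n{fragment}\n</dict></plist>')
    return plistlib.loads(doc.encode("utf-8"))["UnifiedLogPredicates"]

def is_well_formed(fragment):
    """True if the fragment parses as part of a plist, False otherwise."""
    try:
        parse_fragment(fragment)
        return True
    except (ExpatError, plistlib.InvalidFileException, ValueError):
        return False

# Predicate from the article, plus a constructed one that exercises < and >.
GATEKEEPER = ('(senderImagePath == "/usr/libexec/syspolicyd") && '
              '((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))')
CONSTRUCTED = '(processID > 0) && (processID < 500)'

if __name__ == "__main__":
    fragment = build_fragment([GATEKEEPER, CONSTRUCTED])
    print(fragment)
    # Round trip: the profile parser sees the original predicate text again.
    print(parse_fragment(fragment) == [GATEKEEPER, CONSTRUCTED])
    # The same predicate pasted without substitution is not valid XML.
    print(is_well_formed(build_fragment([GATEKEEPER], escaper=str)))
```

A fragment that fails the well-formedness check would also make the configuration profile itself invalid, so running this check before upload catches a missed substitution early.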