Unified Log Level Details

cmdReporter collects logs from the default and info level of unified logs. In macOS 10.14 and newer these logs are streamed in real-time and in 10.12-10.13 unified logs are collected on an hourly basis due to limitations of the macOS frameworks involved.

<private> Data in Logs

See this article for how to enable (show) private data in unified logs. https://wiki.cmdreporter.com/support/solutions/articles/12000067099-unified-logs-enable-show-private-data

Preference Keys

The preference key UnifiedLogPredicates is an array of strings. Each string defines a search predicate that defines which unified log events will be collected and transmitted. Multiple searches can be defined but caution should be used to not overly impact system performance, a maximum of 5 searches is recommended.

<key>UnifiedLogPredicates</key>
<array>
  <string>(senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; ((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))</string>
  <string></string>
</array>

Special Modifications to Predicate Searches

Unified log search syntax contains characters that are illegal in configuration profiles (xml). To prevent problems with the configuration profile there are 3 characters that need to be transformed into element markup per the table below.

For example:

The search 
senderImagePath == "/usr/libexec/syspolicyd") && ((formatString BEGINSWITH "GK")

Would become
senderImagePath == "/usr/libexec/syspolicyd") && ((formatString BEGINSWITH "GK")