cmdReporter Wiki


Unified Log Collection

Unified Log Level Details

cmdReporter collects unified log entries at the default and info levels. On macOS 10.14 and newer, these logs are streamed in real time; on macOS 10.12-10.13, unified logs are collected on an hourly basis due to limitations of the macOS frameworks involved.

<private> Data in Logs

See this article for how to enable (show) private data in unified logs. https://wiki.cmdreporter.com/support/solutions/articles/12000067099-unified-logs-enable-show-private-data

Preference Keys

The preference key UnifiedLogPredicates is an array of strings. Each string is a search predicate that determines which unified log events are collected and transmitted. Multiple searches can be defined, but take care not to overly impact system performance; a maximum of 5 searches is recommended.

<key>UnifiedLogPredicates</key>
<array>
  <string>(senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; ((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))</string>
  <string></string>
</array>


Special Modifications to Predicate Searches

Unified log search syntax contains characters that are illegal in configuration profiles (XML). To prevent problems with the configuration profile, 3 characters need to be replaced with their XML entity equivalents per the table below.

Character    Substitution Text
&            &amp;
<            &lt;
>            &gt;

For example, the search

(senderImagePath == "/usr/libexec/syspolicyd") && (formatString BEGINSWITH "GK")

would become

(senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; (formatString BEGINSWITH "GK")
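
An added example, not part of the cmdReporter documentation: a Python script that applies the three substitutions to raw predicates, emits the UnifiedLogPredicates fragment, and parses it back with plistlib to confirm the XML parser recovers exactly the predicate that was typed. The function names, the hard stop at 5 searches, and the skipping of blank entries are choices made for this example.

```python
import plistlib
from xml.sax.saxutils import escape  # escapes &, < and > (in that order)

MAX_SEARCHES = 5  # the page's recommended maximum, enforced here as a hard stop

# Constructed sample input: the raw predicate from the page, before substitution.
RAW_PREDICATES = [
    '(senderImagePath == "/usr/libexec/syspolicyd") && '
    '((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))',
]


def build_fragment(predicates):
    """Return the <key>/<array> text to paste into the profile payload."""
    cleaned = [p.strip() for p in predicates if p.strip()]  # skip blank entries
    if len(cleaned) > MAX_SEARCHES:
        raise ValueError(
            f"{len(cleaned)} searches defined; {MAX_SEARCHES} is the recommended maximum"
        )
    lines = ["<key>UnifiedLogPredicates</key>", "<array>"]
    lines += [f"  <string>{escape(p)}</string>" for p in cleaned]
    lines.append("</array>")
    return "\n".join(lines)


def parsed_predicates(fragment):
    """Wrap the fragment in a minimal plist and return what an XML parser reads back."""
    doc = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<plist version="1.0">\n<dict>\n{fragment}\n</dict>\n</plist>'
    )
    return plistlib.loads(doc.encode("utf-8"))["UnifiedLogPredicates"]


if __name__ == "__main__":
    fragment = build_fragment(RAW_PREDICATES)
    print(fragment)
    # The parser must hand back exactly the predicate that was typed.
    assert parsed_predicates(fragment) == RAW_PREDICATES
```

Double quotes are left as typed because they are legal inside XML element text; only the three characters in the table are substituted.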


