cmdReporter Wiki

Open navigation

Audited Activities Overview

Data Collected by cmdReporter

Audit Level 1

Account Changes

  • User account
    • Creation
    • Modification
    • Deletion
  • Group creation
    • Creation
    • Modification
    • Deletion

Audio / Visual Device Activity

  • Addition / Removal of any video or audio devices
  • Video Device
    • Activations (live preview)
    • Recording
  • Audio Device
    • Activations (live preview)
    • Recording

Authentication and Authorization

  • Login events regardless of user, method, or protocol
  • All non-login authentication events such as installing software
  • Authorization and capability checks

Process Executions

  • Applications and scripts run by the user

File Events

  • All file modifications in monitored directories


  • Version Information
  • Manual Gatekeeper Bypasses (opt + open)
  • Log of quarantined files

Hardware Changes

  • Addition / Removal of any hardware devices

Network Events

  • Incoming external connections

Network Listening Ports Events

  • New processes listening on network ports
  • Both bsd (inter-process) and IP listening ports are logged


  • All print activity


  • Creation or modification of any login session
  • Sessions created for background processes are also logged

Unified Logs

  • Any custom predicates defined in the preference file


  • Definition version information on cmdReporter start and xprotect version change
  • Xprotect evaluation results

Audit Level 2 adds

Process Executions

  • Applications and scripts run by background processes

Network Events

  • Outgoing network connections

Audit Level 3

Inter-process communications

  • bsd port activity
  • XPC activity

Note: Exclusion filters are ignored at audit level 3

Ignored Filters:
  • AuditEventExcludedProcesses
  • AuditEventLogVerboseMessages
  • AuditEventExcludedUsers

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.