Because of the way some applications check the status of connections, configurations, or files, a single command may be called multiple times per second, causing high log volume.
High log volume is rare, but the typical applications we see causing high volume are security applications or applications that do not use the proper macOS APIs to find information.
How to find high-volume applications
The commands below use binaries shipped with macOS by default; no software needs to be installed for them to work.
# Count and sort the subject.process_name fields on a problem device
# This is the most specific filter and should be considered
# before using responsible_process_name
tail -1000 /var/log/cmdReporter.log | egrep -o -e '"process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h

# Count and sort the subject.responsible_process_name on a problem device
# Use this when subject.process_name does not have
# a single application causing high log volume
tail -1000 /var/log/cmdReporter.log | egrep -o -e '"responsible_process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h
The output of each of these commands will appear something like this:
 12 /System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent
 15 /system/applications/mail.app/contents/macos/mail
 16 /usr/bin/grep
 22 /usr/libexec/trustd
 37 /System/Applications/Mail.app/Contents/MacOS/Mail
898 /usr/sbin/mdnsresponder
In the above example, an organization should consider adding /usr/sbin/mDNSResponder to the AuditEventExcludedProcesses preference and reloading cmdReporter.
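The pipeline above, wrapped as an added example (not part of cmdReporter or the original page): it reports each process's share of the sampled events, so only processes above a chosen threshold are reviewed as exclusion candidates and everything else stays audited. The function names, the threshold parameter and the sample log lines are assumptions constructed for illustration; real records carry more fields.

```shell
#!/bin/sh
# Added example: rank processes by their share of recent cmdReporter events.
# Usage: noisy_processes LOGFILE FIELD MIN_PERCENT [SAMPLE_LINES]
#   FIELD is process_name or responsible_process_name (hypothetical wrapper).
# Output: "count percent path", highest count first.
noisy_processes() {
    log=$1 field=$2 min_pct=$3 sample=${4:-1000}
    tail -n "$sample" "$log" |
        grep -E -o "\"${field}\":\"[^\"]+" |
        cut -d'"' -f4 |
        sort | uniq -c |
        awk -v min="$min_pct" '
            {   # keep the count, then strip it so paths with spaces survive
                count[NR] = $1; sub(/^ *[0-9]+ /, ""); path[NR] = $0
                total += count[NR]
            }
            END {
                for (i = 1; i <= NR; i++) {
                    pct = 100 * count[i] / total
                    if (pct >= min)
                        printf "%d %.1f %s\n", count[i], pct, path[i]
                }
            }' |
        sort -rn
}

# Constructed sample log: only the two fields the pipeline reads are modelled.
make_sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo '{"subject":{"process_name":"/usr/sbin/mDNSResponder","responsible_process_name":"/usr/sbin/mDNSResponder"}}'
        i=$((i + 1))
    done
    echo '{"subject":{"process_name":"/usr/bin/grep","responsible_process_name":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}}'
    echo '{"subject":{"process_name":"/usr/libexec/trustd","responsible_process_name":"/usr/libexec/trustd"}}'
}

# Demo on the constructed log: list processes producing at least 50% of events.
demo_log=$(mktemp)
make_sample_log > "$demo_log"
noisy_processes "$demo_log" process_name 50
rm -f "$demo_log"
```

On a real device, pass /var/log/cmdReporter.log as LOGFILE and try process_name before responsible_process_name, as described above.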