cmdReporter Wiki

Open navigation

Unusually High Log Volume

Likely cause

Due to the way some applications choose to check status of connections, configurations, or files a single command may be called multiple times per second causing high log volume.

High log volume is rare, but the typical applications we see causing high volume are security applications or applications that do not use the proper macOS APIs to find information.

How to find high-volume applications

The commands below use binaries shipped with macOS by default, no software needs to be installed for these to work.

# Count and sort the subject.process_name fields on a problem device
# This is the most specific filter and should be considered 
# before using responsible_process_name

tail -1000 /var/log/cmdReporter.log | egrep -o -e '"process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h

# Count and sort the subject.responsible_process_name on a problem device 
# Use this when subject.process_name does not have 
# a single application causing high log volume

tail -1000 /var/log/cmdReporter.log | egrep -o -e '"responsible_process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h

The output of each of these commands will appear something like this:

  12 /System/Library/PrivateFrameworks/CalendarAgent.framework/Executables/CalendarAgent
  15 /system/applications/
  16 /usr/bin/grep
  22 /usr/libexec/trustd
  37 /System/Applications/
 898 /usr/sbin/mdnsresponder

In the above example an organization should consider adding /usr/sbin/mDNSResponder to the AuditEventExcludedProcesses preference and reloading cmdReporter.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.