Intended use
Collection and monitoring of single-line plaintext log files such as /var/log/system.log or /var/log/install.log.
Behavior
A cmdReporter log event will be created for every line in the specified log file as well as any data appended after the initial collection. The ongoing logging behavior is similar to the /usr/bin/tail -f command.
If the specified file does not exist, cmdReporter will do nothing until that file appears. After a previously missing file appears, cmdReporter will start logging the file's contents as described above.
Preference keys
<key>PlaintextLogCollectionPaths</key>
<array>
    <string>/var/log/jamf.log</string>
</array>
Any file path is considered valid input and does not need to be present at cmdReporter startup to work as intended.
Example Event
{
    "_event_score": 0,
    "header": {
        "event_name": "PLAINTEXT_LOG_COLLECTION_EVENT",
        "time_seconds_epoch": 1607559675
    },
    "host_info": {
        "host_name": "dan_macbook_pro",
        "host_uuid": "3F6E4B3A-9285-4E7E-9A0C-C3B62DC379DF",
        "osversion": "macOS 11.0.1 (Build 20B29)",
        "primary_mac_address": "38:f9:e8:15:5a:82",
        "serial_number": "C03XY889JHG3"
    },
    "path": ["/private/var/log/jamf.log"],
    "texts": ["Wed Dec 09 19:21:15 dan_macbook_pro jamf[56584]: No patch policies were found."]
}
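The following is an added example, not part of cmdReporter or its documentation: a Python sketch that flattens a PLAINTEXT_LOG_COLLECTION_EVENT into one record per collected line for SIEM ingestion. The function name normalize_event, the index-wise pairing of "path" with "texts", and the line layout in the regular expression are assumptions drawn from the single sample event above.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the example event from this page, reduced to the fields used below.
SAMPLE_EVENT = json.dumps({
    "header": {"event_name": "PLAINTEXT_LOG_COLLECTION_EVENT",
               "time_seconds_epoch": 1607559675},
    "host_info": {"host_name": "dan_macbook_pro", "serial_number": "C03XY889JHG3"},
    "path": ["/private/var/log/jamf.log"],
    "texts": ["Wed Dec 09 19:21:15 dan_macbook_pro jamf[56584]: No patch policies were found."],
})

# Assumed line layout, inferred from the sample:
# "<Dow Mon DD HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)

def normalize_event(raw):
    """Return one flat record per collected line; raise ValueError on other event types."""
    event = json.loads(raw)
    header = event.get("header", {})
    if header.get("event_name") != "PLAINTEXT_LOG_COLLECTION_EVENT":
        raise ValueError("not a plaintext log collection event")
    collected = datetime.fromtimestamp(header["time_seconds_epoch"], tz=timezone.utc)
    paths = event.get("path") or [None]
    records = []
    for i, text in enumerate(event.get("texts", [])):
        record = {
            "collected_at": collected.isoformat(),
            "serial_number": event.get("host_info", {}).get("serial_number"),
            # Assumption: path[i] belongs to texts[i]; fall back to the last path.
            "source_path": paths[min(i, len(paths) - 1)],
            "raw": text,
            "parsed": False,
        }
        m = LINE_RE.match(text)
        if m:  # lines in another layout are kept raw, not dropped
            record.update(m.groupdict(), pid=int(m["pid"]), parsed=True)
        records.append(record)
    return records

if __name__ == "__main__":
    for rec in normalize_event(SAMPLE_EVENT):
        print(json.dumps(rec, indent=2))
```

Lines that do not match the assumed layout are returned with "parsed" set to False and the original text in "raw", so free-form log files can go through the same path without losing data.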