Description
This pack helps you obtain information from the Apple Unified Logging.
Versions
- 1.0.1.0 - 21 Apr 2023 - Updated OS requirements
- 1.0.0.0 - 22 Jul 2022 - Initial release
This pack helps you obtain information from the Apple Unified Logging.
Returns a list of entries from the 'Apple Unified Log' which match the provided inputs supplied in the Remote Action.This is particularly useful for gathering information from macOS endpoints relating to both the operating system and applications.Any matching information which is found based on the supplied inputs are sent to a text file that can be opened directly from the Finder by leveraging a Custom Action.If no matching items are found in the Unified Logging search criteria then in this instance the file will not be created, or it will not be overwritten in the event there is a pre-existing file. This Remote Action can assist greatly in troubleshooting scenarios by analyzing events or errors that may have occurred in the past.
Run the script as 'local system'. The script should be executed manually.
A timeout of 120 seconds is recommended.
Label | Description |
---|---|
Number Of Events | The number of events that the Remote Action will obtain (up to 1000) |
Output Dir | Location where the output file will be created in the local machine |
Process Name | Name of the target process for which the user wishes to visualize the logs (Optional). This field accepts regular expressions. Use '-' (a dash) if you do not wish to filter by 'ProcessName' |
Provider Name | The Provider Name registered with the event log as source of entries (Optional). This field accepts regular expressions. Use '-' (a dash) if you do not wish to filter by 'ProviderName' |
Provider Category | System-defined value for the provider. Groups the provider logs logically (Optional). This field accepts regular expressions. Use '-' (a dash) if you do not wish to filter by 'ProviderCategory' |
Severity Level | The severity level associated to the entries in the Apple log (Optional). The accepted values are default, release, info, debug, error and fault. Use '-' (a dash) if you do not wish to filter by 'SeverityLevel' |
Event Type | Type of the log event (Optional). The accepted values are activityCreateEvent, activityTransitionEvent, userActionEvent, traceEvent, logEvent, timesyncEvent, signpostEvent, lossEvent and stateEvent. Use '-' (a dash) if you do not wish to filter by 'EventType' |
Message Content | Content which should be inside the log line message (Optional). This field accepts regular expressions. Use '-' (a dash) if you do not wish to filter by 'MessageContent' |
To Date | The latest date a collected event can have in format yyyy/MM/dd (Optional). When this input is provided, the events will be collected from the beginning of time to this date. Use '-' (a dash) if you do not wish to filter by 'ToDate' |
Label | Type | Description |
---|---|---|
Output File | String | Full path of the output file on the local device |
Depending on the number of values used as filters from the input parameters, this Remote Action could potentially cause temporary high CPU usage on the device. Note that filter values are case sensitive.
OutputDirIsFile | |
---|---|
Test Case | The value of the OutputDir parameter is a file present on the device. |
Environment | VM macOS 10.14 EN |
Results | Failure - The value must be a folder, the file name is filled by the Remote Action automatically. |
InformationRetrieval | |
---|---|
Test Case | The RA is configured to retrieve INFO traces from logEvent. |
Environment | VM macOS 10.14 EN |
Results | Success - The information is exported to the file set in OutputFile field. |