@n8felton
Forked from heywoodlh/README.md
Created November 25, 2019 15:08
Auth logging on MacOS using the log command
README.md

```bash
# Directories for the scripts, the custom log files and root's LaunchAgents.
# Note: jobs under /var/root/Library/LaunchAgents run in root's user session;
# a job that must run at boot regardless of login normally lives in /Library/LaunchDaemons.
mkdir -p /opt/scripts
mkdir -p /var/log/custom
mkdir -p /var/root/Library/LaunchAgents

# Fetch the logging script (pinned to one gist revision) and make it executable
curl 'https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c/auth-log.sh' -o /opt/scripts/auth-log.sh
chmod +x /opt/scripts/auth-log.sh

# Install and start the launchd job. `launchctl load` takes the plist path;
# `launchctl start` takes the job Label from the plist, not the path.
curl 'https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c/com.apple.auth-log.plist' -o /var/root/Library/LaunchAgents/com.apple.auth-log.plist
launchctl load -w /var/root/Library/LaunchAgents/com.apple.auth-log.plist
launchctl start com.apple.auth-log.plist

# Fetch the cleanup script
curl 'https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c/cleanup.sh' -o /opt/scripts/cleanup.sh
chmod +x /opt/scripts/cleanup.sh

# Reuse the same plist for the cleanup job, rewriting its Label and its script path
# (the Label substitution runs first so that the second sed only touches ProgramArguments)
curl 'https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c/com.apple.auth-log.plist' -o /var/root/Library/LaunchAgents/com.apple.auth-log-cleanup.plist

sed -i '' 's/com.apple.auth-log.plist/com.apple.auth-log-cleanup.plist/g' /var/root/Library/LaunchAgents/com.apple.auth-log-cleanup.plist
sed -i '' 's/auth-log.sh/cleanup.sh/g' /var/root/Library/LaunchAgents/com.apple.auth-log-cleanup.plist
launchctl load -w /var/root/Library/LaunchAgents/com.apple.auth-log-cleanup.plist
launchctl start com.apple.auth-log-cleanup.plist
```
auth-log.sh

```bash
#!/usr/bin/env bash
## Logs will be separated by date. DATE is evaluated once when the script starts,
## so a long-running stream keeps writing to that day's file until launchd restarts the job.
DATE="$(date +%Y-%m-%d)"
CUSTOM_LOGFILE="/var/log/custom/${DATE}-auth.log"
## Stream log events with keywords to "$CUSTOM_LOGFILE".
## `contains` is a plain substring match, so "su" also matches unrelated messages
## (e.g. "subsystem", "result"); expect noise from that term.
log stream --predicate 'eventMessage contains "authd" or eventMessage contains "su" or eventMessage contains "authorizationhost" or eventMessage contains "login" or eventMessage contains "SecurityAgent"' >> "$CUSTOM_LOGFILE"
```
cleanup.sh

```bash
#!/usr/bin/env bash
## Clean up files older than 7 days to conserve space
## (-mtime +7 matches files last modified more than 7 whole days ago)
find /var/log/custom/ -mindepth 1 -mtime +7 -delete
```
com.apple.auth-log.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.auth-log.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/scripts/auth-log.sh</string>
    </array>
    <!-- OnDemand false is the legacy form of KeepAlive true: launchd relaunches the job
         whenever it exits. That restarts a crashed log stream; for the short-lived
         cleanup.sh copy of this plist, launchd will throttle the rapid respawns. -->
    <key>OnDemand</key>
    <false/>
    <key>Nice</key>
    <integer>1</integer>
    <key>StartInterval</key>
    <integer>60</integer>
</dict>
</plist>
```
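Once the job is writing into /var/log/custom, the next question is how to review those files. The following is an added example, not part of this gist or its author's scripts: it summarises one captured file by process and flags lines that look like failed authentication. It assumes the default `log stream` column layout (timestamp, thread, type, activity, PID, TTL, then `process: message`), runs over constructed sample lines that only mimic the shape of real entries, and the function names `event_count_for`, `count_failed` and `events_by_process` are this example's own.

```bash
#!/usr/bin/env bash
# Constructed sample lines in the layout `log stream` prints by default
# (timestamp, thread, type, activity, PID, TTL, then "process: message").
# These are not real captures; they only mimic the shape of the data.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2019-11-25 15:08:01.000001-0700 0x1a2b     Default     0x0                  80     0    authd: (Security) Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app'
2019-11-25 15:08:05.000002-0700 0x1a2c     Default     0x0                  412    0    SecurityAgent: (Security) Authorization failed for right 'system.preferences'
2019-11-25 15:08:09.000003-0700 0x1a2d     Default     0x0                  533    0    su: BAD SU jdoe to root on /dev/ttys002
2019-11-25 15:08:12.000004-0700 0x1a2e     Default     0x0                  540    0    login: USER_PROCESS: 540 ttys003
2019-11-25 15:08:20.000005-0700 0x1a2f     Error       0x0                  80     0    authorizationhost: (Security) Failed to authenticate user <jdoe> (error: 9).
EOF

# Count events emitted by one process, matched on the "process:" column.
# Banner or header lines that do not follow the column layout never match.
event_count_for() {
  awk -v proc="$1:" '$8 == proc { n++ } END { print n + 0 }' "$2"
}

# Count lines that look like a failed authentication or privilege escalation.
# "|| true" keeps a zero-match result from being reported as an error under set -e.
count_failed() {
  grep -ciE 'fail|bad su|denied' "$1" || true
}

# Per-process event counts, most frequent first, for a quick daily review.
events_by_process() {
  awk '$8 ~ /:$/ { sub(/:$/, "", $8); c[$8]++ }
       END { for (p in c) print c[p], p }' "$1" | sort -rn
}

# Stand-alone run: summarise a real file given as $1, or the sample otherwise.
LOGFILE="${1:-$SAMPLE_LOG}"
echo "events by process:"
events_by_process "$LOGFILE"
echo "suspected failures: $(count_failed "$LOGFILE")"
```

Point it at one of the dated files (`/var/log/custom/2019-11-25-auth.log`) to get the same summary for a real day's capture.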