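#!/usr/bin/env bash
#
# Installs the auth-log streamer and its cleanup job as launchd jobs.
#
# Usage: run as root, as a script (strict mode would close an interactive
# shell if the lines were pasted into one).
#
# Everything fetched here ends up executed by launchd as root. The URLs are
# pinned to one gist revision, but nothing below verifies the content, so
# review the downloaded files (or compare them with a checksum recorded out
# of band) before trusting the jobs.
set -euo pipefail

readonly GIST_RAW='https://gist.githubusercontent.com/heywoodlh/0295135b9e24ec0729571497c9ab5a77/raw/b3032d9a563c956f574176c39cb2a5382f8c579c'
readonly SCRIPT_DIR='/opt/scripts'
readonly LOG_DIR='/var/log/custom'
# NOTE(review): root jobs that must start at boot conventionally live in
# /Library/LaunchDaemons; confirm a plist under root's LaunchAgents is
# loaded again after a reboot.
readonly AGENT_DIR='/var/root/Library/LaunchAgents'
# The job labels are the Label strings inside the plists (they end in .plist).
readonly LOG_LABEL='com.apple.auth-log.plist'
readonly CLEANUP_LABEL='com.apple.auth-log-cleanup.plist'

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download one file of the pinned gist revision and install it root-owned.
# Arguments: $1 - file name inside the gist
#            $2 - destination path
#            $3 - octal mode for the installed file
# Returns:   exits non-zero if the download fails or yields an empty file
#######################################
fetch() {
  local name=$1 dest=$2 mode=$3
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  # --fail: an HTTP error page must never be installed as a root-run script.
  if ! curl --fail --silent --show-error --proto '=https' \
    -o "$tmp" "${GIST_RAW}/${name}"; then
    rm -f -- "$tmp"
    die "download failed: ${name}"
  fi
  if [[ ! -s "$tmp" ]]; then
    rm -f -- "$tmp"
    die "empty download: ${name}"
  fi
  # Explicit owner and mode: launchd rejects job files that others can write,
  # and a root-run script must not be writable by anyone but root.
  install -m "$mode" -o root -g wheel "$tmp" "$dest"
  rm -f -- "$tmp"
}

((EUID == 0)) || die "must be run as root"

mkdir -p -- "$SCRIPT_DIR" "$LOG_DIR" "$AGENT_DIR"

# Auth log streamer.
fetch auth-log.sh "${SCRIPT_DIR}/auth-log.sh" 0755
fetch com.apple.auth-log.plist "${AGENT_DIR}/${LOG_LABEL}" 0644
launchctl load -w "${AGENT_DIR}/${LOG_LABEL}"
# 'launchctl start' takes the job label, not a plist path, and has no -w flag.
launchctl start "$LOG_LABEL"

# Cleanup job: the same plist template with label and program rewritten.
fetch cleanup.sh "${SCRIPT_DIR}/cleanup.sh" 0755
fetch com.apple.auth-log.plist "${AGENT_DIR}/${CLEANUP_LABEL}" 0644
# Quoted patterns with escaped dots, so only the literal names are rewritten.
sed -i '' \
  -e 's/com\.apple\.auth-log\.plist/com.apple.auth-log-cleanup.plist/g' \
  -e 's/auth-log\.sh/cleanup.sh/g' \
  "${AGENT_DIR}/${CLEANUP_LABEL}"
launchctl load -w "${AGENT_DIR}/${CLEANUP_LABEL}"
launchctl start "$CLEANUP_LABEL"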
Auth logging on MacOS using the log command
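#!/usr/bin/env bash
#
# Streams auth-related unified-log events into a dated file under
# /var/log/custom/. Meant to be started by launchd; the directory must
# already exist.
set -u

# Auth events can expose account names and session detail; keep new log
# files unreadable to other users (owner rw, group r).
umask 027

## Logs will be separated by date
# The date is evaluated once, at start-up: a stream that stays up past
# midnight keeps appending to the file named for the day it started.
DATE="$(date +%Y-%m-%d)"
CUSTOM_LOGFILE="/var/log/custom/${DATE}-auth.log"

## Stream log events with keywords to "$CUSTOM_LOGFILE"
# NOTE(review): these are substring matches on the message text, so "su"
# and "login" also match unrelated messages (any message containing
# "success", "result", ...). Filtering on the emitting process instead would
# cut the noise; confirm which events this file is meant to capture.
# exec replaces the shell with the stream, so a signal sent to this job
# reaches 'log' directly instead of a waiting shell.
exec log stream --predicate 'eventMessage contains "authd" or eventMessage contains "su" or eventMessage contains "authorizationhost" or eventMessage contains "login" or eventMessage contains "SecurityAgent"' >> "$CUSTOM_LOGFILE"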
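#!/usr/bin/env bash
#
# Deletes files in /var/log/custom/ that were last modified more than
# 7 days ago, to conserve space. Runs as root from launchd.
set -eu

readonly LOG_DIR='/var/log/custom/'

# Nothing to clean if the directory was never created.
[[ -d "$LOG_DIR" ]] || exit 0

## Clean up files older than 7 days to conserve space
# -type f limits the deletion to regular files: without it the expression
# also matches stale sub-directories and symlinks. find does not follow
# symlinks by default, so a link placed here cannot steer this root-run
# delete to a path outside the directory.
find "$LOG_DIR" -mindepth 1 -type f -mtime +7 -delete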
<?xml version="1.0" encoding="UTF-8"?> | |
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" | |
"http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
<!-- launchd job definition that runs /opt/scripts/auth-log.sh. -->
<plist version="1.0"> | |
<dict> | |
<!-- Label: the identifier this job is registered under.
     NOTE(review): the com.apple. prefix is conventionally Apple's own
     namespace; a locally installed job that uses it is harder to tell apart
     from system jobs when auditing persistence. Consider a label under your
     own reverse-DNS name. -->
<key>Label</key> | |
<string>com.apple.auth-log.plist</string> | |
<!-- ProgramArguments: the command line to run; here the script alone, with
     no arguments. Keep that file root-owned and not writable by others. -->
<key>ProgramArguments</key> | |
<array> | |
<string>/opt/scripts/auth-log.sh</string> | |
</array> | |
<!-- NOTE(review): OnDemand appears to be a legacy key that newer launchd
     documentation replaces with KeepAlive; confirm it still has the intended
     effect on the target macOS version. -->
<key>OnDemand</key> | |
<false/> | |
<!-- Nice: scheduling priority adjustment for the job (1 = slightly lowered). -->
<key>Nice</key> | |
<integer>1</integer> | |
<!-- StartInterval: start the job every 60 seconds. -->
<key>StartInterval</key> | |
<integer>60</integer> | |
</dict> | |
</plist> |