The Unified Logging system on macOS provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.
You must create a predicate-based filter that collects logs relevant to your organization's needs. The following steps show how to use Console to help you identify criteria that can be added to a predicate filter.
Warning:
Do not create unified log filters that collect Jamf Protect activities. This generates an infinite logging loop that may cause unexpected behavior.
- Open the Console app.
- In the search field, enter keywords that are relevant to the logs you want to view.
Example:
If you want to see all logs related to login events, enter loginwindow.
- Analyze the results, and continue to refine your search criteria until only logs relevant to your needs are displayed in Console.
Example:
To narrow the criteria to only user logins and not screen unlocks, enter com.apple.sessionDidLogin and choose from the filter drop down.
- Create a predicate-based filter that includes the criteria from step 3.
This value will be used to configure a Unified Log Filter in Jamf Protect.
Example:
The search criteria that filter for user logins in step 3 are written as follows in predicate syntax:
processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin"
For a full list of supported keys that can be used in a predicate-based filter, execute the following command: log help predicates
- (Optional) Confirm that your filter is correct.
- Use Terminal to execute a log command that uses your predicate.
Example:
log show --predicate 'processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin"'
- Complete a task on your computer that will generate a log that meets your filter criteria.
- Confirm that the task generates a new log entry in your Terminal session.
You now have a predicate-based filter that can be used to configure a Unified Log Filter in Jamf Protect.
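Before deploying the filter, it helps to see how many entries the predicate matches and which processes produce them. The script below is an added example, not part of the original procedure or of Jamf Protect. It assumes python3 is available on the Mac; the function names are hypothetical and the sample records are constructed so that it also runs off macOS.

```python
import json
import subprocess
import sys
from collections import Counter

def build_predicate(criteria):
    """Join (key, substring) pairs into: key contains "value" and ..."""
    parts = []
    for key, value in criteria:
        # Escape backslashes and double quotes so the value stays one string literal.
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key} contains "{escaped}"')
    return " and ".join(parts)

def run_log_show(predicate, last="10m"):
    """macOS only: ndjson lines for entries from the last window that match."""
    cmd = ["log", "show", "--last", last, "--style", "ndjson", "--predicate", predicate]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()

def summarize(ndjson_lines):
    """Count matching entries per process, skipping anything that is not a log event."""
    per_process = Counter()
    for line in ndjson_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines or plain-text output
        if isinstance(entry, dict) and "eventMessage" in entry:
            per_process[entry.get("processImagePath", "unknown")] += 1
    return per_process

LOGIN_PREDICATE = build_predicate([
    ("processImagePath", "loginwindow"),
    ("eventMessage", "com.apple.sessionDidLogin"),
])

# Constructed sample output, used when the script is not running on macOS.
LOGINWINDOW = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
SAMPLE = [
    json.dumps({"timestamp": "2024-01-01 09:00:00.000000+0000", "processImagePath": LOGINWINDOW,
                "eventMessage": "constructed: com.apple.sessionDidLogin"}),
    json.dumps({"timestamp": "2024-01-01 13:30:00.000000+0000", "processImagePath": LOGINWINDOW,
                "eventMessage": "constructed: com.apple.sessionDidLogin"}),
    "",
    json.dumps({"count": 2, "finished": 1}),  # constructed non-event record
]

if __name__ == "__main__":
    lines = run_log_show(LOGIN_PREDICATE) if sys.platform == "darwin" else SAMPLE
    print("predicate:", LOGIN_PREDICATE)
    for process, count in summarize(lines).most_common():
        print(f"{count:6d}  {process}")
```

A count that is much higher than expected, or processes you did not intend to capture, means the predicate needs further narrowing before it is used in a Unified Log Filter.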