Access logs 
good to know
Although you can choose from multiple formats for audit logs, access logs currently only support JSON formatting.
logga collects three distinct sets of logs:
- Process execution logs, which we simply call audit logs.
- Authentication, privilege escalation, and other system-related audit logs, which we collectively call access logs.
- Unified logs, for which logga filters and persists the requested macOS unified logs.
The list below collects all the authentication, privilege escalation, and other system-related event types that trigger access logging. Note that the timestamp indicates when the event was triggered, not when the actual login, authentication, or other action happened. The difference should be only a few milliseconds.
- authentication
  - open directory (Open Directory based authentication events)
  - touchID (Login or prompt authorization via Touch ID)
  - token (Cryptographic Token authentication events)
  - auto unlock (automatic unlock by Apple Watch)
- screensharing
  - attach (Login via VNC)
  - detach (Logout via VNC)
- ssh
  - login (Login via ssh)
  - logout (Logout via ssh)
- /usr/bin/login
  - login (Login via the /usr/bin/login utility)
  - logout (Logout via the /usr/bin/login utility)
- su (su invocations)
- sudo (sudo invocations)
- LoginWindow (Events via the Login UI)
  - lock
  - unlock
  - login
  - logout
- mounting
  - mount (Mounting filesystems)
  - unmount (Unmounting filesystems)
- kexts
  - kextload (Loading Legacy Kernel Extensions)
  - kextunload (Unloading Legacy Kernel Extensions)

Log structure 
Authentication 
The outer keys are common to every authentication log type. Only the data key differs: it stores the exact event details.
{
  "log": {
    "data": {},
    "event": "authentication",
    "success": true,
    "type": "od"
  },
  "timestamp": "2023-09-17T21:26:04.716Z"
}
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
Always authentication for authentication events.
success - bool 
Whether the authentication event was successful.
type - string 
Values: od, token, touchID, auto unlock, unknown
data - object 
Different content based on the event types. See the next section for examples.
Example authentication payloads 
Open Directory event
{
  "log": {
    "data": {
      "db_path": "/var/db/dslocal/nodes//Default",
      "instigator": {
        "audit_token": {
          "auid": 501,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 40591,
          "uid": 0,
          "username": "root"
        },
        "executable": "/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost",
        "is_platform_binary": true,
        "parent_audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 1,
          "uid": 0,
          "username": "root"
        },
        "responsible_audit_token": {
          "auid": 501,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 40591,
          "uid": 0,
          "username": "root"
        },
        "session_id": 40591,
        "team_id": null,
        "timestamp": "2023-09-17T21:26:04.695Z",
        "tty": "unknown"
      },
      "node_name": "/Local/Default",
      "record_name": "administrator",
      "record_type": "Users"
    },
    "event": "authentication",
    "success": true,
    "type": "od"
  },
  "timestamp": "2023-09-17T21:26:04.716Z"
}
TouchID event
{
  "log": {
    "data": {
      "has_uid": true,
      "instigator": {
        "audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 534,
          "uid": 0,
          "username": "root"
        },
        "executable": "/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd",
        "is_platform_binary": true,
        "parent_audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 1,
          "uid": 0,
          "username": "root"
        },
        "responsible_audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 534,
          "uid": 0,
          "username": "root"
        },
        "session_id": 534,
        "team_id": null,
        "timestamp": "2023-04-28T17:26:10.683Z",
        "tty": "unknown"
      },
      "mode": "verification",
      "uid": 501
    },
    "event": "authentication",
    "success": true,
    "type": "touchID"
  },
  "timestamp": "2023-05-01T20:08:51.192Z"
}
Token event
{
  "log": {
    "data": {
      "instigator": {
        "audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 534,
          "uid": 0,
          "username": "root"
        },
        "executable": "/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd",
        "is_platform_binary": true,
        "parent_audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 1,
          "uid": 0,
          "username": "root"
        },
        "responsible_audit_token": {
          "auid": 4294967295,
          "egid": 0,
          "euid": 0,
          "gid": 0,
          "group": "wheel",
          "pid": 534,
          "uid": 0,
          "username": "root"
        },
        "session_id": 534,
        "team_id": null,
        "timestamp": "2023-04-28T17:26:10.683Z",
        "tty": "unknown"
      },
      "pubkey_hash": "a6a5f64a4a6a89a7",
      "token_id": "123",
      "kerberos_principal": "administrator"
    },
    "event": "authentication",
    "success": true,
    "type": "token"
  },
  "timestamp": "2023-05-01T20:08:51.192Z"
}
Auto Unlock event
{
  "log": {
    "data": {
      "type": "machine_unlock_by_apple_watch",
      "username": "administrator"
    },
    "event": "authentication",
    "success": false,
    "type": "aurhorized_by_apple_watch"
  },
  "timestamp": "2023-05-02T20:22:15.702Z"
}
Screensharing 
Attach 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
auth_type - string 
Type of authentication.
auth_username - string 
VNC login username.
event - string 
screensharing_attach
existing_session - string 
True if there was an existing user session.
graphical_session_id - Int 
Graphical session id of the screen shared.
session_username - string 
Username of the loginwindow session.
source_address - string 
Source address of connection.
source_address_type - string 
ipv4 or ipv6
success - bool 
If the connection was successful.
viewer_apple_id - string 
For screen sharing initiated using an Apple ID (e.g., from Messages or FaceTime), this is the viewer's (client's) Apple ID.
Detach 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
screensharing_detach
graphical_session_id - Int 
Graphical session id of the screen shared.
source_address - string 
Source address of connection.
source_address_type - string 
ipv4 or ipv6
viewer_apple_id - string 
For screen sharing initiated using an Apple ID (e.g., from Messages or FaceTime), this is the viewer's (client's) Apple ID.
Example Screensharing payloads 
Attach
{
  "log": {
    "auth_type": "DH",
    "auth_username": "administrator",
    "event": "screensharing_attach",
    "existing_session": true,
    "graphical_session_id": 257,
    "session_username": "administrator",
    "source_address": "192.168.1.161",
    "source_address_type": "ipv4",
    "success": true,
    "viewer_apple_id": ""
  },
  "timestamp": "2023-09-20T21:13:22.055Z"
}
Detach
{
  "log": {
    "event": "screensharing_detach",
    "graphical_session_id": 257,
    "source_address": "192.168.1.161",
    "source_address_type": "ipv4",
    "viewer_apple_id": ""
  },
  "timestamp": "2023-09-20T21:13:31.537Z"
}
SSH 
login 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
openssh_login
has_uid - bool 
Describes whether or not the uid of the user logged in is available.
result_type - string 
Result type for the login attempt.
source_address - string 
Source address of connection.
source_address_type - string 
ipv4 or ipv6
success - bool 
True if login was successful.
uid - Int 
uid of user that was logged in.
username - String 
Username used for login.
logout 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
openssh_logout
source_address - string 
Source address of connection.
source_address_type - string 
ipv4 or ipv6
uid - Int 
uid of user that was logged in.
username - String 
Username used for login.
Example SSH payloads 
openssh login
{
  "log": {
    "event": "openssh_login",
    "has_uid": true,
    "result_type": "auth_fail_public_key",
    "source_address": "::1",
    "source_address_type": "ipv6",
    "success": false,
    "uid": 501,
    "username": "administrator"
  },
  "timestamp": "2023-03-29T21:15:35.745Z"
}
openssh logout
{
  "log": {
    "event": "openssh_logout",
    "source_address": "::1",
    "source_address_type": "ipv6",
    "uid": 501,
    "username": "administrator"
  },
  "timestamp": "2023-03-29T21:15:35.745Z"
}
/usr/bin/login 
login 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
login
has_uid - bool 
Describes whether or not the uid of the user logged in is available.
uid - Int 
uid of user that was logged in.
success - bool 
Whether the authentication event was successful.
username - String 
Username used for login.
failure_message - String 
The reason the login failed.
logout 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
logout
uid - Int 
uid of user that was logged in.
username - String 
Username used for login.
Example /usr/bin/login payloads 
Login
{
  "log": {
    "event": "login",
    "failure_message": "",
    "has_uid": true,
    "success": true,
    "uid": 501,
    "username": "administrator"
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
logout
{
  "log": {
    "event": "logout",
    "uid": 501,
    "username": "administrator"
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
su 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
Always su for su events.
success - bool 
Whether su event was successful.
failure_message - string 
If success was false, failure message contains the reason.
from_uid - Int 
The uid of the user who initiated the su.
from_username - string 
If success was true, the user name that is going to be substituted.
has_to_uid - Int 
If success was true, describes whether or not the to_uid is interpretable.
to_uid - Int 
If success was true, the user ID that is going to be substituted.
to_username - string 
If success was true, the user name that is going to be substituted.
shell - string 
If success was true, the shell that is going to be executed.
args - string array 
If success was true, the arguments that are passed to the shell.
env - string array 
If success was true, the list of environment variables that are going to be substituted.
Example su payloads 
su event
{
  "log": {
    "event": "su",
    "success": true,
    "failure_message": "",
    "from_uid": 501,
    "from_username": "administrator",
    "has_to_uid": true,
    "to_uid": 1,
    "to_username": "root",
    "shell": "bash",
    "args": [],
    "env": []
  },
  "timestamp": "2023-09-17T21:26:04.716Z"
}
sudo 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
Always sudo for sudo events.
success - bool 
Whether sudo event was successful.
reject_info - string 
If success was false, reject info contains the reason.
from_uid - Int 
The uid of the user who initiated the sudo.
from_username - string 
If success was true, the user name that is going to be substituted.
has_from_uid - Int 
If success was true, describes whether or not the from_uid is interpretable.
has_to_uid - Int 
If success was true, describes whether or not the to_uid is interpretable.
to_uid - Int 
If success was true, the user ID that is going to be substituted.
to_username - string 
If success was true, the user name that is going to be substituted.
command - string 
The command to be run.
Example sudo payloads 
sudo event
{
  "log": {
    "event": "sudo",
    "success": true,
    "reject_info": "",
    "from_uid": 501,
    "from_username": "administrator",
    "has_to_uid": true,
    "has_from_uid": true,
    "to_uid": 1,
    "to_username": "root",
    "command": "date"
  },
  "timestamp": "2023-09-17T21:26:04.716Z"
}
LoginWindow 
login 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
lw_session_login
username - string 
The user logged in via Login Window (Desktop login GUI).
graphical_user_id - string 
Graphical session id of the session.
logout 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
lw_session_logout
username - string 
The user logged in via Login Window (Desktop login GUI).
graphical_user_id - string 
Graphical session id of the session.
lock 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
lw_session_lock
username - string 
The user logged in via Login Window (Desktop login GUI).
graphical_user_id - string 
Graphical session id of the session.
unlock 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
lw_session_unlock
username - string 
The user logged in via Login Window (Desktop login GUI).
graphical_user_id - string 
Graphical session id of the session.
Example LoginWindow payloads 
lw_session_login
{
  "log": {
    "event": "lw_session_login",
    "username": "administrator",
    "graphical_user_id": 15
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
lw_session_logout
{
  "log": {
    "event": "lw_session_logout",
    "username": "administrator",
    "graphical_user_id": 15
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
lw_session_lock
{
  "log": {
    "event": "lw_session_lock",
    "username": "administrator",
    "graphical_user_id": 15
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
lw_session_unlock
{
  "log": {
    "event": "lw_session_unlock",
    "username": "administrator",
    "graphical_user_id": 15
  },
  "timestamp": "2023-03-29T21:16:08.869Z"
}
Mount 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
mount
f_bavail - Int 
Free blocks avail to non-superuser.
f_bfree - Int 
Free blocks in fs.
f_blocks - Int 
Total data blocks in file system.
f_bsize - Int 
Fundamental file system block size.
f_ffree - Int 
Free file nodes in fs.
f_files - Int 
Total file nodes in file system.
f_flags - Int 
Copy of mount exported flags.
f_flags_ext - Int 
Extended flag.
f_fsid - Int 
File system id.
f_fssubtype - Int 
Fs sub-type.
f_fstypename - String 
Fs type name.
f_iosize - Int 
Optimal transfer block size.
f_mntfromname - String 
Mounted filesystem.
f_mntonname - String 
Directory on which mounted.
f_owner - Int 
User that mounted the filesystem.
f_type - Int 
Type of filesystem.
Unmount 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
unmount
f_bavail - Int 
Free blocks avail to non-superuser.
f_bfree - Int 
Free blocks in fs.
f_blocks - Int 
Total data blocks in file system.
f_bsize - Int 
Fundamental file system block size.
f_ffree - Int 
Free file nodes in fs.
f_files - Int 
Total file nodes in file system.
f_flags - Int 
Copy of mount exported flags.
f_flags_ext - Int 
Extended flag.
f_fsid - Int 
File system id.
f_fssubtype - Int 
Fs sub-type.
f_fstypename - String 
Fs type name.
f_iosize - Int 
Optimal transfer block size.
f_mntfromname - String 
Mounted filesystem.
f_mntonname - String 
Directory on which mounted.
f_owner - Int 
User that mounted the filesystem.
f_type - Int 
Type of filesystem.
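A triage sketch for the mount and unmount fields described above, added here as an example (it is not logga's own code): it decodes f_flags with bit values from macOS <sys/mount.h> and pairs mount with unmount for volumes flagged removable. The one-JSON-object-per-line input, the function names, and the unmount timestamp in the sample are assumptions.

```python
import json
from datetime import datetime

# Bit values from macOS <sys/mount.h>; only the bits useful for triage are named.
MNT_FLAGS = {0x1: "rdonly", 0x4: "noexec", 0x8: "nosuid", 0x10: "nodev",
             0x200: "removable", 0x400: "quarantine", 0x1000: "local",
             0x100000: "dontbrowse", 0x200000: "ignore_ownership"}

def decode_flags(f_flags):
    """Names of the known bits set in f_flags, plus any unnamed remainder as hex."""
    names = [name for bit, name in sorted(MNT_FLAGS.items()) if f_flags & bit]
    rest = f_flags & ~sum(MNT_FLAGS)
    return names + ([hex(rest)] if rest else [])

def removable_sessions(lines):
    """Pair mount and unmount events of removable volumes by (f_fsid, f_mntonname)."""
    sessions, open_by_key = [], {}
    for line in lines:
        rec = json.loads(line)
        log = rec["log"]
        if log.get("event") not in ("mount", "unmount") or not log["f_flags"] & 0x200:
            continue  # other event types, or volumes not flagged removable
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        key = (log["f_fsid"], log["f_mntonname"])
        if log["event"] == "mount":
            open_by_key[key] = {"volume": log["f_mntonname"],
                                "device": log["f_mntfromname"],
                                "flags": decode_flags(log["f_flags"]),
                                "exec_allowed": not log["f_flags"] & 0x4,
                                "mounted": ts, "seconds": None}
            sessions.append(open_by_key[key])
        elif key in open_by_key:
            session = open_by_key.pop(key)
            session["seconds"] = (ts - session["mounted"]).total_seconds()
    return sessions

# Constructed sample: field values follow the page's mount payload, trimmed to the
# fields read here; the unmount timestamp is made up so that it follows the mount.
_VOLUME = {"f_flags": 2101784, "f_fsid": "1677722830", "f_fstypename": "exfat",
           "f_mntfromname": "/dev/disk2s2", "f_mntonname": "/Volumes/pendrive"}
SAMPLE = [
    json.dumps({"timestamp": "2023-12-19T22:31:08.653Z", "log": {"event": "mount", **_VOLUME}}),
    json.dumps({"timestamp": "2023-12-19T22:31:08.653Z",
                "log": {"event": "kextload", "identifier": "com.apple.filesystems.exfat"}}),
    json.dumps({"timestamp": "2023-12-19T22:35:10.153Z", "log": {"event": "unmount", **_VOLUME}}),
]

if __name__ == "__main__":
    for session in removable_sessions(SAMPLE):
        print(session)
```

A session whose seconds value is still None had no matching unmount in the input, which is worth checking against a later LoginWindow logout or the end of the log.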
Example mount payloads 
mount event
{
  "log": {
    "event": "mount",
    "f_bavail": 375960,
    "f_bfree": 375960,
    "f_blocks": 467752,
    "f_bsize": 131072,
    "f_ffree": 0,
    "f_files": 0,
    "f_flags": 2101784,
    "f_flags_ext": 0,
    "f_fsid": "1677722830",
    "f_fstypename": "exfat",
    "f_iosize": 131072,
    "f_mntfromname": "/dev/disk2s2",
    "f_mntonname": "/Volumes/pendrive",
    "f_owner": 0,
    "f_type": 30
  },
  "timestamp": "2023-12-19T22:31:08.653Z"
}
unmount event
{
  "log": {
    "event": "unmount",
    "f_bavail": 375958,
    "f_bfree": 375958,
    "f_blocks": 467752,
    "f_bsize": 131072,
    "f_ffree": 375958,
    "f_files": 467752,
    "f_flags": 2101784,
    "f_flags_ext": 0,
    "f_fsid": "1677722830",
    "f_fstypename": "exfat",
    "f_iosize": 131072,
    "f_mntfromname": "/dev/disk2s2",
    "f_mntonname": "/Volumes/pendrive",
    "f_owner": 0,
    "f_type": 30
  },
  "timestamp": "2023-12-19T22:29:03.821Z"
}
Kextload 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
kextload
identifier - string 
The signing identifier of the kext being loaded.
Kextunload 
timestamp - string 
Event timestamp.
log - object 
Parent key wrapping the log payload.
event - string 
kextunload
identifier - string 
The signing identifier of the kext being unloaded.
Example kext payloads 
kextload event
{
  "log": {
    "event": "kextload",
    "identifier": "com.apple.filesystems.exfat"
  },
  "timestamp": "2023-12-19T22:31:08.653Z"
}
kextunload event
{
  "log": {
    "event": "kextunload",
    "identifier": "com.apple.filesystems.exfat"
  },
  "timestamp": "2023-12-19T22:31:08.653Z"
}
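
The SSH and screensharing schemas above both carry source_address and success but name the account differently (username and auth_username), so one detection can cover both. The following is an added example, not part of logga: it flags a successful remote login that follows a burst of failures from the same source. It assumes one JSON object per line in time order; the function names, threshold and window are illustrative.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Key holding the account name for each remote-login event, per the schemas above.
REMOTE_USER_KEY = {"openssh_login": "username", "screensharing_attach": "auth_username"}

def failures_then_success(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source address logs in after >= threshold recent failed attempts."""
    recent = defaultdict(deque)  # source_address -> timestamps of recent failures
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
            log = rec["log"]
            user = log[REMOTE_USER_KEY[log["event"]]]
            src, success = log["source_address"], log["success"]
            # Timestamps look like 2023-03-29T21:15:35.745Z; %z accepts the trailing Z.
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (ValueError, KeyError, TypeError):
            continue  # malformed line, or an event type this check does not cover
        fails = recent[src]
        while fails and ts - fails[0] > window:
            fails.popleft()  # forget failures that fell out of the window
        if not success:
            fails.append(ts)
        elif len(fails) >= threshold:
            alerts.append({"source": src, "user": user,
                           "failed_before": len(fails), "at": rec["timestamp"]})
            fails.clear()
    return alerts

def _remote(event, ts, src, ok):
    # Builds a constructed record carrying only the fields this check reads.
    return json.dumps({"timestamp": ts, "log": {"event": event, "source_address": src,
                       "success": ok, REMOTE_USER_KEY[event]: "administrator"}})

# Constructed sample (not real telemetry), in time order; addresses are documentation ranges.
SAMPLE = [
    _remote("openssh_login", "2023-03-29T21:15:30.100Z", "192.0.2.10", False),
    _remote("openssh_login", "2023-03-29T21:15:31.200Z", "192.0.2.10", False),
    _remote("screensharing_attach", "2023-03-29T21:15:33.000Z", "192.0.2.10", False),
    _remote("openssh_login", "2023-03-29T21:15:35.745Z", "192.0.2.10", True),
    _remote("openssh_login", "2023-03-29T21:20:00.000Z", "198.51.100.7", True),
    '{"log": {"event": "lw_session_lock", "username": "administrator", '
    '"graphical_user_id": 15}, "timestamp": "2023-03-29T21:21:00.000Z"}',
    "truncated {",
]

if __name__ == "__main__":
    for alert in failures_then_success(SAMPLE):
        print(alert)
```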