json
log format
logga persists JSON audit logs in the format shown below.
good to know
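Please note that forward slashes in paths are escaped as `\/`. This is valid JSON and a JSON parser decodes it back to `/`, but a plain-text search over the raw log file has to match the escaped form. If you would like an option to disable escaping slashes, please open an issue.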
raw
Persisted JSON lines are newline-separated. This is how a JSON log line appears in the log file.
json
{"log":{"args":["date","+%s"],"audit_token":{"auid":501,"egid":20,"euid":501,"gid":20,"group":"staff","pid":43278,"uid":501,"username":"administrator"},"command":"\/bin\/date","env":["SHELL=\/bin\/zsh","TMPDIR=\/var\/folders\/3l\/dy2p5b3j4zvbdcwx93pdt0mc0000gn\/T\/","USER=administrator","COMMAND_MODE=unix2003","SSH_AUTH_SOCK=\/private\/tmp\/com.apple.launchd.I9GRYMOb0k\/Listeners","__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0","PATH=\/usr\/bin:\/bin:\/usr\/sbin:\/sbin","LaunchInstanceID=ECB8B003-B5B6-4E39-8A95-F81ACAB4A1CB","__CFBundleIdentifier=com.apple.ScriptEditor.id.touchbar-deflicker","PWD=\/","XPC_FLAGS=0x0","XPC_SERVICE_NAME=application.com.apple.ScriptEditor.id.touchbar-deflicker.37030534.37030542","SHLVL=1","HOME=\/Users\/administrator","LOGNAME=administrator","SECURITYSESSIONID=186a5","_=\/bin\/date"],"parent_audit_token":{"auid":501,"egid":20,"euid":501,"gid":20,"group":"staff","pid":933,"uid":501,"username":"administrator"},"responsible_audit_token":{"auid":501,"egid":20,"euid":501,"gid":20,"group":"staff","pid":933,"uid":501,"username":"administrator"},"tty":"unknown"},"timestamp":"2023-09-17T21:32:56.695Z"}
prettified
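This prettified example only illustrates what a JSON log line looks like and which fields it stores. It is not an exact rendering of the raw line above (for example, it also shows the `exec_path`, `script` and `cwd` fields). Note that `env` records the process's environment variables, so log files can contain secrets passed through the environment and should be access-restricted accordingly.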
json
{
"log": {
"args": [
"date",
"+%s"
],
"audit_token": {
"auid": 501,
"egid": 20,
"euid": 501,
"gid": 20,
"group": "staff",
"pid": 43278,
"uid": 501,
"username": "administrator"
},
"command": "/bin/date",
"exec_path": "/bin/date",
"script": "/bin",
"cwd": "/Users/administrator",
"env": [
"SHELL=\/bin\/zsh","TMPDIR=\/var\/folders\/3l\/dy2p5b3j4zvbdcwx93pdt0mc0000gn\/T\/",
"USER=administrator",
"COMMAND_MODE=unix2003",
"SSH_AUTH_SOCK=\/private\/tmp\/com.apple.launchd.I9GRYMOb0k\/Listeners",
"__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0",
"PATH=\/usr\/bin:\/bin:\/usr\/sbin:\/sbin",
"LaunchInstanceID=ECB8B003-B5B7-4E39-8A95-F81ACAB4A1CB",
"PWD=\/",
"XPC_FLAGS=0x0",
"SHLVL=1",
"HOME=\/Users\/administrator",
"LOGNAME=administrator",
"SECURITYSESSIONID=186a5a",
"_=\/bin\/date"
],
"parent_audit_token": {
"auid": 501,
"egid": 20,
"euid": 501,
"gid": 20,
"group": "staff",
"pid": 933,
"uid": 501,
"username": "administrator"
},
"responsible_audit_token": {
"auid": 501,
"egid": 20,
"euid": 501,
"gid": 20,
"group": "staff",
"pid": 933,
"uid": 501,
"username": "administrator"
},
"tty": "unknown"
},
"timestamp": "2023-09-17T21:32:56.695Z"
}