Audit Log Levels
You control audit log verbosity by setting the Compliance Reporter audit log level that meets the needs of your organization. The following table describes what information is collected and reported in the Compliance Reporter audit logs at each log level. Each level is a superset of the one below it: raising the level adds event categories, and the highest level also disables any exclusions you have configured.
- Level 0—Suitable when you only want to monitor authentication events and administrative change events, such as a low-level kernel setting, firewall status, or user object being changed on a computer.
  Important: Level 0 does not meet the auditing requirements of security benchmarks.
- Level 1—Suitable for most computers.
- Level 2—Suitable for computers that regularly handle sensitive information.
- Level 3—Suitable for short-term use on computers traveling to high-risk security environments, or for remotely confirming whether a system is compromised. Because Level 3 logs all network traffic and ignores configured exclusions, expect a large volume of audit data.
Setting | Level 0 | Level 1 | Level 2 | Level 3³ |
---|---|---|---|---|
Login events | ✓ | ✓ | ✓ | ✓ |
Authorizations (all system events that determine whether an authenticated user or process has permission to perform an action) | ✓ | ✓ | ✓ | ✓ |
User and group creation or modification | ✓ | ✓ | ✓ | ✓ |
Hardware change events | | ✓ | ✓ | ✓ |
Other system operation events (mounting external or network drives; reboot, shutdown, and macOS updates) | | ✓ | ✓ | ✓ |
External drive and volume events | | ✓ | ✓ | ✓ |
Compliance Reporter tamper events | ✓ | ✓ | ✓ | ✓ |
Network and firewall changes | ✓ | ✓ | ✓ | ✓ |
System configuration file changes | ✓ | ✓ | ✓ | ✓ |
Application process executions (app execution and any security actions an app performs) | | ✓ | ✓ | ✓ |
Terminal and shell script actions (commands executed by root, an administrator, or an impersonated user, and root or administrator shell script commands) | | ✓ | ✓ | ✓¹ |
Processes listening for network connections (all connections from outside computers)² | | ✓ | ✓ | ✓ |
Gatekeeper evaluations and overrides | | ✓ | ✓ | ✓ |
XProtect evaluations and updates | | ✓ | ✓ | ✓ |
Incoming network connections | | | ✓ | ✓ |
Outgoing user network connections | | | ✓ | ✓ |
System-level outgoing network connections | | | ✓ | ✓ |
File events on external drives (includes the following file events by default, but is overridden by the …) | | | | ✓ |
All network traffic | | | | ✓ |
File event monitoring custom paths | | ✓ | ✓ | ✓ |
Application Exclusions | ✓ | ✓ | ✓ | |
User Exclusions | ✓ | ✓ | ✓ | |

¹ Includes all commands and shell script history, regardless of the user or permission level.
² localhost is ignored.
³ At Level 3, all configured user and process drop filters are ignored and all events are logged.