Log Collection

This page lists all available preferences for log collection in Compliance Reporter.

Log Collection Preference Keys

Domain: com.jamf.compliancereporter

Keys and descriptions:
UnifiedLogPredicates

Collects unified log entries at the default and info levels. Each string defines a search predicate that determines which unified log events are collected and transmitted to the SIEM. When defining search predicates, keep the following in mind:

  • You can define multiple searches in a string. It is recommended that you define no more than five searches per string, because more than five searches can degrade performance.

  • Special characters must be encoded as HTML entity names (for example, & is written as &amp;).

Note:

In macOS 10.14 or later, logs are streamed in real-time. In macOS 10.13 or earlier, unified logs are collected on an hourly basis.

<key>UnifiedLogPredicates</key>
<array>
  <string>(senderImagePath == "/usr/libexec/syspolicyd") &amp;&amp; ((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))</string>
  <string></string>
</array>
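The following is an added example, not code from Jamf or from this page: it serialises a list of predicate strings into the UnifiedLogPredicates plist fragment with Python's plistlib (which performs the & → &amp; encoding the note above requires), reads them back, and warns about empty strings and strings that exceed the five-search guidance. The "one search per comparison clause" rule and the operator list are assumptions about ordinary NSPredicate syntax, not a Compliance Reporter rule.

```python
import plistlib
import re

# Preference domain and key as documented for Compliance Reporter.
DOMAIN = "com.jamf.compliancereporter"
KEY = "UnifiedLogPredicates"
MAX_SEARCHES = 5  # documented guidance: more than five searches per string degrades performance

# Heuristic (assumption): every comparison clause counts as one "search".
# Quoted values are blanked first so operator words inside them are not counted.
_QUOTED = re.compile(r'"[^"]*"')
_COMPARISON = re.compile(r'(==|!=|\b(?:BEGINSWITH|ENDSWITH|CONTAINS|LIKE|MATCHES)\b)', re.IGNORECASE)


def count_searches(predicate: str) -> int:
    """Count comparison clauses in a predicate, ignoring quoted values."""
    return len(_COMPARISON.findall(_QUOTED.sub('""', predicate)))


def check_predicates(predicates) -> list:
    """Return warnings for predicates that violate the page's guidance; empty list means OK."""
    warnings = []
    for index, predicate in enumerate(predicates):
        if not predicate.strip():
            warnings.append(f"predicate {index}: empty string, no search defined")
        else:
            searches = count_searches(predicate)
            if searches > MAX_SEARCHES:
                warnings.append(f"predicate {index}: {searches} searches, more than {MAX_SEARCHES}")
    return warnings


def build_plist(predicates) -> bytes:
    """Serialise the key as plist XML; plistlib escapes &, < and > as entity names."""
    return plistlib.dumps({KEY: list(predicates)}, fmt=plistlib.FMT_XML)


def load_predicates(plist_bytes: bytes) -> list:
    """Round-trip: read the predicates back as the plain strings the log filter will see."""
    return list(plistlib.loads(plist_bytes).get(KEY, []))


# Constructed input: the Gatekeeper predicate quoted on the page, as plain text.
GATEKEEPER = ('(senderImagePath == "/usr/libexec/syspolicyd") && '
              '((formatString BEGINSWITH "GK") || (formatString LIKE "Gatekeeper"))')

if __name__ == "__main__":
    print(build_plist([GATEKEEPER]).decode())   # note the && rendered as &amp;&amp;
    print(check_predicates([GATEKEEPER, ""]))
```

Paste the printed `<key>`/`<array>` fragment into the configuration profile; if you hand-write the XML instead, run it through `load_predicates` to confirm the entities decode to the operators you intended.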
PlaintextLogCollectionPaths

Continuously collects and monitors single-line plain text log files. For example: /var/log/system.log or /var/log/install.log. A Compliance Reporter log event will be created for every line in the specified log file as well as any data appended after the initial collection. If the specified file does not exist, Compliance Reporter will only start logging the file contents once the file appears. Any file path is valid and does not need to be present at Compliance Reporter startup to work as intended.

<key>PlaintextLogCollectionPaths</key>
<array>
    <string>/var/log/jamf.log</string>
</array>
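To make the described collection behaviour concrete, here is an added example (not Compliance Reporter's code) of a collector that behaves the way the paragraph above specifies: one event per complete line, data appended after the first read is picked up on the next call, a file that does not yet exist yields no events and no error, and a truncated or rotated file is re-read from the start. The log file name and its lines are constructed for the demo.

```python
import os
import tempfile


def collect_new_lines(path, offset=0):
    """Return (events, new_offset) for whatever was appended to `path` since `offset`."""
    try:
        with open(path, "rb") as fh:
            size = os.fstat(fh.fileno()).st_size
            if size < offset:          # file was truncated or rotated: start over
                offset = 0
            fh.seek(offset)
            data = fh.read()
    except FileNotFoundError:          # documented case: file not present yet
        return [], offset
    last_newline = data.rfind(b"\n")
    if last_newline == -1:             # only a partial line so far; wait for the rest
        return [], offset
    complete = data[:last_newline + 1]
    events = [{"path": path, "message": line}
              for line in complete.decode("utf-8", errors="replace").splitlines()]
    return events, offset + len(complete)


def demo():
    """Exercise the documented cases against a constructed stand-in for /var/log/jamf.log."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "jamf.log")               # constructed path
        before, offset = collect_new_lines(path, 0)        # file does not exist yet
        with open(path, "ab") as fh:                       # constructed log lines
            fh.write(b"Mon Jan 01 00:00:00 mac jamf[100]: Checking for policies\n"
                     b"Mon Jan 01 00:00:01 mac jamf[100]: No policies\n"
                     b"Mon Jan 01 00:00:02 mac jamf[100]: Partial")
        first, offset = collect_new_lines(path, offset)
        with open(path, "ab") as fh:                       # writer finishes the line and adds one more
            fh.write(b" line\nMon Jan 01 00:00:03 mac jamf[100]: Done\n")
        second, offset = collect_new_lines(path, offset)
        return {
            "events_before_file_exists": len(before),
            "first_batch": [e["message"] for e in first],
            "second_batch": [e["message"] for e in second],
            "consumed_everything": offset == os.path.getsize(path),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Keeping the byte offset rather than a line count is what lets the collector resume after an interruption without re-emitting events; the partial-line hold-back keeps a half-written line from becoming two events.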

DisableFileMonitoringActivities

Disable file monitoring activities by Compliance Reporter. This setting is only recommended in environments that have more than one endpoint security solution or utility that performs a similar scan on Mac computers. This setting key is set to false by default.

<key>DisableFileMonitoringActivities</key>
<false/>

Enabling Private Data in Log Collection

To display private data, such as usernames and IP addresses, in logs, you must first sign and deploy a configuration profile using Jamf Pro. Jamf Pro is an enterprise mobility management software that administrators use to configure Compliance Reporter settings and deploy Compliance Reporter to target computers.

Download the private data enablement configuration profile and execute the following command in Terminal, substituting your signing certificate name and the paths of the unsigned and signed profiles for the three variables:
/usr/bin/security cms -S -Z "$SIGNING_CERTIFICATE" -i "$UNSIGNED_PROFILE_PATH" -o "$SIGNED_PROFILE_PATH"

The following is an example of a configuration profile configured to display private data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDisplayName</key>
                <string>ManagedClient logging</string>
                <key>PayloadEnabled</key>
                <true />
                <key>PayloadIdentifier</key>
                <string>com.apple.logging.ManagedClient.1</string>
                <key>PayloadType</key>
                <string>com.apple.system.logging</string>
                <key>PayloadUUID</key>
                <string>ED5DE307-A5FC-434F-AD88-187677F02222</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>System</key>
                <dict>
                    <key>Enable-Private-Data</key>
                    <true />
                </dict>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Enable Unified Log Private Data logging</string>
        <key>PayloadDisplayName</key>
        <string>Enable Unified Log Private Data</string>
        <key>PayloadIdentifier</key>
        <string>C510208B-AD6E-4121-A945-E397B61CACCF</string>
        <key>PayloadRemovalDisallowed</key>
        <false />
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>D30C25BD-E0C1-44C8-830A-964F27DAD4BA</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>
Compliance Reporter will now log private data. If you execute the following command in Terminal, no <private> entries should appear in the output:
log stream --predicate '(subsystem == "com.apple.AccountPolicy")'
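As an added example (not from Jamf or this page), the script below performs the two checks an administrator would want around this procedure: it validates that a profile plist actually carries a com.apple.system.logging payload with System/Enable-Private-Data set to true before it is signed and deployed, and it counts `<private>` placeholders in captured `log stream` output afterwards. The profile is rebuilt from the structure shown above with plistlib, and the log lines are constructed, not real `log stream` output.

```python
import plistlib

LOGGING_PAYLOAD_TYPE = "com.apple.system.logging"   # payload type used in the profile above


def make_profile(enable_private_data=True) -> bytes:
    """Constructed profile with the same structure and identifiers as the example above."""
    return plistlib.dumps({
        "PayloadContent": [{
            "PayloadDisplayName": "ManagedClient logging",
            "PayloadEnabled": True,
            "PayloadIdentifier": "com.apple.logging.ManagedClient.1",
            "PayloadType": LOGGING_PAYLOAD_TYPE,
            "PayloadUUID": "ED5DE307-A5FC-434F-AD88-187677F02222",
            "PayloadVersion": 1,
            "System": {"Enable-Private-Data": enable_private_data},
        }],
        "PayloadDescription": "Enable Unified Log Private Data logging",
        "PayloadDisplayName": "Enable Unified Log Private Data",
        "PayloadIdentifier": "C510208B-AD6E-4121-A945-E397B61CACCF",
        "PayloadRemovalDisallowed": False,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": "D30C25BD-E0C1-44C8-830A-964F27DAD4BA",
        "PayloadVersion": 1,
    })


def profile_problems(profile_bytes: bytes) -> list:
    """Return reasons the profile would not enable private data; an empty list means it looks right."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System (the example profile uses System)")
    logging_payloads = [p for p in profile.get("PayloadContent", [])
                        if p.get("PayloadType") == LOGGING_PAYLOAD_TYPE]
    if not logging_payloads:
        problems.append(f"no {LOGGING_PAYLOAD_TYPE} payload")
    for payload in logging_payloads:
        if payload.get("PayloadEnabled") is False:
            problems.append("logging payload is disabled")
        if payload.get("System", {}).get("Enable-Private-Data") is not True:
            problems.append("System/Enable-Private-Data is not true")
    return problems


def redacted_count(log_lines) -> int:
    """Count '<private>' placeholders in captured log output; 0 means private data is visible."""
    return sum(line.count("<private>") for line in log_lines)


# Constructed sample output, before and after the profile is applied (format is illustrative only).
BEFORE_PROFILE = [
    "09:00:00.000 opendirectoryd: (AccountPolicy) evaluating policy for user <private> from <private>",
    "09:00:01.000 opendirectoryd: (AccountPolicy) result: success",
]
AFTER_PROFILE = [
    "09:05:00.000 opendirectoryd: (AccountPolicy) evaluating policy for user jdoe from 192.0.2.10",
    "09:05:01.000 opendirectoryd: (AccountPolicy) result: success",
]

if __name__ == "__main__":
    print("profile OK" if not profile_problems(make_profile()) else profile_problems(make_profile()))
    print("broken profile:", profile_problems(make_profile(enable_private_data=False)))
    print("redacted before:", redacted_count(BEFORE_PROFILE), "after:", redacted_count(AFTER_PROFILE))
```

Run `profile_problems` on the unsigned .mobileconfig before the `security cms` step; after deployment, pipe a short `log stream` capture into `redacted_count` and expect zero. A non-zero count after deployment usually means the profile did not install at system scope on that Mac.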