Troubleshooting Unusually High Log Volume

High log volume may be caused by some applications checking the status of connections, configurations, or files by calling a single command multiple times per second. Typically, this is caused by security applications or applications that do not use the correct macOS APIs to retrieve information.

  1. Execute the following command to count and sort subject.process_name fields on the computer with the high log volume:
    tail -1000 /var/log/JamfComplianceReporter.log | egrep -o -e '"process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h
  2. Execute the following command to count and sort subject.responsible_process_name fields on the computer with the high log volume:
    tail -1000 /var/log/JamfComplianceReporter.log | egrep -o -e '"responsible_process_name":"([^"]+)'| cut -d'"' -f4 | sort | uniq -c | sort -h
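    The output of each command lists process names with their event counts, sorted in ascending order, so the applications generating the most log entries appear last. To reduce the log volume, add the applications you want to remove from the logs to the AuditEventExcludedProcess preference key and reload. Events from excluded processes no longer appear in the logs, so exclude only the processes these counts identify as the source of the volume.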
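
The two counts above can be wrapped in one helper that also shows each process's share of the sampled events, which helps decide what is worth adding to AuditEventExcludedProcess. This is an added example, not Jamf's code: the function names and the one-event-per-line JSON layout are assumptions, and the sample events and process names are constructed.

```shell
#!/bin/sh
# Added example (not Jamf's code). Assumes one JSON event per line, with the
# fields laid out the way the commands above expect.

# count_field FIELD [LOG] [LINES]: prints "count share% name", busiest last.
count_field() {
    field=$1
    log=${2:-/var/log/JamfComplianceReporter.log}
    lines=${3:-1000}
    tail -n "$lines" "$log" |
        grep -E -o "\"$field\":\"[^\"]+" |
        cut -d'"' -f4 |
        sort | uniq -c | sort -n |
        awk '{
                 n = $1                            # count produced by uniq -c
                 sub(/^[ \t]*[0-9]+[ \t]+/, "")    # remainder is the name
                 count[NR] = n; name[NR] = $0; total += n
             }
             END {
                 # NR is 0 when nothing matched, so no division happens
                 for (i = 1; i <= NR; i++)
                     printf "%6d %5.1f%% %s\n", count[i], 100 * count[i] / total, name[i]
             }'
}

# Constructed sample events; the process names are hypothetical.
make_sample() {
    cat > "$1" <<'EOF'
{"subject":{"process_name":"sh","responsible_process_name":"ExampleAgent"}}
{"subject":{"process_name":"sh","responsible_process_name":"ExampleAgent"}}
{"subject":{"process_name":"sh","responsible_process_name":"ExampleAgent"}}
{"subject":{"process_name":"Example Helper","responsible_process_name":"ExampleAgent"}}
{"subject":{"process_name":"mdworker_shared","responsible_process_name":"mds"}}
EOF
}

# Demo on the constructed sample; on a real computer call
# count_field process_name  (defaults to the log path used above).
sample=$(mktemp)
make_sample "$sample"
echo "process_name:";             count_field process_name "$sample"
echo "responsible_process_name:"; count_field responsible_process_name "$sample"
rm -f "$sample"
```

In the sample, `sh` dominates process_name but the responsible process is the hypothetical ExampleAgent, which is why both fields are worth checking before choosing what to exclude.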