Logging of access to admin user rights on macOS

by Heiso   Last Updated October 17, 2018 10:12 AM

My question is an extension of the old question at this link. Could someone tell me how I can log messages like these with syslogd or something similar into a file on macOS 10.12, 10.13 and 10.14?

That's the command I'm using for failed authentication:

log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d

That's the result of the command:

2018-10-17 10:33:23.188301+0200  localhost opendirectoryd[78]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> with ODErrorCredentialsInvalid

That's the command I'm using for successful authentication:

log show --predicate '(eventMessage CONTAINS "AuthenticationAllowed")' --style syslog --last 1d

That's the result of the command:

2018-10-17 10:56:11.977875+0200  localhost opendirectoryd[78]:(AccountPolicy) [com.apple.AccountPolicy:Framework]AuthenticationAllowed: Evaluation result for record "<private>",record type "<private>": Success

Also, I wasn't able to find out how I can make the non-private logging for the command persistent. Here is the command:

sudo log config --mode "private_data:on"

I have edited syslogd with this code, but it's not including the messages I mentioned earlier in my message.

auth.*                          /var/log/test/authlog

Here is some background on why I want to do this: we need to log the successful and failed login attempts, also for administration changes, to a file on our MacBooks.

Thanks for your help!

Heiko
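
Added example, not part of the original post: a Python sketch that parses `log show --style syslog` lines like the two quoted in the question and appends each authentication event to a file. The function names, the output file name `authlog.txt` and the rule that only a result of "Success" counts as an allowed authentication are assumptions.

```python
import re
import sys
from collections import Counter

# The two log lines quoted in the post, copied verbatim (spacing included).
SAMPLE = (
    '2018-10-17 10:33:23.188301+0200  localhost opendirectoryd[78]: (PlistFile) '
    '[com.apple.opendirectoryd:auth] Authentication failed for <private> with '
    'ODErrorCredentialsInvalid\n'
    '2018-10-17 10:56:11.977875+0200  localhost opendirectoryd[78]:(AccountPolicy) '
    '[com.apple.AccountPolicy:Framework]AuthenticationAllowed: Evaluation result '
    'for record "<private>",record type "<private>": Success\n'
)

# timestamp, host, process[pid]:, optional (sender), optional [subsystem:category], message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d{4})\s+(?P<host>\S+)\s+'
    r'(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?:\((?P<sender>[^)]+)\)\s*)?'
    r'(?:\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\]\s*)?(?P<msg>.*)$'
)

def classify(msg):
    """Map a message to 'failure', 'success' or None (not an auth event)."""
    if "Authentication failed" in msg:
        return "failure"
    # Assumption: only the "Success" result seen in the post counts as allowed.
    if msg.startswith("AuthenticationAllowed") and msg.rstrip().endswith("Success"):
        return "success"
    return None

def parse_line(line):
    """Return a dict for an authentication event, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or classify(m.group("msg")) is None:
        return None
    rec = m.groupdict()
    rec["outcome"] = classify(rec["msg"])
    rec["redacted"] = "<private>" in rec["msg"]  # account name hidden by the log system
    return rec

def append_audit(lines, path):
    """Append one line per authentication event to path; return outcome counts."""
    records = [r for r in map(parse_line, lines) if r]
    with open(path, "a", encoding="utf-8") as fh:
        for r in records:
            fh.write("{ts} {outcome} {proc}[{pid}] {subsystem}:{category} "
                     "redacted={redacted} {msg}\n".format(**r))
    return Counter(r["outcome"] for r in records)

if __name__ == "__main__":
    # With "-" read `log show ... --style syslog` output from stdin, else use SAMPLE.
    source = sys.stdin if sys.argv[1:2] == ["-"] else SAMPLE.splitlines()
    print(dict(append_audit(source, "authlog.txt")))
```

The `redacted` field records whether the account name was still shown as `<private>`, so the audit file makes visible when private-data logging was not enabled at the time of the event.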


