Logging of access to admin user rights on macOS

by Heiso   Last Updated October 17, 2018 10:12 AM

My question is an extension to the old question within this link. Could someone tell me how I can log messages like this in syslogd or something similar into a file on macOS 10.12, 10.13 and 10.14?

That's the command for failed authentication I'm using: log show --predicate '(eventMessage CONTAINS "Authentication failed")' --style syslog --last 1d

That's the result for the command:

2018-10-17 10:33:23.188301+0200  localhost opendirectoryd[78]: (PlistFile) [com.apple.opendirectoryd:auth] Authentication failed for <private> with ODErrorCredentialsInvalid

That's the command for successful authentication I'm using: log show --predicate '(eventMessage CONTAINS "AuthenticationAllowed")' --style syslog --last 1d

That's the result for the command:

2018-10-17 10:56:11.977875+0200  localhost opendirectoryd[78]:(AccountPolicy) [com.apple.AccountPolicy:Framework]AuthenticationAllowed: Evaluation result for record "<private>",record type "<private>": Success

Also, I wasn't able to find out how I can make the non-private logging for the command persistent. Here is the command: sudo log config --mode "private_data:on"

I have edited syslogd with this code, but it's not including the messages I mentioned earlier in my message.

auth.*                          /var/log/test/authlog

Here is some background on why I want to do this: we need to log the successful and failed login attempts, also for administration changes, to a file on our MacBooks.

Thanks for your help!
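
An added example, not part of the original post: a Python filter that reads the `log show --style syslog` output quoted above on stdin and appends one tab-separated record per failed or allowed authentication to a file. The script name `auth_filter.py`, the record layout and the rule that only the literal result "Success" counts as a success are assumptions; the account field stays `<private>` for as long as the log itself redacts it.

```python
import re
import sys

# Header of one `log show --style syslog` line: timestamp, host, process[pid]:, message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+'
    r'(?P<host>\S+)\s+(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$')
# Message shapes taken from the two result lines quoted in the post.
FAILED_RE = re.compile(r'Authentication failed for (?P<who>\S+) with (?P<err>\S+)')
ALLOWED_RE = re.compile(
    r'AuthenticationAllowed: Evaluation result for record "(?P<who>[^"]*)".*: (?P<res>\w+)$')

# Sample input: the two result lines from the post.
SAMPLE = [
    '2018-10-17 10:33:23.188301+0200  localhost opendirectoryd[78]: (PlistFile) '
    '[com.apple.opendirectoryd:auth] Authentication failed for <private> '
    'with ODErrorCredentialsInvalid\n',
    '2018-10-17 10:56:11.977875+0200  localhost opendirectoryd[78]:(AccountPolicy) '
    '[com.apple.AccountPolicy:Framework]AuthenticationAllowed: Evaluation result '
    'for record "<private>",record type "<private>": Success\n',
]

def parse_line(line):
    """Return a dict for an authentication event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # column header or continuation line
    rec = {"time": m["ts"], "process": "%s[%s]" % (m["proc"], m["pid"])}
    failed = FAILED_RE.search(m["msg"])
    if failed:
        rec.update(outcome="failure", account=failed["who"], detail=failed["err"])
        return rec
    allowed = ALLOWED_RE.search(m["msg"])
    if allowed:
        # Assumption: only the literal result "Success" is counted as a success.
        outcome = "success" if allowed["res"] == "Success" else "unknown"
        rec.update(outcome=outcome, account=allowed["who"], detail=allowed["res"])
        return rec
    return None

def filter_stream(lines, out):
    """Write one record per authentication event; return counts per outcome."""
    counts = {}
    for rec in filter(None, map(parse_line, lines)):
        fields = ("time", "outcome", "account", "process", "detail")
        out.write("\t".join(rec[k] for k in fields) + "\n")
        counts[rec["outcome"]] = counts.get(rec["outcome"], 0) + 1
    return counts

if __name__ == "__main__":
    # Usage: <log show command from the post> | python3 auth_filter.py /var/log/test/authlog
    with open(sys.argv[1], "a") as out:
        print(filter_stream(sys.stdin, out))
```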

