Hi, is it somehow possible to query the /var/log/s...
# macosl
Leon Schulze
09/16/2021, 1:44 PMHi, is it somehow possible to query the /var/log/system.log and search for a specific term in it? I cannot find a corresponding table to do so :(
a
allister
09/16/2021, 1:47 PMthis is from quite a while ago but is what you're kindof asking about? https://medium.com/airbnb-engineering/introducing-syslog-to-aws-kinesis-via-osquery-da4fc19de5ce
✅ 1
allister
09/16/2021, 1:51 PMyou may not actually get any interesting results since Apple moved away from asl in general
Copy code
osquery> select time, level, facility, message from asl limit 10;
+------------+-------+--------------------------+-----------------------------+
| time | level | facility | message |
+------------+-------+--------------------------+-----------------------------+
| 1626854240 | 5 | com.apple.system.utmpx | BOOT_TIME 1626854240 341979 |
| 1626854506 | 5 | com.apple.system.lastlog | USER_PROCESS: 588 console |
| 1626856884 | 5 | com.apple.system.lastlog | USER_PROCESS: 4401 ttys000 |
| 1627188165 | 5 | com.apple.system.utmpx | DEAD_PROCESS: 588 console |
| 1627188166 | 5 | com.apple.system.utmpx | DEAD_PROCESS: 4401 ttys000 |
| 1627188175 | 5 | com.apple.system.utmpx | DEAD_PROCESS: 59449 console |
| 1627188196 | 5 | com.apple.system.lastlog | USER_PROCESS: 59521 console |
| 1627188200 | 5 | com.apple.system.lastlog | USER_PROCESS: 59680 ttys000 |
| 1627188574 | 5 | com.apple.system.utmpx | DEAD_PROCESS: 59680 ttys000 |
| 1627188576 | 5 | com.apple.system.utmpx | DEAD_PROCESS: 59521 console |
+------------+-------+--------------------------+-----------------------------+l
Leon Schulze
09/16/2021, 1:54 PMI’ll give it a try! thank you so much!
👍 1
Leon Schulze
09/16/2021, 2:29 PMcan confirm, that it’s still working for the use-case I needed log insights to. I owe you @allister 🙏🏼
a
allister
09/16/2021, 2:30 PMno one's more surprised than me when I'm helpful, that's great news, thanks!
5 Views