how can i find jamf logs in osquery. So we have a certain service which runs from a self help app and i want to monitor when it is started by a person. I see jamf logs it when it starts but i cant find the exact log for it in osquery. I see log in console.

There is the last_opened_time column in the apps table.

how would that give me jamf logs

I guess maybe I'm not understanding what are looking to do. Fleet isn't for reading logs

but osquery is right. I am trying to query from fleet to my osquery agent on mac to fetch jamf logs

There is a file read extension as part of the macadmins extension bundled with orbit. You might be able to use that

I've tried to hunt down an osquery extension that would give you access to those logs, but I'm coming up empty so far.

file_lines or unified_log might work

Are there other things that happen when that service runs? Does it have its own log file that it updates? Does it install a package? Is there something that might show up in

process_events

? A dedicated user account?

@Kathy Satterlee logs are seen in jamf.log file it runs a process called make me admin it does say installing but not sure if behind its just updating privs

Is this the utility?: https://github.com/jamf/MakeMeAnAdmin/blob/master/MakeMeAnAdmin.sh

Carving does give me file name but i guess i need to configure it to send it to s3 coz i dont see any option to read it direct in fleet.

Can you show me what that query looks like?

hey Kathy Many thanks i got the files. i was using different parameter but on debugging found this query works SELECT path FROM file WHERE path LIKE ‘%%/var/userToRemove/%%’;

Nice!!