does osquery have a table for Mac OS `os_log()` lo...
# generall
Lawrence D'Anna
04/29/2020, 9:43 PMdoes osquery have a table for Mac OS
os_log()m
Mike Myers
05/04/2020, 9:15 PMI think that goes to the Unified Log System, so, no. Because reading from that would require an API (Apple provides none) or forking execution to call the Apple CLI utility (osquery design philosophy is to not fork or spawn other processes)
Mike Myers
05/04/2020, 9:16 PMMike Myers
05/04/2020, 9:16 PMBut we did create an osquery extension to read it https://github.com/trailofbits/osquery-extensions/tree/master/darwin_unified_log
l
Lawrence D'Anna
05/04/2020, 9:18 PMthanks 🙂
Lawrence D'Anna
05/04/2020, 9:22 PMOSLog.framework doesn’t have whats needed?
https://developer.apple.com/documentation/oslog
👌 1
m
Mike Myers
05/04/2020, 9:44 PMoh what's this, is this new? I see
macOS 10.15+l
Lawrence D'Anna
05/04/2020, 9:45 PMyea, first appeared in 10.15 i think
m
Mike Myers
05/04/2020, 9:48 PMI see the earliest examples I can find from around November 2019, that's cool, I will go update our issue on this. An osquery table is now possible in core. Although it looks like there might be an entitlement required, which means code-signing etc
5 Views