03/02/2022, 8:35 PM
Tagging back on to @allister’s reply above to see if anyone else has any suggestions on getting opendirectoryd logs into ASL. New to Apple sys admin and Google not terribly helpful. I see opendirectoryd logs in Console under Devices, but I cannot find a specific log file that the daemon is generating to even add to the asl.conf. Looking to capture a log line such as this to then retrieve with osquery via the asl table.
Authentication failed for <private> with ODErrorCredentialsInvalid


03/03/2022, 12:51 AM
yeah continuing to leverage ASL for that seems like one of those things that COULD be 'deprecated forever but still working' but doable? I'd recommend looking at https://github.com/macadmins/osquery-extension/tree/main/tables/unifiedlog while https://github.com/osquery/osquery/pull/7259 is in flight