eslogger's --oslog option issue

I'm trying to log Endpoint Security events to os_log. I'd be grateful if someone could confirm that using the --oslog option with eslogger actually writes event data to the system log.

If I monitor with sudo eslogger exec fork exit I see events at the command line, yet if I add the --oslog option, I don't see those events when monitoring the log with sudo log stream --predicate 'subsystem == "com.apple.eslogger"'. Nor do I see them if I filter in the Console app on just the subsystem "com.apple.eslogger".

Have I missed out something with my work? Any help appreciated. Thanks.

This is working for me. Here’s what I did:

  1. On macOS 14.1.2, I enabled Full Disk Access for Terminal.

  2. I ran eslogger as you described.

  3. In another Terminal window, I started vim and then quit it. That generates event output in the eslogger window.

  4. I stopped eslogger.

  5. I ran Console.

  6. I pasted subsystem:com.apple.eslogger into the search field.

  7. I clicked “Start streaming”.

  8. Back in Terminal, I ran eslogger, this time adding --oslog.

  9. I repeated step 3.

  10. I see the log events in Console. For example:

    type: default
    time: 11:25:57.185273+0000
    process: eslogger
    subsystem: com.apple.eslogger
    category: events
    message: {…"fork"…}
    

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
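A shell helper, added here and not part of Quinn's post or of eslogger itself, that automates steps 8 to 10 from the command line and reports which ES event types actually reached the unified log. It assumes eslogger's JSON message keeps the event name as the key under "event" (as the {…"fork"…} message above suggests) and that `log show` in its default style prints `[subsystem:category]`; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: check whether `eslogger --oslog` output is reaching the
# unified log. The live part runs only on macOS, as root, with Full Disk
# Access granted to the terminal (see step 1 above).

ES_SUBSYSTEM="com.apple.eslogger"
ES_CATEGORY="events"

# Read `log show` output on stdin, keep only eslogger lines, and count them
# per ES event name. Assumes each message is JSON shaped like
# {"event":{"fork":{...}}} (assumption, not taken from Apple's docs).
# Output: one "<event> <count>" line per event name, sorted by name.
count_es_events() {
    grep -F "[$ES_SUBSYSTEM:$ES_CATEGORY]" \
    | grep -oE '"event":[{]"[a-z_]+"' \
    | sed -E 's/.*"event":[{]"([a-z_]+)"/\1/' \
    | sort | uniq -c \
    | awk '{ print $2, $1 }'
}

# Live check (macOS only): run eslogger with --oslog briefly, trigger one
# fork/exec/exit by running /usr/bin/true, then ask the unified log what
# arrived. An empty result means the --oslog path is not delivering events.
live_check() {
    sudo eslogger --oslog exec fork exit >/dev/null 2>&1 &
    pid=$!
    sleep 2
    /usr/bin/true
    sleep 2
    sudo kill "$pid" 2>/dev/null
    sudo log show --last 1m \
        --predicate "subsystem == \"$ES_SUBSYSTEM\"" | count_es_events
}

# Constructed sample in `log show` default style, for trying the parser
# offline (the last line is an unrelated subsystem and must be ignored).
SAMPLE_LOG='2024-01-10 11:25:57.185273+0000 0x1a3 Default 0x0 812 0 eslogger: [com.apple.eslogger:events] {"schema_version":1,"event":{"fork":{"child":{"pid":813}}}}
2024-01-10 11:25:57.190001+0000 0x1a3 Default 0x0 812 0 eslogger: [com.apple.eslogger:events] {"schema_version":1,"event":{"exec":{"target":{"executable":{"path":"/usr/bin/true"}}}}}
2024-01-10 11:25:57.195530+0000 0x1a3 Default 0x0 812 0 eslogger: [com.apple.eslogger:events] {"schema_version":1,"event":{"exit":{"stat":0}}}
2024-01-10 11:25:58.000000+0000 0x1a4 Default 0x0 1 0 launchd: [com.apple.launchd:process] unrelated line'

# Offline run on the constructed sample; call live_check on a real Mac.
printf '%s\n' "$SAMPLE_LOG" | count_es_events
```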

Hi Quinn

Thanks for the reply. I've gone through your steps twice and on both occasions as soon as I add the --oslog switch I get no ES output in the Console app.

I'm running macOS 14.2.1 (23C71)

I also ran the Console filtering for errors and faults while repeating your steps and nothing related to this appeared.

It's not a massive issue for me, but it does seem very bizarre that this does not work as expected.
