Apple Audit Logs
Overview
Evidence: Apple Audit Logs
Description: Collect Apple Audit Logs
Category: System
Platform: macOS
Short Name: audl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers Apple audit log records from the macOS system. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.
Data Collected
This collector gathers structured data about Apple audit logs.
Audit Log Data

| Field | Description | Example |
|---|---|---|
| ID | Primary key (auto-increment) | 1 |
| AuditLogFile | Audit log file path | /private/var/audit/audit.log |
| Version | Audit version | 2 |
| Event | Audit event | execve |
| Modifier | Event modifier | 0 |
| Time | Event timestamp | 2023-10-15 14:30:25 |
| Msec | Milliseconds | 123 |
| AuditUID | Audit UID | 501 |
| UID | User ID | 501 |
| GID | Group ID | 20 |
| RUID | Real UID | 501 |
| RGID | Real GID | 20 |
| PID | Process ID | 1234 |
| SID | Session ID | 1234 |
| TID | Thread ID | 1234 |
| Errval | Error value | 0 |
| Retval | Return value | 0 |
| SignerType | Signer type | 1 |
| SigningID | Signing ID | com.apple.Safari |
| TeamID | Team ID | ABCD123456 |
| CDHash | Code directory hash | a1b2c3d4e5f6... |
| ExecArgs | Execution arguments | Safari --args |
| FullPath | Full path | /Applications/Safari.app/Contents/MacOS/Safari |
| Path | Path | /Applications/Safari.app/Contents/MacOS/Safari |
Collection Method
This collector parses the necessary data from the apple_audit_logs table.
Usage
This evidence is crucial for forensic investigations because it records system activity at the audit-event level: which process executed, under which user and session, with what arguments, and how it was code-signed. It helps investigators understand system activity, detect security incidents, and investigate system-related events. The data can reveal system changes, unauthorized activities, and potential security vulnerabilities. Analysts can use this information to identify system compromises, trace malicious activities, and assess system security posture.
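As an added illustration (not part of the collector's own code), the following Python triage pass works over rows in the schema above. It flags execve records whose effective UID differs from the login-time AuditUID, records with no SigningID (assuming the collector leaves the field empty for binaries without a signing identity), and failed execve attempts, and it groups rows by SID so a flagged record can be read in the context of its session. The rows are constructed sample data.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows using this page's column names. They are illustrative
# records written for this example, not output captured from the collector.
SAMPLE_ROWS = [
    {"ID": 1, "Event": "execve", "Time": "2023-10-15 14:30:25", "SID": 1234,
     "AuditUID": 501, "UID": 501, "Errval": 0, "Retval": 0,
     "SigningID": "com.apple.Safari", "TeamID": "ABCD123456",
     "FullPath": "/Applications/Safari.app/Contents/MacOS/Safari"},
    {"ID": 2, "Event": "execve", "Time": "2023-10-15 14:31:02", "SID": 1234,
     "AuditUID": 501, "UID": 0, "Errval": 0, "Retval": 0,
     "SigningID": "", "TeamID": "", "FullPath": "/private/tmp/updater"},
    {"ID": 3, "Event": "execve", "Time": "2023-10-15 14:31:05", "SID": 1234,
     "AuditUID": 501, "UID": 501, "Errval": 13, "Retval": -1,
     "SigningID": "", "TeamID": "", "FullPath": "/Users/alice/Downloads/helper"},
    {"ID": 4, "Event": "open", "Time": "2023-10-15 14:31:06", "SID": 1234,
     "AuditUID": 501, "UID": 501, "Errval": 0, "Retval": 3,
     "SigningID": "", "TeamID": "", "FullPath": "/etc/hosts"},
]


def triage(rows: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (ID, reason) pairs for execve rows that merit analyst attention."""
    findings: List[Tuple[int, str]] = []
    for r in rows:
        if r.get("Event") != "execve":
            continue  # only process-execution records are scored here
        # AuditUID is fixed at login; a different effective UID means the
        # process runs under a changed identity (e.g. after su/sudo).
        if r["AuditUID"] != r["UID"]:
            findings.append((r["ID"], f"uid {r['UID']} differs from audit uid {r['AuditUID']}"))
        # Assumption: the collector leaves SigningID empty when the binary
        # carries no code-signing identity.
        if not r.get("SigningID"):
            findings.append((r["ID"], "no SigningID (unsigned or unidentified binary)"))
        # A failed execve (non-zero Retval) still records what was attempted.
        if r.get("Retval", 0) != 0:
            findings.append((r["ID"], f"execve failed (Retval={r['Retval']}, Errval={r['Errval']})"))
    return findings


def session_timeline(rows: Iterable[dict]) -> Dict[int, List[Tuple[str, str, str]]]:
    """Group rows by audit session (SID), sorted by Time, to give flagged rows context."""
    sessions: Dict[int, List[Tuple[str, str, str]]] = {}
    for r in rows:
        sessions.setdefault(r["SID"], []).append((r["Time"], r["Event"], r["FullPath"]))
    for events in sessions.values():
        events.sort()
    return sessions


if __name__ == "__main__":
    for row_id, reason in triage(SAMPLE_ROWS):
        print(f"row {row_id}: {reason}")
```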
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.