logind
Overview
Evidence: Logind
Description: Filter user login events
Category: System
Platform: macos
Short Name: lgnd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The logind process on macOS manages user login sessions and authentication events. It handles local and remote login attempts, session creation, and user credential validation. These events are critical for tracking user access to the system.
Data Collected
This collector gathers structured data about logind.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract logind process events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType='Logind'.
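The pipeline described above, as an added sketch that is not the collector's own code: it parses `log show` JSON output and loads it into a `unified_logs` table tagged with PredicateType='Logind'. The predicate string, the column names other than PredicateType, and the sample entries are assumptions made for illustration.

```python
import json
import sqlite3
import subprocess

# Assumed command: the page names the tool, the 3-day window and JSON
# output, but not the exact predicate the collector uses.
LOG_CMD = ["log", "show", "--last", "3d", "--style", "json",
           "--predicate", 'process == "logind"']

# Constructed sample of `log show --style json` output (not real log data).
SAMPLE_JSON = '''[
 {"timestamp": "2024-05-01 09:14:02.118234-0700", "processImagePath": "/System/Library/CoreServices/logind", "processID": 143, "messageType": "Default", "eventMessage": "constructed: session created"},
 {"timestamp": "2024-05-01 09:14:02.120001-0700", "processImagePath": "/usr/sbin/sshd", "processID": 912, "messageType": "Default", "eventMessage": "constructed: unrelated process"},
 {"timestamp": "2024-05-02 18:40:11.000517-0700", "processImagePath": "/System/Library/CoreServices/logind", "processID": 143, "messageType": "Error", "eventMessage": "constructed: session teardown failed"}
]'''

def parse_logind(raw):
    """Return one tuple per logind entry, tagged with PredicateType 'Logind'."""
    rows = []
    for entry in json.loads(raw):
        # Re-check the process name so a loose predicate cannot mislabel rows.
        if entry.get("processImagePath", "").rsplit("/", 1)[-1] != "logind":
            continue
        rows.append((entry.get("timestamp"), entry.get("processID"),
                     entry.get("messageType"), entry.get("eventMessage"), "Logind"))
    return rows

def store(rows, db=":memory:"):
    """Insert parsed rows into unified_logs (column names are assumed)."""
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE IF NOT EXISTS unified_logs (Timestamp TEXT, "
                "ProcessID INTEGER, MessageType TEXT, EventMessage TEXT, "
                "PredicateType TEXT)")
    con.executemany("INSERT INTO unified_logs VALUES (?,?,?,?,?)", rows)
    con.commit()
    return con

def collect(raw=None):
    """Parse and store; with no argument, run the log command (macOS only)."""
    if raw is None:
        raw = subprocess.run(LOG_CMD, capture_output=True, text=True,
                             check=True).stdout
    return store(parse_logind(raw))

if __name__ == "__main__":
    con = collect(SAMPLE_JSON)
    query = ("SELECT Timestamp, MessageType, EventMessage FROM unified_logs "
             "WHERE PredicateType='Logind' ORDER BY Timestamp")
    for row in con.execute(query):
        print(row)
```

Calling collect() with no argument on a Mac runs the command itself; reading the full unified log may require elevated privileges.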
Forensic Value
Logind events are essential for investigating unauthorized access attempts, credential abuse, session hijacking, and establishing user activity timelines. They reveal login times, authentication methods, failed attempts, and session details crucial for incident response and user access auditing.

