10ccee9e4c
* Add more Conf references, EnableSysxCache key, etc * Updated link (even though previous config profile explainer link redirects accordingly) to profile spec. * Added brief explanation of TCC/PPPC and made reference to the non-setting example MDM mobileconfig files in the repo * Add sysext log stream example, update wording * Pointed at events and configuration pages for details about logging * New troubleshooting section * Standardized on asterisks for page link markup in the TOC index page
1.3 KiB
parent
| parent |
|---|
| Details |
Logs
Separately from the events a sync server may receive in (close to)
real-time, with metadata that is helpful for maintaining rules, Santa logs to
/var/db/santa/santa.log by default (configurable with the EventLogPath
key). All detected executions and disk mount operations are logged there.
File operations (when needed for functionality otherwise referred to as "file
integrity monitoring") can also be configured to be logged. See the
FileChangesRegex key in the configuration.md document.
To view the logs:
tail -F /var/db/santa/santa.log
The -F will continue watching the path even when the current file fills up and
rolls over.
macOS Unified Logging System (ULS)
For information more specific to Santa's health and operation, logs are also
present in ULS. Using the show command you can view Santa-specific logs in
flight, including messages related to the system extension:
/usr/bin/log show --info --debug --predicate 'senderImagePath CONTAINS[c] "santa"'
For those still using the kernel extension, you could use a more specific command:
/usr/bin/log show --info --debug --predicate 'senderImagePath == "/Library/Extensions/santa-driver.kext/Contents/MacOS/santa-driver"'