Sudo Logs

macOS sudo are the log files associated with sudo execution. Sudo ("super user do" or "substitute user") is used to run programs with elevated privileges.

macOS sudo logs are stored in the Unified Log files. The log entries show evidence of commands executed with elevated privileges

Other Parsers:

None

References:

TOML Collection

[output]
name = "sudologs_collection"
directory = "./tmp"
format = "json"
compress = false
endpoint_id = "abdc"
collection_id = 1
output = "local"
timeline = false

[[artifacts]]
artifact_name = "sudologs-macos"
[artifacts.sudologs_macos]
# Optional
# logarchive_path = ""

Collection Options

logarchive_path Path to a logarchive formatted directory. This configuration is optional

Output Structure

An array of UnifiedLog entries associated with sudo activity

TOML Collection​

Collection Options​

Output Structure​

TOML Collection

Collection Options

Output Structure