
Privilege Management Capture Config for macOS

Set up audit logs

Starting in version 23.1, audit log rotation is introduced to avoid large audit log files.

When the defendpointd process starts, it creates a new log configuration file, com.beyondtrust.audit.conf, containing the settings /var/log/defendpoint/audit.log 644 5 10000 * JN, but only when /etc/newsyslog.conf has no configuration for the audit.log file and com.beyondtrust.audit.conf does not already exist.

If com.beyondtrust.audit.conf contains the settings above, newsyslog checks every 30 minutes and rotates audit.log when it is larger than 10000 kilobytes (roughly 10 megabytes), keeping up to 6 archived files.

The archive naming convention is as follows:

Each archive starts with the audit.log file name, followed by an index number (0 is the newest archive and 5 the oldest) and the extension .bz2, which indicates bzip2 compression:

  • audit.log.0.bz2
  • audit.log.1.bz2
  • audit.log.2.bz2
  • audit.log.3.bz2
  • audit.log.4.bz2
  • audit.log.5.bz2

If you are using the CaptureConfig utility, only the first two files are retrieved (audit.log and audit.log.0.bz2).

To set up audit logging:

  1. When Endpoint Privilege Management for Mac is installed, it checks whether the following path and file are present. If they are not, it creates them: /var/log/defendpoint/audit.log

  2. This file cannot be edited during output. If this file is deleted, Endpoint Privilege Management for Mac recreates it dynamically. If the folder structure is deleted, Endpoint Privilege Management for Mac recreates it when the endpoint is restarted.

  3. To view the log file, run the following command in Terminal. By default, Standard users are not permitted to run this sudo command. You must configure a policy to allow this.

    sudo cat /var/log/defendpoint/audit.log

    Optionally, you can use the CaptureConfig utility. Please contact BeyondTrust Technical Support to get a copy.

  4. The log file is maintained by the core macOS service newsyslog. The newsyslog.conf file, located at /etc/newsyslog.conf, lists the log files that newsyslog manages and their associated settings, and is maintained by macOS itself.

Note

This part of the setup must be done by a user who can write to this location or by using a mobile device management (MDM) solution.

  1. In the newsyslog.conf file, each entry is a line whose fields correspond to the following column headers:

    • logfilename
    • mode
    • count
    • size
    • when
    • flags
  2. To have newsyslog maintain the audit.log file, you must populate the logfilename, mode, count, size and/or when, and flags fields in the newsyslog.conf file.

    • logfilename: Path and filename
    • mode: File mode, that is, the POSIX file permissions that set read/write access for each user type
    • count: Number of archived files to keep (the index starts from 0)
    • size: Threshold for log size in KB
    • when: Time-based rotation threshold. For example, a new log every day at a given time, or every month
    • flags: Instructions for processing the archived (turned-over) file. For the audit log this is most likely JN or ZN

    An example of a line in the newsyslog.conf for Endpoint Privilege Management for Mac:

    /var/log/defendpoint/audit.log 644 5 1000 * JN
    

    This indicates that:

    • The filename is audit.log
    • It can be viewed by all user types but can only be edited by the root user
    • It has an archive count of 5 (6 archived files, not including the current log)
    • It has a threshold of 1 MB (1000 KB) for turn-over/archiving
    • It doesn't have a date turn-over
    • For archiving, files are compressed into a bzip2 file

    Note

    The threshold relies on the newsyslog service. This service is "low" priority in macOS and only reads the .conf file approximately every 30 minutes. Using the example line above, the log can grow beyond 1 MB before the service next reads newsyslog.conf, because the size is a threshold that triggers rotation rather than a fixed size for each archived file.

  3. After you apply the change to newsyslog.conf by adding the audit.log line to it, run sudo newsyslog -nv in Terminal to see the state of the logging, when the next roll-over is due, and whether there are any syntax issues.

View unified logging

Unified logging stores log messages in memory or in a data store. Unified logging is available in macOS 10.12 and later and supersedes Apple System Logger (ASL).

Prior to macOS 10.12, log messages were written to specific disk locations.

View logs in the Console application or the log command line tool.

To view the debug logs of a process on the endpoint:

  1. Open the Console app. By default, debug and info messages are not displayed. You can select an event in the main window to view the logs for it.
  2. Click Now in the top left of the toolbar to see new messages in real time.
  3. Select Actions > Include Info Messages and Actions > Include Debug Messages to add these to the log.
  4. Using the search bar on the top-right, you can enter the name of a process that you want to filter on. For example, defendpointd for Endpoint Privilege Management for Mac or PMCAdapter for EPM Adapter log messages.
  5. You can further manipulate the filter from the search bar or by right-clicking on the process and selecting an additional filter option.

Note

For more information about unified logging, see Logging.

Obtain debug logs from the endpoint

Unified logging does not store info or debug strings on the hard disk. They are only displayed while the Console application is open.

You must use the log config command to create plist files for each Endpoint Privilege Management for Mac daemon and change the logging level. These plists are created in the /Library/Preferences/Logging directory.

Note

You can also get debug logs from the endpoint using the CaptureConfig utility. Please contact BeyondTrust Technical Support to obtain it.

  1. To create plists and change the logging level for the Endpoint Privilege Management for Mac daemons, run the following commands in the terminal:
    sudo log config --subsystem com.avecto.defendpointd --mode persist:debug
    sudo log config --subsystem com.avecto.custodian --mode persist:debug
    sudo log config --subsystem com.avecto.dppolicyserverd --mode persist:debug
    sudo log config --subsystem com.avecto.Defendpoint --mode persist:debug
    
  2. Once these commands have been run, you have two options:
    • Obtain a centralized log you can send to BeyondTrust Technical Support. This is the recommended approach.

Important

Ideally, you collect the logs into a central log archive using the following command; however, this collects logs from every process on the endpoint, not just the Endpoint Privilege Management for Mac processes.

sudo log collect --last <num><m/h/d>

Replace <num> with an integer and append m for minutes, h for hours, or d for days, depending on how long it took to replicate the issue. This produces a .logarchive file in the current user's directory.

  • Alternatively, you can create a log for each Endpoint Privilege Management for Mac daemon by using the following commands. This process writes one log file per daemon in the user's Documents directory; the files can be edited or moved as required. Because the information is split across multiple files, this is not the recommended approach, but it can be used when the first approach is not viable.

    log show --predicate 'subsystem == "com.avecto.custodian"' --style json --debug --last 1h > ~/Documents/Custodian.logarchive
    log show --predicate 'subsystem == "com.avecto.defendpointd"' --style json --debug --last 1h > ~/Documents/defendpointd.logarchive
    log show --predicate 'subsystem == "com.avecto.dppolicyserverd"' --style json --debug --last 1h > ~/Documents/dppolicyserverd.logarchive
    log show --predicate 'subsystem == "com.avecto.Defendpoint"' --style json --debug --last 1h > ~/Documents/Defendpoint.logarchive

Apply anonymous logging to events

By default, Endpoint Privilege Management for Mac includes user-specific and computer-specific information in all audit events. You can prevent your Application Rules from logging this information for events associated with those rules by setting the Raise an Event option to On (Anonymous) on each rule.

You can also set whether user or computer information is kept anonymous for audit events that are not associated with a rule, such as events raised for having an invalid license.

To enable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>true</string>

To disable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>false</string>

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.