User profile for user: kadare
kadare Author
User level: Level 1
12 points

Apple unified Logs

Has any one worked with AUL

(Apple Unified Logs)

iPhone 14, iOS 17

Posted on Feb 10, 2024 1:57 PM

Reply
Question marked as Top-ranking reply
User profile for user: Tesserax
Tesserax
User level: Level 10
159,936 points

Posted on Feb 10, 2024 9:12 PM

If you do an Internet search on Apple Unified Logging, you will find dozens of articles both about what this is, and a number of techniques on how to parse them for the data you are looking for. The learning curve is a bit steep, but it is manageable. It depends on how much effort you want to spend.


If you are looking for a "quick" answer, that may be somewhat difficult as it will require that you perform a number of steps that you may not be familiar with, including entering commands in the Terminal app.


For example, if you enter the following command: 

log show --predicate 'eventMessage contains "SessionAgentNotificationCenter"'


You will get a listing of the following types of events:

  • Screen Lock/Unlock Status
  • User Logons
  • User Logoff
  • Restarts (w/UID)
  • Shutdown (w/UID)
  • Fast User Switching
  • Canceled Restart/Shutdown/Logoff


If you want to know how they logged in. That is via the password window, Touch ID, or by using an Apple Watch, then you would want to use this command:


log show --predicate 'eventMessage contains "LWScreenLockAuthentication" and (eventMessage contains "| Verifying" or eventMessage contains "| Using")'


What you would look for are the following events messages:


Regular Password: 

  • “Verifying using PAM configuration screensaver”


TouchID:

  • “Using localAuthentication hints”
  • “Using hint-provided username oompa”
  • “Verifying using PAM configuration screensaver_la”


Auto Unlock with Apple Watch:

  • “Using continuity hints”
  • “Using hint-provided username oompa”
  • “Verifying using PAM configuration screensaver_aks”


Ref: https://www.mac4n6.com/blog/2020/4/26/analysis-of-apple-unified-logs-quarantine-edition-entry-4-its-login-week

View in context

Similar questions

3 replies
Question marked as Top-ranking reply
User profile for user: Tesserax
Tesserax
User level: Level 10
159,936 points

Feb 10, 2024 9:12 PM in response to kadare

If you do an Internet search on Apple Unified Logging, you will find dozens of articles both about what this is, and a number of techniques on how to parse them for the data you are looking for. The learning curve is a bit steep, but it is manageable. It depends on how much effort you want to spend.


If you are looking for a "quick" answer, that may be somewhat difficult as it will require that you perform a number of steps that you may not be familiar with, including entering commands in the Terminal app.


For example, if you enter the following command: 

log show --predicate 'eventMessage contains "SessionAgentNotificationCenter"'


You will get a listing of the following types of events:

  • Screen Lock/Unlock Status
  • User Logons
  • User Logoff
  • Restarts (w/UID)
  • Shutdown (w/UID)
  • Fast User Switching
  • Canceled Restart/Shutdown/Logoff


If you want to know how they logged in. That is via the password window, Touch ID, or by using an Apple Watch, then you would want to use this command:


log show --predicate 'eventMessage contains "LWScreenLockAuthentication" and (eventMessage contains "| Verifying" or eventMessage contains "| Using")'


What you would look for are the following events messages:


Regular Password: 

  • “Verifying using PAM configuration screensaver”


TouchID:

  • “Using localAuthentication hints”
  • “Using hint-provided username oompa”
  • “Verifying using PAM configuration screensaver_la”


Auto Unlock with Apple Watch:

  • “Using continuity hints”
  • “Using hint-provided username oompa”
  • “Verifying using PAM configuration screensaver_aks”


Ref: https://www.mac4n6.com/blog/2020/4/26/analysis-of-apple-unified-logs-quarantine-edition-entry-4-its-login-week

Reply
User profile for user: Tesserax
Tesserax
User level: Level 10
159,936 points

Feb 10, 2024 2:11 PM in response to kadare

Sorry, but that is just not enough information in order for us to be able to assist you with a potential solution.



The only reasonable answer that can be provided, at this point, is "maybe." That is, what exactly are you needing to know , or need assistance with, the Apple Unified Logs?

Reply
User profile for user: kadare
kadare Author
User level: Level 1
12 points

Feb 10, 2024 3:18 PM in response to Tesserax

Tks for taking the time to respond.


i live in a tough neighborhood with a lot of crime. My Mac Air is always on when I lift the clamshell lid even though I know I logged off the night before, and hit the shutoff button, so that the machine was off for the night.


when I lift the clamshell lid on the Mac the next morning, I should see the Apple logo and the trademark white line moving across the screen, but no. What I see is my screensaver already up and running.


AUL can tell me, if I knew how to use them, the exact time of the most recent log on, and what tasks were performed by an intruder.


Tks for listening.


Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Apple unified Logs

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up