Logging in and out in Sierra’s log

There are only two ways to browse Sierra’s unified log during logging in and logging out: you can capture a logarchive using the command log in Terminal, or using Consolation (free from Downloads above). Apple’s Console utility is only useful if you have already captured a logarchive from the command line. In my case, I saved a logarchive using Consolation, and browsed that archive in the same app.

All log entries are for Sierra 10.12.6 running on an iMac17,1. Earlier versions of Sierra may well differ in log entries.

Predicates and filters

Two useful predicates to have ready when looking at these activities are:
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
which picks up messages from AccountPolicyHelper, which handles parts of authentication but surprisingly doesn’t yet have its own subsystem, and
subsystem == "com.apple.securityd"
which looks at a large chunk of security-related entries, and will almost invariably need refining with a filter.

Although you may want to develop your own more refined filter terms, the following are a good start:
authentication authenticationallowed verify password login.keychain-db:
and the short usernames for that Mac. login.keychain-db: (including the end colon) is useful because it picks up attempts to open the login keychain for any user.

Logging out

There aren’t many clear signposts to the processes involved in logging out, other than a long succession of systems being exited and connections being severed. If you have Objective-See’s What’s Your Sign, it makes a distinctive entry, following which there are other signs of this phase completing:
WhatsYourSign Foundation tearing down extension context opendirectoryd opendirectoryd Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0 com.apple.useractivity main useractivityd useractivityd Removing client <private>, application [pid=396/397 uid=501/501 gid=20/20 asid=100008 sb=YES], from known userActivityClients. opendirectoryd opendirectoryd ODNodeRelease completed opendirectoryd opendirectoryd disconnect module connection opendirectoryd opendirectoryd ODNodeRelease completed opendirectoryd opendirectoryd Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0 loginwindow loginwindow Login Window point of no return com.apple.sharing AutoUnlock loginwindow Sharing Dynamic store enabled state { 501 = 0; }

In among the messages you may find
loginwindow loginwindow -[LogoutUtilities terminateApp:] | ERROR | Application terminate returned 1

And later, the more puzzling logout entries
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.43.2) AuthenticationAllowed completed: record "hoakley", result: Success (0). opendirectoryd opendirectoryd Verify password result: 5000 opendirectoryd opendirectoryd ODRecordVerifyPassword failed with error 'Invalid credentials' (5000) sessionlogoutd loginsupport sessionlogoutd Launched
which record the logout with an error 5000, which means the Open Directory credentials were invalid!

As everything else is packing up and going home, the new login window is started up:
loginwindow loginwindow Login Window Application Started

Logging in

Even when the login window is displayed, waiting for you to enter your password, the log is not quiet. Eventually you’ll come across a pair of entries like
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.60.2) AuthenticationAllowed completed: record "hoakley", result: Success (0). opendirectoryd opendirectoryd ODRecordAuthenticationAllowed completed
which mark the login point.

But they are not done yet: this is repeated several times a little later:
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.63.2) AuthenticationAllowed completed: record "hoakley", result: Success (0). opendirectoryd opendirectoryd Verify password result: 0

You may also see failures, such as
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.66.2) AuthenticationAllowed completed: record "hoakley", result: Success (0). opendirectoryd opendirectoryd Verify password result: 5000 opendirectoryd opendirectoryd ODRecordVerifyPassword failed with error 'Invalid credentials' (5000)

loginlog2

Eventually, the login window reports:
SecurityAgent loginsupport Login Window login proceeding

Later,
loginwindow loginwindow Login Window - Returned from Security Agent

A clear sign is changing status for user ID 501, as in
apsd CoreDaemon <APSSystemUser: 0x7f81cfe52340>: Changing status for uid 501 from logged out to logged in

Finally, the login keychain is opened (again, multiple times):
com.apple.securityd atomicfile loginwindow Security 0x61000007bd40 opened /Users/hoakley/Library/Keychains/login.keychain-db: 1572200 bytes com.apple.securityd KCLogin loginwindow Security SecKeychainLogin result: 0, password was supplied

From then on, you can watch macOS starting up the very many user activities.

Fast user switching

Landmark log entries when you change user by means of fast switching, rather than logging out and in again, are broadly similar. A good overview is obtained from using the predicate
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
although because this switches between users, you will then see entries referring to both the previous and the next users, such as:
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.72.2) AuthenticationAllowed completed: record "tester", result: Success (0). com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.73.2) PasswordChangeAllowed completed: record "tester", result: Success (0). com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.74.2) PasswordChangeAllowed completed: record "hoakley", result: Success (0). com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.75.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).

You will then find it helpful to apply filters based on the user names.

As with logout and login, simply applying the predicate
subsystem == "com.apple.securityd"
will return a large number of entries, but filtering them with login.keychain-db: quickly shows login keychain activity.

AccountPolicyHelper serials

Apply the predicate
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
and you should notice a striking and potentially very useful feature: messages from AccountPolicyHelper start with a serial number, of the form
(115.123.2)
where the middle number, here 123, increments with each new message from AccountPolicyHelper. I do not know whether the first and third numbers change, or why they might change, but this serial number appears a good way of establishing that the log has not been tampered with, and the sequence of those entries irrespective of their timestamps.

loginlog1

If you have discovered anything further which is of use from these processes, please let us know in a comment below.

6Comments

Add yours

1

Kevin T on May 3, 2018 at 5:56 pm

Question for you on all of this. This looks fantastic as I’m trying to figure out a way to use a script to capture when a user fails to authenticate 5 times in a row indicating an account lockout. I don’t seem to have any of the events that you have listed here. Do you know if this guide is still applicable to Mac OS High Sierra 10.13.3 or 10.13.4? The only authentication events that I can find that seem to be related say “0DErrorCredentialsInvalid”. I can’t find any with errors (5000). The frustrating thing is the seemingly random number of events generated here. I mistyped my password (as a test) 4 times and I get 7 messages that I indicated above. Any ideas? Thanks so much!

LikeLiked by 1 person
- 2
  
  hoakley on May 3, 2018 at 6:04 pm
  
  I haven’t yet looked at recent versions of High Sierra in this respect.
  Unfortunately, Apple doesn’t see the unified log as a tool for any security tools, such as yours. This makes it very hard to write them, and when you do, you’ll find that the next update changes all the messages which your tool has relied on.
  The strategy that I use for looking at events like this is to time them carefully, then using Consolation 3 capture all log entries for around 5 seconds before and 25 seconds after the event time. You can then use the app’s own filtering to look for specific message content, if there are a lot of log entries to view. That saves having to keep re-running the log show command within it, and is much quicker.
  I wish you success,
  Howard.
  
  LikeLike
  - 3
    
    ktwingstrom on May 3, 2018 at 7:17 pm
    
    So this is to say that these types of events that you found above are only logged if you use Consolation to specifically capture them? I had thought that I can use the log show command to show default logs already collected by the OS. Is it neccesary to use Consolation? I haven’t look at it before. I’m basically just setting a –start and –end flag to limit my log show command to about 60 seconds at a time and to ensure I search across all logs I don’t use any other switches I’m just passing it to | grep. So one search I’ve been trying is:
    
    log show –last 60s –style syslog | grep -i ‘opendiretoryd.*(PlistFile)’
    
    LikeLike
  - 4
    
    hoakley on May 3, 2018 at 7:38 pm
    
    No: Consolation calls the log show command to get its log extracts (there is no alternative). However, log show is often slow to return results. Consolation 3 has a feature which filters the log entries it has already obtained using log show. You can even use regex filters for them if you want. The results are almost instantaneous, so much quicker than each time working out a new log show command with its predicate and then waiting for it to return its results.
    Not only that, but log show has limited output formats – syslog and and its new default are the only human-readable options. Consolation can work directly on JSON output, which gives you much greater flexibility in formatting the display, etc.
    I have a lot of articles here about getting the best out of the unified log, including using Consolation and Woodpile. Even when you’re skilled at building predicates, log show is a very crude and slow way to explore the unified log.
    Howard.
    
    LikeLike
  - 5
    
    ktwingstrom on May 3, 2018 at 8:09 pm
    
    Yes I have read most of the articles you have about logging, very helpful! FWIW I have been able to use what you wrote before to find what I thought was a reliable way to detect a violation of the max auth attempts policy we employ where I work, but once we rolled it out to our fleet of Macs we started getting some false positives so I’m looking for a new way. Thanks for your help with all of this, I believe the reason for the change is we’ve gone from Sierra to High Sierra. Seems using the unified log is not a super reliable method for this, I’m looking at other options.
    
    LikeLiked by 1 person
  - 6
    
    hoakley on May 3, 2018 at 8:12 pm
    
    Have you looked at OpenBSM? It’s not perfect by any means, but what a lot of corporate users rely on, I gather.
    Howard.
    
    LikeLike

Share this:

Like this:

Related