Skip to content

The Eclectic Light Company

Macs, painting, and more
Main navigation
  • Downloads
  • Mac problems
  • Art
  • Macs
  • Painting
  • General
  • Life
hoakley August 12, 2017 Macs, Technology

Logging in and out in Sierra’s log

There are only two ways to browse Sierra’s unified log during logging in and logging out: you can capture a logarchive using the command log in Terminal, or using Consolation (free from Downloads above). Apple’s Console utility is only useful if you have already captured a logarchive from the command line. In my case, I saved a logarchive using Consolation, and browsed that archive in the same app.

All log entries are for Sierra 10.12.6 running on an iMac17,1. Earlier versions of Sierra may well differ in log entries.

Predicates and filters

Two useful predicates to have ready when looking at these activities are:
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
which picks up messages from AccountPolicyHelper, which handles parts of authentication but surprisingly doesn’t yet have its own subsystem, and
subsystem == "com.apple.securityd"
which looks at a large chunk of security-related entries, and will almost invariably need refining with a filter.

Although you may want to develop your own more refined filter terms, the following are a good start:
authentication
authenticationallowed
verify password
login.keychain-db:
and the short usernames for that Mac. login.keychain-db: (including the end colon) is useful because it picks up attempts to open the login keychain for any user.

Logging out

There aren’t many clear signposts to the processes involved in logging out, other than a long succession of systems being exited and connections being severed. If you have Objective-See’s What’s Your Sign, it makes a distinctive entry, following which there are other signs of this phase completing:
WhatsYourSign Foundation tearing down extension context
opendirectoryd opendirectoryd Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
com.apple.useractivity main useractivityd useractivityd Removing client <private>, application [pid=396/397 uid=501/501 gid=20/20 asid=100008 sb=YES], from known userActivityClients.
opendirectoryd opendirectoryd ODNodeRelease completed
opendirectoryd opendirectoryd disconnect module connection
opendirectoryd opendirectoryd ODNodeRelease completed
opendirectoryd opendirectoryd Client: <private>, UID: 0, EUID: 0, GID: 0, EGID: 0
loginwindow loginwindow Login Window point of no return
com.apple.sharing AutoUnlock loginwindow Sharing Dynamic store enabled state {
501 = 0;
}

In among the messages you may find
loginwindow loginwindow -[LogoutUtilities terminateApp:] | ERROR | Application terminate returned 1

And later, the more puzzling logout entries
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.43.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).
opendirectoryd opendirectoryd Verify password result: 5000
opendirectoryd opendirectoryd ODRecordVerifyPassword failed with error 'Invalid credentials' (5000)
sessionlogoutd loginsupport sessionlogoutd Launched
which record the logout with an error 5000, which means the Open Directory credentials were invalid!

As everything else is packing up and going home, the new login window is started up:
loginwindow loginwindow Login Window Application Started

Logging in

Even when the login window is displayed, waiting for you to enter your password, the log is not quiet. Eventually you’ll come across a pair of entries like
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.60.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).
opendirectoryd opendirectoryd ODRecordAuthenticationAllowed completed
which mark the login point.

But they are not done yet: this is repeated several times a little later:
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.63.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).
opendirectoryd opendirectoryd Verify password result: 0

You may also see failures, such as
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.66.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).
opendirectoryd opendirectoryd Verify password result: 5000
opendirectoryd opendirectoryd ODRecordVerifyPassword failed with error 'Invalid credentials' (5000)

loginlog2

Eventually, the login window reports:
SecurityAgent loginsupport Login Window login proceeding

Later,
loginwindow loginwindow Login Window - Returned from Security Agent

A clear sign is changing status for user ID 501, as in
apsd CoreDaemon <APSSystemUser: 0x7f81cfe52340>: Changing status for uid 501 from logged out to logged in

Finally, the login keychain is opened (again, multiple times):
com.apple.securityd atomicfile loginwindow Security 0x61000007bd40 opened /Users/hoakley/Library/Keychains/login.keychain-db: 1572200 bytes
com.apple.securityd KCLogin loginwindow Security SecKeychainLogin result: 0, password was supplied

From then on, you can watch macOS starting up the very many user activities.

Fast user switching

Landmark log entries when you change user by means of fast switching, rather than logging out and in again, are broadly similar. A good overview is obtained from using the predicate
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
although because this switches between users, you will then see entries referring to both the previous and the next users, such as:
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.72.2) AuthenticationAllowed completed: record "tester", result: Success (0).
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.73.2) PasswordChangeAllowed completed: record "tester", result: Success (0).
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.74.2) PasswordChangeAllowed completed: record "hoakley", result: Success (0).
com.apple.AccountPolicyHelper com.apple.AccountPolicyHelper (115.75.2) AuthenticationAllowed completed: record "hoakley", result: Success (0).

You will then find it helpful to apply filters based on the user names.

As with logout and login, simply applying the predicate
subsystem == "com.apple.securityd"
will return a large number of entries, but filtering them with login.keychain-db: quickly shows login keychain activity.

AccountPolicyHelper serials

Apply the predicate
processImagePath CONTAINS[c] "com.apple.AccountPolicyHelper"
and you should notice a striking and potentially very useful feature: messages from AccountPolicyHelper start with a serial number, of the form
(115.123.2)
where the middle number, here 123, increments with each new message from AccountPolicyHelper. I do not know whether the first and third numbers change, or why they might change, but this serial number appears a good way of establishing that the log has not been tampered with, and the sequence of those entries irrespective of their timestamps.

loginlog1

If you have discovered anything further which is of use from these processes, please let us know in a comment below.

Share this:

  • Twitter
  • Facebook
  • Reddit
  • Pinterest
  • Email
  • Print

Like this:

Like Loading...

Related

Posted in Macs, Technology and tagged AccountPolicyHelper, Consolation, keychain, log, log in, logs, macOS, security, securityd, Sierra. Bookmark the permalink.

6Comments

Add yours
  1. 1
    Kevin T on May 3, 2018 at 5:56 pm

    Question for you on all of this. This looks fantastic as I’m trying to figure out a way to use a script to capture when a user fails to authenticate 5 times in a row indicating an account lockout. I don’t seem to have any of the events that you have listed here. Do you know if this guide is still applicable to Mac OS High Sierra 10.13.3 or 10.13.4? The only authentication events that I can find that seem to be related say “0DErrorCredentialsInvalid”. I can’t find any with errors (5000). The frustrating thing is the seemingly random number of events generated here. I mistyped my password (as a test) 4 times and I get 7 messages that I indicated above. Any ideas? Thanks so much!

    LikeLiked by 1 person

    • 2
      hoakley on May 3, 2018 at 6:04 pm

      I haven’t yet looked at recent versions of High Sierra in this respect.
      Unfortunately, Apple doesn’t see the unified log as a tool for any security tools, such as yours. This makes it very hard to write them, and when you do, you’ll find that the next update changes all the messages which your tool has relied on.
      The strategy that I use for looking at events like this is to time them carefully, then using Consolation 3 capture all log entries for around 5 seconds before and 25 seconds after the event time. You can then use the app’s own filtering to look for specific message content, if there are a lot of log entries to view. That saves having to keep re-running the log show command within it, and is much quicker.
      I wish you success,
      Howard.

      LikeLike

      • 3
        ktwingstrom on May 3, 2018 at 7:17 pm

        So this is to say that these types of events that you found above are only logged if you use Consolation to specifically capture them? I had thought that I can use the log show command to show default logs already collected by the OS. Is it neccesary to use Consolation? I haven’t look at it before. I’m basically just setting a –start and –end flag to limit my log show command to about 60 seconds at a time and to ensure I search across all logs I don’t use any other switches I’m just passing it to | grep. So one search I’ve been trying is:

        log show –last 60s –style syslog | grep -i ‘opendiretoryd.*(PlistFile)’

        LikeLike

      • 4
        hoakley on May 3, 2018 at 7:38 pm

        No: Consolation calls the log show command to get its log extracts (there is no alternative). However, log show is often slow to return results. Consolation 3 has a feature which filters the log entries it has already obtained using log show. You can even use regex filters for them if you want. The results are almost instantaneous, so much quicker than each time working out a new log show command with its predicate and then waiting for it to return its results.
        Not only that, but log show has limited output formats – syslog and and its new default are the only human-readable options. Consolation can work directly on JSON output, which gives you much greater flexibility in formatting the display, etc.
        I have a lot of articles here about getting the best out of the unified log, including using Consolation and Woodpile. Even when you’re skilled at building predicates, log show is a very crude and slow way to explore the unified log.
        Howard.

        LikeLike

      • 5
        ktwingstrom on May 3, 2018 at 8:09 pm

        Yes I have read most of the articles you have about logging, very helpful! FWIW I have been able to use what you wrote before to find what I thought was a reliable way to detect a violation of the max auth attempts policy we employ where I work, but once we rolled it out to our fleet of Macs we started getting some false positives so I’m looking for a new way. Thanks for your help with all of this, I believe the reason for the change is we’ve gone from Sierra to High Sierra. Seems using the unified log is not a super reliable method for this, I’m looking at other options.

        LikeLiked by 1 person

      • 6
        hoakley on May 3, 2018 at 8:12 pm

        Have you looked at OpenBSM? It’s not perfect by any means, but what a lot of corporate users rely on, I gather.
        Howard.

        LikeLike

·Comments are closed.

Quick Links

  • Downloads
  • Mac problem-solving
  • Extended attributes (xattrs)
  • Painting topics
  • Painting
  • Life
  • Language

Search

Monthly archives

  • December 2019 (18)
  • November 2019 (74)
  • October 2019 (89)
  • September 2019 (80)
  • August 2019 (91)
  • July 2019 (95)
  • June 2019 (88)
  • May 2019 (91)
  • April 2019 (79)
  • March 2019 (78)
  • February 2019 (71)
  • January 2019 (69)
  • December 2018 (79)
  • November 2018 (71)
  • October 2018 (78)
  • September 2018 (76)
  • August 2018 (78)
  • July 2018 (76)
  • June 2018 (77)
  • May 2018 (71)
  • April 2018 (67)
  • March 2018 (73)
  • February 2018 (67)
  • January 2018 (83)
  • December 2017 (94)
  • November 2017 (73)
  • October 2017 (86)
  • September 2017 (92)
  • August 2017 (69)
  • July 2017 (81)
  • June 2017 (76)
  • May 2017 (90)
  • April 2017 (76)
  • March 2017 (79)
  • February 2017 (65)
  • January 2017 (76)
  • December 2016 (75)
  • November 2016 (68)
  • October 2016 (76)
  • September 2016 (78)
  • August 2016 (70)
  • July 2016 (74)
  • June 2016 (66)
  • May 2016 (71)
  • April 2016 (67)
  • March 2016 (71)
  • February 2016 (68)
  • January 2016 (90)
  • December 2015 (96)
  • November 2015 (103)
  • October 2015 (119)
  • September 2015 (115)
  • August 2015 (117)
  • July 2015 (117)
  • June 2015 (105)
  • May 2015 (111)
  • April 2015 (119)
  • March 2015 (69)
  • February 2015 (54)
  • January 2015 (39)

Tags

Adobe APFS Apple AppleScript App Store backup Blake bug bugs Catalina Consolation Console Cézanne diagnosis Disk Utility Eastgate El Capitan extended attributes Finder firmware Flash Gatekeeper Gérôme High Sierra history history of painting iCloud Impressionism iOS landscape LockRattler log logs Mac macOS macOS 10.12 macOS 10.13 macOS 10.14 macOS 10.15 malware Metamorphoses Mojave Monet Moreau MRT myth narrative naturalism OS X OS X 10.11 Ovid painting PDF Pissarro Post-impressionism Poussin privacy realism Rubens Sargent scripting security Sierra Storyspace Swift symbolism Time Machine Turner update upgrade van Gogh vulnerability xattr Xcode XProtect

Statistics

  • 3,921,347 hits
Blog at WordPress.com.
Footer navigation
  • About & Contact
  • Macs
  • Painting
  • Language
  • Tech
  • Life
  • General
  • Downloads
  • Mac problem-solving
  • Extended attributes (xattrs)
  • xattr
  • Painting topics
  • Hieronymus Bosch
  • English language
  • LockRattler: 10.12 Sierra
  • LockRattler: 10.13 High Sierra
  • LockRattler: 10.11 El Capitan
  • Updates: El Capitan
  • Updates: Sierra, High Sierra, Mojave, Catalina
  • LockRattler: 10.14 Mojave
  • SilentKnight, silnite, LockRattler, SystHist & Scrub
  • DelightEd & Podofyllin
  • xattred, Sandstrip & xattr tools
  • 32-bitCheck & ArchiChect
  • Consolation, T2M2 and log utilities
  • Cirrus & Bailiff
  • Taccy, Signet, Precize, Alifix, UTIutility, alisma
  • Revisionist & DeepTools
  • Text Utilities: Nalaprop, Dystextia and others
  • PDF
  • Keychains & Permissions
  • LockRattler: 10.15 Catalina
  • Updates
Secondary navigation
  • Search

Post navigation

Degas’ Circle: Mary Cassatt, 2 Painter and print-maker
Danseuses: 1 Largely innocent

Begin typing your search above and press return to search. Press Esc to cancel.

Cancel
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
%d bloggers like this: