Viewing macOS events live using Crescendo

If you’ve tried looking in the unified log, you may have got the impression that everything that’s anything gets recorded there. Sadly, that’s not true, not by a long way, and many important events pass either without entry, or their vital information is censored by <private> so you can’t make any sense of it.

Crescendo is a freeware app written by ‘Super Hacker’ Stephen Davis which listens in to a wide range of system events and records their details. As a complement to the unified log, it’s an essential tool for anyone wanting to see what’s going on inside macOS, apps, and other processes. It’s also open source and written in Swift, so could be used to develop your own more specialist tool, although that isn’t simple as I’ll explain later.

Crescendo is available from GitHub. To start with, download and install the release version, which Stephen has described in this article.

Acquiring event information means going low down in macOS, something which might previously have been accomplished using a kernel extension (KEXT). For Crescendo, Stephen has used Catalina’s new Endpoint Security Framework in a new System Extension (yes, a SEXT). Although this may be uncharted territory for you, this actually makes it a whole load easier, even though you do still need to perform a little setting up before it works.

Move the Crescendo app to your Applications folder, and open it, giving approval to Gatekeeper as normal. It will then probably open a window and sit waiting for you to do something. This is the time to open the Security & Privacy pane. Then, in Crescendo’s window, click on the Start button at the top left. This will trigger a series of alerts.


The first is the result of the app trying to load its SEXT, which requires user approval. Dismiss that alert, and switch in and out of the General tab of the Security & Privacy pane until the Allow button appears so that you can approve loading of its SEXT.



Another alert informs you that you also need to add the SEXT to the Full Disk Access list in the Privacy tab. Click on OK here, and switch to the Full Disk Access list, where Crescendo System Extension (not the Crescendo app itself) should now appear, waiting for you to tick its checkbox to enable it.


Once that’s done, it’s good practice – and may be necessary anyway – to quit Crescendo and open it again. Clicking on the Start button should now start collecting event entries in that window. If it doesn’t, step back through and check that the SEXT itself has Full Disk Access.


The front end in Crescendo does what it needs but, at present, lacks some refinements such as a resizeable window. You can display all events, or only those for files, processes or the network. You can show just those from unsigned processes, which might perhaps include malware, and you can exclude those from Apple’s processes.

Events are listed with a timestamp (in Mach ticks rather than a regular date and time), the class and type of event, user name, process ID, the normal name of the process, and its ID. Fuller details are shown in the bottom view, which will help you correlate an event with a log entry, for example. If you want to do that, you’ll need to use Ulbow or Consolation’s custom styles to display field 1, the machTimestamp, which should match exactly.

As an example, I launched my app SilentKnight, and watched the events step through the launch process, opening its preference settings, connecting with Apple’s software update servers, and the app performing its own signature checks. Although many of those steps are well covered in the unified log, they can be hard to trace there because of <private> censorship, which leaves you guessing what specific log entries refer to.

Stephen has generously provided Crescendo in full source, enabling you to use it as the basis for custom apps of your own. There are some snags, though: you’ll not only need to be able to sign the app and the SEXT within it, but you’ll also need a special entitlement from Apple to use the Endpoint Security Framework, and to notarize your product. So if you do want to use this source code as a basis for your own custom app, there are still plenty of hurdles to overcome.

Crescendo now sits next to Ulbow in my Dock. You’ll hear more in the future from the insights which it enables. Thank you, Stephen.