This guide will help you understand local Mac logging and also how to send those logs to PolicyPak Cloud if desired.
Part 1: Understanding log files on the client
The PolicyPak logs are located in /Library/Application Support/PolicyPak/Logs. If requested by Support, zip up these three logs. As the customer, you will find the most useful information in policypakd.log and cloud.log (details below).
Part 1.1: Understanding PolicyPakD.Log
This log records every process that ran on the computer. Once installed, PolicyPak must monitor all processes on the endpoint to determine whether a policy applies to each one, and act on it if so. The log shows those processes together with the policy information, if a policy exists. Because it is a complete record of what every user executed, treat it as sensitive when sharing it outside the organization.
No Existing Policy
Policy Exists
Part 1.2: Understanding Cloud.log
Cloud.log contains the actioned items from policypakd.log: processes run by the user that were Allowed, Elevated or Blocked by PolicyPak policies.
Note, however, that for a better understanding of how your policies are working (or not working), policypakd.log tells you not only which processes were affected by policies, but also which were not, and perhaps should have been.
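The two logs above can be triaged from a Terminal without waiting for a cloud report. The script below is an added example, not PolicyPak's own tooling; it assumes only what this guide states (cloud.log entries contain the words Allowed, Elevated or Blocked, and both logs record the executable by absolute path), and the sample log lines it uses are constructed here, not copied from a real endpoint. It tallies cloud.log by action and per process, and then lists processes that appear in policypakd.log but never produced an actioned entry in cloud.log, i.e. the ones that ran with no matching policy.

```shell
#!/bin/sh
# Added example: local triage of PolicyPak macOS logs.
# Assumption: cloud.log lines carry the action word (Allowed/Elevated/Blocked)
# and both logs carry the executable's absolute path. Line layout is assumed.
LOG_DIR="/Library/Application Support/PolicyPak/Logs"

# Print the first absolute path found on each line read from stdin.
paths_in() {
  awk 'match($0, /\/[^ ]+/) { print substr($0, RSTART, RLENGTH) }'
}

# Number of lines in log $1 that record action $2 (Allowed|Elevated|Blocked).
count_action() {
  grep -c -w "$2" "$1" 2>/dev/null || true
}

# Per-process tally of one action in cloud.log $1, most frequent first.
processes_by_action() {
  grep -w "$2" "$1" 2>/dev/null | paths_in | sort | uniq -c | sort -rn
}

# Processes seen in policypakd.log $1 with no actioned entry in cloud.log $2.
unmatched_processes() {
  ran=$(mktemp); actioned=$(mktemp)
  paths_in < "$1" | sort -u > "$ran"
  grep -E -w 'Allowed|Elevated|Blocked' "$2" 2>/dev/null | paths_in | sort -u > "$actioned"
  comm -23 "$ran" "$actioned"
  rm -f "$ran" "$actioned"
}

summarize() {
  for action in Allowed Elevated Blocked; do
    printf '%-8s %s\n' "$action" "$(count_action "$1" "$action")"
  done
}

# Constructed sample logs (format is an assumption for illustration only).
SAMPLE_CLOUD=$(mktemp)
cat > "$SAMPLE_CLOUD" <<'EOF'
2024-03-05 09:12:01 Elevated /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal policy="Admin tools"
2024-03-05 09:12:40 Blocked /Users/jane/Downloads/Installer.app/Contents/MacOS/Installer policy="Block downloads"
2024-03-05 09:13:02 Allowed /Applications/Safari.app/Contents/MacOS/Safari policy="Browsers"
2024-03-05 09:15:17 Elevated /usr/sbin/installer policy="Admin tools"
EOF

SAMPLE_DAEMON=$(mktemp)
cat > "$SAMPLE_DAEMON" <<'EOF'
2024-03-05 09:12:01 process /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal policy match: Admin tools
2024-03-05 09:12:40 process /Users/jane/Downloads/Installer.app/Contents/MacOS/Installer policy match: Block downloads
2024-03-05 09:13:02 process /Applications/Safari.app/Contents/MacOS/Safari policy match: Browsers
2024-03-05 09:14:30 process /usr/bin/curl no policy
2024-03-05 09:15:17 process /usr/sbin/installer policy match: Admin tools
2024-03-05 09:16:05 process /usr/local/bin/brew no policy
EOF

# Usage: ./triage.sh [cloud.log] [policypakd.log]; defaults to the samples.
# On a real Mac pass "$LOG_DIR/cloud.log" "$LOG_DIR/policypakd.log".
CLOUD_LOG="${1:-$SAMPLE_CLOUD}"
DAEMON_LOG="${2:-$SAMPLE_DAEMON}"
summarize "$CLOUD_LOG"
echo "Elevated, by process:"
processes_by_action "$CLOUD_LOG" Elevated
echo "Processes with no matching policy:"
unmatched_processes "$DAEMON_LOG" "$CLOUD_LOG"
```

The path regex stops at the first space, so the script picks up bundle executables such as Terminal.app/Contents/MacOS/Terminal but would truncate a path that itself contains a space; check the real log layout before relying on the per-process counts.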
Part 2: Setting up PolicyPak Cloud Groups for Event Collection
Having these logs locally is all well and good, but the power is in the ability to store them centrally and present the data in a more readable format.
Our Event Collector in the cloud can take these events, upload them to your PolicyPak cloud instance and allow you to pull reports based on this data.
Please note that this is a paid extra service and is not enabled by default.
Event collection is part of the Group configuration. There are two types of groups your endpoints can belong to: BUILT-IN and COMPANY.
Built-in
Without going into too much detail here (there are KB articles that do that), the main Built-in group is the ALL group. Every endpoint that has an account automatically becomes a member of the Windows or, in this case, macOS ALL group. If this group is configured with Event Collection, all endpoints will send their cloud.log data up to the cloud.
Company
Company groups are created and configured by you, the PolicyPak Cloud instance administrator. You specify which computer accounts are members, so only those endpoints upload the data you specify in that group's Event Collection configuration.
There are a few ways to add a computer to a group, but the most common is directly through the group:
- Highlight the group you want to add the computer(s) to
- Click on Add/Remove Computer from Group (under Actions)
- Click “Available Computers”
- Check the ones to add and click “Add”
Event Collection Configuration
To configure Event Collection, highlight the group and click “Edit Group” under Actions. On the resulting pop-up window, click on the “Event Collector” tab.
The “Event submission interval” dictates how often the logs are uploaded to the cloud. This is separate and distinct from the “Refresh interval for computers” on the previous tab, which dictates how often the endpoint synchronizes its policies with the cloud.
You can also choose which events are collected and stored in the cloud. On large networks this saves you from a lot of ‘noise’ when looking for specific things. We generally recommend starting with All events until you know what you want to see, and then selecting just those.
When “Selected” is chosen, clicking the Info icon brings up a list of Event IDs that can be selected. In the image below I’ve highlighted the two Event types that I highlighted in the cloud.log example above.
Notes on Collection configuration:
- When the ALL group is configured, all endpoints will receive the configuration.
- When a Parent group is configured, all child groups will, by default, inherit the configuration as well. This behavior, however, can be altered to block inheritance.
- If a computer is a member of multiple groups, the behavior is cumulative: all selected IDs are included, and uploads happen at the shortest interval set.
For more information, please see the following KB article -> https://kb.policypak.com/kb/article/1228-how-can-i-keep-the-same-or-specify-different-parameters-for-event-collection-for-child-groups-how-does-a-computer-behave-if-a-member-of-multiple-groups/
Forcing Event submission
If you’re testing, or just want to upload the data immediately, you can force the upload of the cloud.log file with the following command:
Policypak cloud-push-logs
Note: this command can be run by a standard user. It does not require elevated or administrative rights to perform.
Part 3: Reporting on Collected Events
All collected events can be accessed through the “Computers (Collected Events)” report: on the Reports tab, select “PolicyPak Least Privilege Manager for macOS”.
Next, set the time period you want to report on. The default is from the beginning of the current day, but you can choose the desired start and stop date and time. Click “Show” to see the results.
The results can be filtered to show only the desired information, for example only specific computers or only Elevation events. Every column can be filtered by clicking the ellipsis in the column header.
For offline analysis, the report can be exported to Excel or, if very large, CSV. This can be done before or after filtering.