Full Metal Mac FullMetalMac.com

Essential Log Predicates for macOS Security Monitoring

Ready-to-use log predicates for monitoring authentication, file access, network activity, malware detection, and privilege escalation

Published: Feb 14, 2026

How to Use This Reference

This article is a curated collection of log show and log stream predicates focused on security monitoring. Each command is ready to copy and run. Adjust the --last time range to match your investigation window; it takes a number with an m, h or d suffix (5m, 4h, 2d).

All commands assume you are running as an administrator. Some require sudo for access to system-level log data. Be aware that the unified log redacts most dynamic values (usernames, paths and similar) as <private> unless private-data logging has been enabled with a configuration profile, so eventMessage CONTAINS clauses can match fewer events than you expect.

Tip: For live monitoring, replace log show --last <time> with log stream and add --level info or --level debug as needed (log show takes --info and --debug instead). For persistent monitoring, add --style ndjson and pipe the output to a file or to your SIEM forwarder.


Authentication and Login

Login Window Events

Monitor user login and logout activity, fast user switching, and screen lock:

log show --last 4h \
  --predicate 'subsystem == "com.apple.loginwindow"' \
  --style compact

Authorization and Privilege Prompts

Track every time a user is prompted for admin credentials (installing software, changing system settings, etc.):

log show --last 4h \
  --predicate 'subsystem == "com.apple.Authorization"' \
  --style compact

PAM Authentication

Monitor Pluggable Authentication Module activity, including SSH logins, su, and screen unlock:

log show --last 4h \
  --predicate 'process == "authorizationhost" OR eventMessage CONTAINS "PAM"' \
  --style compact

Failed Authentication Attempts

Isolate authentication failures that may indicate brute-force attacks or credential misuse:

log show --last 24h \
  --predicate '(subsystem == "com.apple.Authorization" OR subsystem == "com.apple.loginwindow") AND eventMessage CONTAINS[c] "fail"' \
  --style compact

SSH Login Activity

log show --last 24h \
  --predicate 'process == "sshd"' \
  --style compact

Kerberos and SSO

log show --last 4h \
  --predicate 'subsystem == "com.apple.Kerberos" OR subsystem == "com.apple.AppSSOAgent"' \
  --style compact

File System Access and Privacy (TCC)

TCC controls access to sensitive resources (camera, microphone, contacts, Full Disk Access). Monitor grant and deny decisions:

log show --last 4h \
  --predicate 'subsystem == "com.apple.TCC"' \
  --style compact

Sandbox Violations

Detect when applications attempt to access resources outside their sandbox:

log show --last 2h \
  --predicate 'process == "sandboxd"' \
  --style compact

Sandbox Denials with Process Detail

log show --last 2h \
  --predicate 'process == "sandboxd" AND eventMessage CONTAINS "deny"' \
  --style compact

Full Disk Access and Protected Data

log show --last 4h \
  --predicate 'subsystem == "com.apple.TCC" AND eventMessage CONTAINS[c] "kTCCServiceSystemPolicyAllFiles"' \
  --style compact

Network Activity

DNS Resolution

Monitor DNS queries and failures through mDNSResponder:

log show --last 1h \
  --predicate 'subsystem == "com.apple.mDNSResponder"' \
  --info --style compact

Network Connections

Track new network connections and socket activity:

log show --last 1h \
  --predicate 'subsystem == "com.apple.networkd"' \
  --style compact

Network Content Filter (NEFilterManager)

Monitor network extension filtering decisions (relevant if you deploy content filters or endpoint security tools):

log show --last 2h \
  --predicate 'subsystem == "com.apple.networkextension" OR process == "nesessionmanager" OR process == "nehelper"' \
  --style compact

Firewall Events

log show --last 4h \
  --predicate 'subsystem == "com.apple.alf" OR process == "socketfilterfw"' \
  --style compact

VPN Connection Events

log show --last 4h \
  --predicate 'subsystem == "com.apple.networkextension" AND eventMessage CONTAINS[c] "VPN"' \
  --style compact

Wi-Fi Security Events

log show --last 2h \
  --predicate 'subsystem == "com.apple.WiFiManager" AND (eventMessage CONTAINS[c] "auth" OR eventMessage CONTAINS[c] "deauth" OR eventMessage CONTAINS[c] "disassoc")' \
  --style compact

Malware Detection and Code Signing

XProtect Activity

XProtect is Apple’s built-in malware signature scanner. Monitor scan results and definition updates:

log show --last 24h \
  --predicate 'subsystem == "com.apple.XProtect" OR process == "XProtect" OR process == "XProtectRemediatorMRT"' \
  --style compact

Gatekeeper Assessments

Track Gatekeeper decisions when applications are launched for the first time:

log show --last 4h \
  --predicate 'subsystem == "com.apple.syspolicy" OR process == "syspolicyd"' \
  --style compact

Notarization Checks

log show --last 4h \
  --predicate 'subsystem == "com.apple.syspolicy" AND eventMessage CONTAINS[c] "notariz"' \
  --style compact

AMFI (Apple Mobile File Integrity)

Monitor code signing validation and library injection prevention:

log show --last 2h \
  --predicate 'process == "amfid" OR (process == "kernel" AND eventMessage CONTAINS "AMFI")' \
  --style compact

Malware Remediation Tool (MRT / XProtect Remediator)

log show --last 24h \
  --predicate 'process CONTAINS "XProtectRemediator" OR process == "MRT"' \
  --style compact

Privilege Escalation

sudo Usage

Monitor every use of sudo across the system:

log show --last 24h \
  --predicate 'process == "sudo"' \
  --style compact

sudo Failures

Isolate failed sudo attempts (potential unauthorized escalation attempts). sudo logs two failure shapes, "user NOT in sudoers" and "N incorrect password attempts", so match both:

log show --last 24h \
  --predicate 'process == "sudo" AND (eventMessage CONTAINS "NOT" OR eventMessage CONTAINS "incorrect password")' \
  --style compact
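The two failure predicates above (the Authorization/loginwindow failures in the Authentication section and the sudo failures here) tell you that failures happened; deciding whether they form a brute-force burst needs counting over time. The following Python script is an added example for this reference, not tooling from FullMetalMac.com: it reads the ndjson form of those queries on stdin, parses sudo's log line format, and raises an alert when one source accumulates a threshold of failures inside a sliding window. The sample records, the loginwindow message text and the sshd patterns (OpenSSH's "Failed password ... from <ip>" wording) are constructed or assumed, and it is Python rather than a jq pipeline because windowed counting is awkward in jq.

```python
"""Burst detection over unified-log ndjson for the failure predicates in this reference.
Added example, not FullMetalMac.com tooling.  On a Mac:

    log show --last 24h --style ndjson --predicate 'process == "sudo" OR process == "sshd"
      OR subsystem == "com.apple.Authorization" OR subsystem == "com.apple.loginwindow"' \
      | python3 auth_bursts.py

Run with no input to use the constructed sample below."""
import json
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sudo's log line: "<user> : [<reason> ; ]TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>".
# <reason> appears only on failures ("3 incorrect password attempts", "<user> NOT in sudoers").
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+)\s*:\s*(?:(?P<reason>.*?)\s*;\s*)?"
    r"TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>.*?)\s*;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)

# Constructed sample in the shape of `log show --style ndjson` output; keys match the
# predicate fields (timestamp, process, subsystem, messageType, eventMessage).
SAMPLE_NDJSON = """\
{"timestamp":"2026-02-14 10:00:01.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"}
{"timestamp":"2026-02-14 10:00:05.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:00:20.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:00:35.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:01:10.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:02:00.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:02:30.000000-0800","process":"sudo","subsystem":null,"messageType":"Default","eventMessage":"mallory : mallory NOT in sudoers ; TTY=ttys002 ; PWD=/Users/mallory ; USER=root ; COMMAND=/bin/sh"}
{"timestamp":"2026-02-14 10:03:00.000000-0800","process":"loginwindow","subsystem":"com.apple.loginwindow","messageType":"Error","eventMessage":"authentication failed for user bob (constructed sample text)"}
{"timestamp":"2026-02-14 10:03:05.000000-0800","process":"kernel","subsystem":null,"messageType":"Default","eventMessage":"unrelated message"}
{"timestamp":"2026-02-14 10:03:10.000000-0800","process":"sshd","subsystem":null,"messageType":"Default","eventMessage":"Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"}
"""


def parse_ts(value):
    """ndjson timestamps look like '2026-02-14 10:00:05.000000-0800'."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")
    except (TypeError, ValueError):
        return None


def classify(rec):
    """Return (burst_key, description) for a failed auth event, else None.
    Criteria follow the predicates in this reference; sshd wording is OpenSSH's (assumed)."""
    proc = rec.get("process") or ""
    sub = rec.get("subsystem") or ""
    msg = rec.get("eventMessage") or ""
    if proc == "sudo":
        m = SUDO_RE.match(msg)
        reason = m.group("reason") if m else msg   # unparsed line: fall back to whole message
        if reason and ("NOT" in reason or "incorrect password" in reason):
            user = m.group("user") if m else "?"
            cmd = m.group("command") if m else "?"
            return f"sudo:{user}", f"sudo failure for {user}: {reason} (COMMAND={cmd})"
        return None
    if proc == "sshd" and ("Failed password" in msg or "Invalid user" in msg):
        src = re.search(r"\bfrom (\S+)", msg)
        key = src.group(1) if src else "unknown"
        return f"sshd:{key}", f"ssh failure from {key}: {msg}"
    if sub in ("com.apple.Authorization", "com.apple.loginwindow") and "fail" in msg.lower():
        return f"{sub}:{proc}", f"{sub} failure in {proc}: {msg}"
    return None


def scan(lines, threshold=5, window=timedelta(minutes=5)):
    """Walk records in time order; collect every failure and raise one alert each time
    `threshold` failures for the same key fall inside `window` (the window resets after
    an alert, so a long attack yields one alert per `threshold` failures)."""
    recent = defaultdict(deque)
    failures, alerts = [], []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(rec)
        if hit is None:
            continue
        key, desc = hit
        failures.append(desc)
        ts = parse_ts(rec.get("timestamp"))
        if ts is None:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"{key}: {len(q)} failures within {window} ending {ts.isoformat()}")
            q.clear()
    return failures, alerts


if __name__ == "__main__":
    source = SAMPLE_NDJSON.splitlines() if sys.stdin.isatty() else sys.stdin
    found, bursts = scan(source)
    for item in found:
        print("FAIL ", item)
    for item in bursts:
        print("ALERT", item)
```

log show emits records in chronological order, which the sliding window relies on; if you concatenate exports from several Macs, sort them by timestamp first. Tune the threshold and window to your environment: five sudo failures in five minutes from one user is a reasonable starting point for a workstation, not a universal constant.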

AuthorizationExecuteWithPrivileges (Deprecated but Still Used)

Some legacy installers still call this deprecated API. Its appearance is a signal to check which process made the call and why, not proof of compromise on its own:

log show --last 24h \
  --predicate 'eventMessage CONTAINS "AuthorizationExecuteWithPrivileges"' \
  --style compact

Security Agent Prompts

The SecurityAgent process handles the GUI authorization dialogs:

log show --last 4h \
  --predicate 'process == "SecurityAgent"' \
  --style compact

Software Installation

Installer Activity

Monitor .pkg installations and their outcomes:

log show --last 4h \
  --predicate 'process == "installer" OR process == "installd"' \
  --style compact

Software Update Daemon

log show --last 12h \
  --predicate 'process == "softwareupdated" OR subsystem == "com.apple.SoftwareUpdate"' \
  --style compact

App Store Installations

log show --last 4h \
  --predicate 'subsystem == "com.apple.commerce" OR process == "appstored" OR process == "storedownloadd"' \
  --style compact

System Extension Installation

Monitor system extensions (endpoint security tools, network filters, driver extensions):

log show --last 4h \
  --predicate 'subsystem == "com.apple.sx" OR process == "sysextd"' \
  --style compact

MDM and Configuration Profiles

MDM Client Activity

Monitor MDM command receipt, processing, and status reporting:

log show --last 4h \
  --predicate 'subsystem == "com.apple.mdmclient"' \
  --style compact

MDM Errors Only

log show --last 24h \
  --predicate 'subsystem == "com.apple.mdmclient" AND messageType == error' \
  --style compact

Configuration Profile Operations

log show --last 4h \
  --predicate 'subsystem == "com.apple.ManagedClient"' \
  --style compact

Profile Installation and Removal

log show --last 12h \
  --predicate 'subsystem == "com.apple.ManagedClient" AND (eventMessage CONTAINS[c] "install" OR eventMessage CONTAINS[c] "remov")' \
  --style compact

APNs Push Notifications (MDM Push)

log show --last 4h \
  --predicate 'subsystem == "com.apple.apsd"' \
  --style compact

DEP / Automated Device Enrollment

log show --last 4h \
  --predicate 'subsystem == "com.apple.ManagedClient" AND eventMessage CONTAINS[c] "DEP"' \
  --style compact

Composite Security Monitoring Commands

“Something Bad Happened” Quick Scan

When you suspect compromise but do not know where to start, cast a wide net across security-relevant subsystems:

log show --last 1h \
  --predicate '(subsystem == "com.apple.Authorization" OR subsystem == "com.apple.TCC" OR process == "sandboxd" OR process == "sudo" OR process == "amfid" OR subsystem == "com.apple.syspolicy") AND (messageType == error OR messageType == fault)' \
  --style compact

All Errors and Faults System-Wide

This is noisy on any busy Mac and most of what it returns is ordinary application error logging; keep the window short and use it to spot patterns, not as a security predicate on its own:

log show --last 30m \
  --predicate 'messageType == error OR messageType == fault' \
  --style compact

Live Security Event Stream

Stream security-relevant events in real time during an active investigation:

log stream --level info \
  --predicate 'subsystem == "com.apple.Authorization" OR subsystem == "com.apple.TCC" OR process == "sandboxd" OR process == "sudo" OR subsystem == "com.apple.syspolicy" OR process == "amfid"' \
  --style compact

Building Custom Predicates

The commands in this reference cover common scenarios, but every environment is different. To build your own predicates:

  1. Identify the subsystem: Use Console.app’s Info panel or log show --last 5m --style ndjson | jq -r '.subsystem' | sort -u to discover active subsystems. Messages logged without a subsystem show up as null; select those by process instead.
  2. Start broad, then narrow: Begin with just the subsystem filter, then add AND eventMessage CONTAINS clauses to focus.
  3. Test with a short time range: Use --last 5m to validate your predicate returns results before expanding to longer ranges.
  4. Save your predicates: Maintain a team-shared text file or wiki page of your custom predicates so colleagues can reuse them.
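Steps 1 and 2 can also be done from an ndjson export, which makes it easy to keep a per-fleet baseline of known subsystems. The script below is an added example (not FullMetalMac.com's tooling) in the same spirit as the jq pipeline in step 1: it inventories subsystems and processes, ranks them for investigation with sources absent from the baseline first, and prints the broad starting predicate for step 2. The sample records, the baseline set and the messageType names are constructed or assumed.

```python
"""Offline inventory of unified-log ndjson: which subsystems and processes are active,
how many errors and faults each produced, and which ones your baseline has never seen.
Added example for this reference, not FullMetalMac.com tooling.  On a Mac:

    log show --last 5m --style ndjson | python3 log_inventory.py [baseline.json]

Run with no input to use the constructed sample below."""
import json
import sys
from collections import Counter, defaultdict

NO_SUBSYSTEM = "(none)"

# Constructed sample in the shape of ndjson output; messageType uses the names the
# unified log emits (Default, Info, Debug, Error, Fault).  Note the sudo record: it
# carries no subsystem, which is why step 1 must look at process as well.
SAMPLE_NDJSON = """\
{"timestamp":"2026-02-14 10:00:00.000000-0800","subsystem":"com.apple.TCC","process":"tccd","messageType":"Default","eventMessage":"sample tcc request"}
{"timestamp":"2026-02-14 10:00:01.000000-0800","subsystem":"com.apple.TCC","process":"tccd","messageType":"Error","eventMessage":"sample tcc denial"}
{"timestamp":"2026-02-14 10:00:02.000000-0800","subsystem":"com.apple.syspolicy","process":"syspolicyd","messageType":"Default","eventMessage":"sample gatekeeper assessment"}
{"timestamp":"2026-02-14 10:00:03.000000-0800","subsystem":null,"process":"sudo","messageType":"Default","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"}
{"timestamp":"2026-02-14 10:00:04.000000-0800","subsystem":"com.example.unknownagent","process":"unknownagent","messageType":"Fault","eventMessage":"sample fault from a source not in the baseline"}
"""

# A baseline is just the set of subsystems already catalogued for your fleet (stored as a
# JSON list).  This one is constructed to match the sample.
BASELINE = {"com.apple.TCC", "com.apple.syspolicy", NO_SUBSYSTEM}


def parse_ndjson(lines):
    """Yield one dict per JSON line, skipping blank lines and anything unparsable."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(lines):
    """Return (messageType counts per subsystem, set of processes per subsystem)."""
    levels = defaultdict(Counter)
    processes = defaultdict(set)
    for rec in parse_ndjson(lines):
        sub = rec.get("subsystem") or NO_SUBSYSTEM
        levels[sub][rec.get("messageType") or "Default"] += 1
        processes[sub].add(rec.get("process") or "(unknown)")
    return dict(levels), dict(processes)


def prioritize(levels, baseline):
    """Investigation order: subsystems absent from the baseline first, then by
    error+fault volume, then alphabetically so the order is stable."""
    def rank(item):
        sub, counts = item
        return (sub in baseline, -(counts["Error"] + counts["Fault"]), sub)
    return [sub for sub, _ in sorted(levels.items(), key=rank)]


def broad_predicate(sub, procs):
    """Step 2 starting point.  Records with no subsystem can only be selected by process."""
    if sub != NO_SUBSYSTEM:
        return f'subsystem == "{sub}"'
    return " OR ".join(f'process == "{p}"' for p in sorted(procs))


def load_baseline(path):
    with open(path) as fh:
        return set(json.load(fh))


if __name__ == "__main__":
    baseline = load_baseline(sys.argv[1]) if len(sys.argv) > 1 else BASELINE
    source = SAMPLE_NDJSON.splitlines() if sys.stdin.isatty() else sys.stdin
    by_subsystem, by_process = summarize(source)
    for sub in prioritize(by_subsystem, baseline):
        flag = "" if sub in baseline else "  <- not in baseline"
        print(f"{sub}: {dict(by_subsystem[sub])}{flag}")
        print(f"  start with: --predicate '{broad_predicate(sub, by_process[sub])}'")
```

Run it over a quiet period first and save the resulting subsystem list as the baseline; the "not in baseline" flag then surfaces newly installed agents, extensions and tools without you having to know their subsystem names in advance.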

Security monitoring is only as good as the predicates you write. Invest time in building a library that covers your environment’s specific threat surface.
