Ivanti Endpoint Manager (LANDesk) 2017.1 changes the way that logging occurs on managed Mac devices:
- The LANDesk.log no longer holds any relevant information on devices running macOS 10.12 (Sierra) with an Ivanti 2017.1 agent.
- 2016.3 and older agents are unaffected.
- OS X 10.11 (El Capitan) and older versions are unaffected, even with a 2017.1 agent installed.
This is due to the new Unified Logging System provided by Apple. Previously, the majority of the agent activity was logged in the LANDesk.log, but some information ended up in the system.log or other logs. All logs are now in one place.
Mac logging is now gathered from the Terminal by extracting entries from the unified log database with the log command.
The log command allows extensive customization of the information to be extracted. For example, the following "generic" query will gather all information regarding the IEM (LANDesk) agent processes:
log show --predicate 'processImagePath contains "LANDesk"' --debug --info --last 1d >> ~/Desktop/Landesk.log
This query collects entries from the last day at the info and debug levels whose processImagePath contains "LANDesk" and appends the output to a file on the desktop. The result is similar to what the LANDesk.log was in past versions and will look something like the following:
Timestamp Thread Type Activity PID
2017-04-21 06:50:49.112787-0700 0x564 Info 0x0 93 ldscheduler: ldscheduler inFilterRange: returning 1 for task install-ldpatch.xml
2017-04-21 06:50:49.113101-0700 0x564 Info 0x0 93 ldscheduler: runCommand = /Library/Application\ Support/LANDesk/bin/vulscan -scanonly
2017-04-21 06:50:49.116463-0700 0x5e9 Info 0x0 106 lddispatch: Got ID size = 5
2017-04-21 06:50:49.116530-0700 0x5e9 Info 0x0 106 lddispatch: Got address size = 36
2017-04-21 06:50:49.116572-0700 0x5e9 Info 0x0 106 lddispatch: Got NULL size = 0
2017-04-21 06:50:49.116610-0700 0x5e9 Info 0x0 106 lddispatch: Got message size = 420
2017-04-21 06:50:49.116646-0700 0x5e9 Info 0x0 106 lddispatch: Start process on thread 4
2017-04-21 06:50:49.158599-0700 0x5e9 Info 0x0 106 lddispatch: Finish process on thread 4
2017-04-21 06:50:49.158652-0700 0x5e9 Info 0x0 106 lddispatch: Start listening on thread 4
Narrowing the Results
The log output above may provide more information than is necessary in some situations. The following are the more common stream types (log levels) used to narrow the results.
- Default - Requires no flag; default-level messages are always in the output.
- Info - Shows info-level messages in the output (the --info flag).
- Debug - Shows debug-level messages in the output (the --debug flag).
Predicates filter the output by matching fields of each log entry. String values and IDs that appear in the logs can be queried against using predicates. For more information, please refer to this Apple Programming Guide.
- eventType - Used to find the type of event (logEvent, traceEvent, activityCreateEvent, etc.).
Example: log show --predicate 'eventType == activityCreateEvent and messageType == debug'
- eventMessage - Matches the pattern within the message text, or activity name of a log/trace entry.
Example: log show --predicate 'eventMessage contains "Failure" or eventMessage contains "failure"'
- messageType - Matches the type of message for logEvent and traceEvent (used to show only Default, Info, or Debug messages).
Example: log show --predicate 'messageType == debug'
- processImagePath - Matches the pattern within the name of the process that originated the event.
Example: log show --predicate 'processImagePath CONTAINS "ldvdetect"' --style syslog --info --debug
Predicates can be combined using the "and" and "or" operators. Predicate queries are also case sensitive, which is why the eventMessage example above checks for both "Failure" and "failure".
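As an added example, not taken from the Ivanti article, the following POSIX shell helper builds a log show predicate for an agent process (optionally adding a case-insensitive message match through the NSPredicate CONTAINS[c] modifier, which replaces the two-clause "Failure"/"failure" workaround) and triages output in the layout shown above by process and by Error/Fault type. The sample log lines are constructed; only collect_agent_log needs a Mac to run.

```shell
#!/bin/sh
# Added example, not from the Ivanti article. Builds a `log show` predicate for an
# agent process and triages output in the format shown above. The sample log
# lines below are constructed; only collect_agent_log requires macOS.

# build_predicate PROCESS [MESSAGE]
# CONTAINS is case sensitive; CONTAINS[c] (an NSPredicate modifier) matches
# "Failure" and "failure" with one clause instead of two.
build_predicate() {
  pred="processImagePath CONTAINS \"$1\""
  if [ -n "$2" ]; then
    pred="$pred AND eventMessage CONTAINS[c] \"$2\""
  fi
  printf '%s' "$pred"
}

# collect_agent_log PROCESS MESSAGE WINDOW (e.g. LANDesk "" 1d): runs on macOS only.
collect_agent_log() {
  log show --predicate "$(build_predicate "$1" "$2")" --info --debug --last "$3"
}

# Constructed sample in the layout above: date time thread type activity pid process: message
SAMPLE='2017-04-21 06:50:49.112787-0700 0x564 Info 0x0 93 ldscheduler: inFilterRange: returning 1 for task install-ldpatch.xml
2017-04-21 06:50:49.116463-0700 0x5e9 Info 0x0 106 lddispatch: Got ID size = 5
2017-04-21 06:50:50.000000-0700 0x5e9 Error 0x0 106 lddispatch: connection Failure to core
2017-04-21 06:50:51.000000-0700 0x600 Debug 0x0 120 vulscan: scan complete'

# count_by_process: read `log show` output on stdin, print "process count" per process.
count_by_process() {
  awk 'NF >= 8 && $7 ~ /:$/ { p = $7; sub(/:$/, "", p); n[p]++ }
       END { for (p in n) print p, n[p] }' | LC_ALL=C sort
}

# errors_only: keep entries whose Type column is Error or Fault for triage.
errors_only() {
  awk '$4 == "Error" || $4 == "Fault"'
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE" | count_by_process
printf '%s\n' "$SAMPLE" | errors_only
```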
The information shared here only begins to scratch the surface of Logging Customization available with the 2017.1 Agent.
For more information, open Terminal on the Mac and type log, then right-click the word log and select Open Man Page (or run man log).
A copy of the man page is attached to this document.