How To: Gather Log Files for Mac in Ivanti Endpoint Manager

Version 9

    Overview

    Ivanti Endpoint Manager (LANDesk) 2017.1 changes the way logging occurs on managed Mac devices:

    • LANDesk.log no longer holds any relevant information on devices running macOS 10.12 (Sierra) with an Ivanti 2017.1 agent.
    • 2016.3 and older agents are unaffected.
    • OS X 10.11 (El Capitan) and older versions are unaffected, even with a 2017.1 agent installed.

    This is due to the unified logging system Apple introduced in macOS 10.12. Previously, most agent activity was logged in LANDesk.log, but some information ended up in system.log or other logs. Under unified logging every entry goes to one place, the unified log store, which is read with the log command rather than from a flat file.

    Gathering Logs

    Mac logging is now gathered via the Terminal by extracting entries from the unified log store with the log command.

    The log command's options allow extensive customization of what is extracted. For example, the following generic query gathers everything logged by the IEM (LANDesk) agent processes:

    log show --predicate 'processImagePath contains "LANDesk"' --debug --info --last 1d >> ~/Desktop/Landesk.log

    This query grabs every entry from the last day (default, info and debug levels) whose processImagePath contains "LANDesk" and appends it to Landesk.log on the desktop (>> appends to an existing file, so use > if each collection should start a fresh file). Note that contains is case-sensitive: the string has to match the agent's install path, /Library/Application Support/LANDesk, as written. The result is similar to what LANDesk.log held in past versions and looks something like the following:


    Timestamp                       Thread     Type        Activity             PID    
    2017-04-21 06:50:49.112787-0700 0x564      Info        0x0                  93     ldscheduler: ldscheduler inFilterRange: returning 1 for task install-ldpatch.xml
    2017-04-21 06:50:49.113101-0700 0x564      Info        0x0                  93     ldscheduler: runCommand = /Library/Application\ Support/LANDesk/bin/vulscan -scanonly
    2017-04-21 06:50:49.116463-0700 0x5e9      Info        0x0                  106    lddispatch: Got ID size = 5
    2017-04-21 06:50:49.116530-0700 0x5e9      Info        0x0                  106    lddispatch: Got address size = 36
    2017-04-21 06:50:49.116572-0700 0x5e9      Info        0x0                  106    lddispatch: Got NULL size = 0
    2017-04-21 06:50:49.116610-0700 0x5e9      Info        0x0                  106    lddispatch: Got message size = 420
    2017-04-21 06:50:49.116646-0700 0x5e9      Info        0x0                  106    lddispatch: Start process on thread 4
    2017-04-21 06:50:49.158599-0700 0x5e9      Info        0x0                  106    lddispatch: Finish process on thread 4
    2017-04-21 06:50:49.158652-0700 0x5e9      Info        0x0                  106    lddispatch: Start listening on thread 4
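    A collection script built around the query above, as an added example that is not part of the article or of Ivanti's tooling. The function names, the one-file-per-run naming and the archive step are this example's own choices; log show, log collect and their --predicate, --info, --debug, --last and --output options are the real macOS log(1) options. It replaces the >> append of the one-liner with a fresh file per run, validates the day count, and, for incident work, can preserve the whole log store with log collect so the query can be repeated offline against the archive.

```shell
#!/bin/sh
# Added example, not part of the Ivanti article: a collection script around the
# article's `log show` query.  Function names, the one-file-per-run naming and the
# archive step are this example's own choices; `log show`, `log collect` and the
# --predicate/--info/--debug/--last/--output options are real macOS log(1) options.

# The article's predicate: every process whose image path contains "LANDesk"
# (the agent lives under /Library/Application Support/LANDesk).
ivanti_predicate() {
    printf '%s\n' 'processImagePath contains "LANDesk"'
}

# Turn a day count into the value for --last (log(1) accepts m/h/d suffixes).
# Fails on anything but a positive integer so a typo cannot silently become a
# different window or an option-looking argument.
last_window() {
    case $1 in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    printf '%s\n' "${1}d"
}

# One output file per host and run.  The article's `>> ~/Desktop/Landesk.log`
# appends, so a second collection silently mixes with the first.
outfile_name() {
    dir=${1:-"$HOME/Desktop"}
    printf '%s/landesk-%s-%s.log\n' "$dir" "$(uname -n)" "$(date +%Y%m%dT%H%M%S)"
}

# Run the article's query (default + info + debug) for the last N days into a
# fresh file and print its path.  Usage: gather_ivanti_logs [days] [dir]
gather_ivanti_logs() {
    days=${1:-1}
    window=$(last_window "$days") || { echo "bad day count: $days" >&2; return 1; }
    out=$(outfile_name "${2:-}")
    log show --predicate "$(ivanti_predicate)" --info --debug --last "$window" > "$out" || return 1
    printf '%s\n' "$out"
}

# Beyond the article: for incident work, preserve the whole store first (root
# required) and query it offline with `log show --archive FILE --predicate ...`,
# so the same evidence can be re-queried without the device.
collect_log_archive() {
    days=${1:-1}
    window=$(last_window "$days") || return 1
    archive=${2:-"$HOME/Desktop/$(uname -n).logarchive"}
    sudo log collect --last "$window" --output "$archive" && printf '%s\n' "$archive"
}

# Only call log(1) when run on macOS as `sh thisscript.sh run [days]`; elsewhere
# the functions are merely defined.
if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = run ]; then
    gather_ivanti_logs "${2:-1}"
fi
```

    Run it on the Mac as sh gather.sh run 2 to collect two days into a new file on the desktop; collect_log_archive 2 does the same but keeps the complete store as a .logarchive, which is the better starting point when the device may be wiped or re-imaged.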

    Narrowing the Results

    The log output above may provide more information than is necessary. The following are the more common ways to narrow the results: the level switches and predicate filters.

    Logging Level

    1. Default - Requires no switch. Default-level messages are always in the output.
    2. Info - The --info switch adds info-level messages to the output.
    3. Debug - The --debug switch adds debug-level messages to the output.

    Info and debug messages are only available if the logging subsystem persisted them to the store. Apple's defaults keep info-level messages in memory only and discard debug-level messages, so if a query over a longer --last window returns far fewer info or debug entries than expected, the messages may not have been persisted rather than not logged.


    Predicate Filters

    Predicates provide general-purpose filtering. String values and IDs that appear in log entries can be queried with predicates. For more information, refer to Apple's Predicate Programming Guide.

    • eventType - Matches the type of event (logEvent, traceEvent, activityCreateEvent, etc.).
      • Example: log show --predicate 'eventType == activityCreateEvent and messageType == debug'

    • eventMessage - Matches the pattern within the message text, or the activity name, of a log or trace entry.
      • Example: log show --predicate 'eventMessage contains "Failure" or eventMessage contains "failure"'

    • messageType - Matches the type of message for logEvent and traceEvent (used to show only default, info, or debug entries).
      • Example: log show --predicate 'messageType == debug'

    • processImagePath - Matches the pattern within the path of the process that originated the event.
      • Example: log show --predicate 'processImagePath CONTAINS "ldvdetect"' --style syslog --info --debug

    Predicates can be combined with the and and or operators, and negated with not. String comparisons are case-sensitive; use contains[c] (or ==[c]) for a case-insensitive match, which replaces the "Failure" or "failure" pair above with a single eventMessage contains[c] "failure".
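    The filters above composed in a script, as an added example that is not part of the article: build_predicate joins several process names with or and an optional eventMessage filter with and, using the case-insensitive contains[c] form, and the two awk helpers narrow a file that was already saved in the default output format shown above, which is useful when a collected Landesk.log is too large to read. The function names are this example's own, and the sample lines are constructed from the article's excerpt.

```shell
#!/bin/sh
# Added example, not from the Ivanti article: compose log(1) predicates and narrow
# saved default-style `log show` output.  Function names are this example's own;
# SAMPLE is constructed from the article's output excerpt.

# Build one predicate that matches any of the given process names (OR-ed) with the
# NSPredicate case-insensitive form contains[c], optionally AND-ed with a
# case-insensitive eventMessage filter.  Usage: build_predicate MSG PROC...
# (an empty MSG means no message filter).
build_predicate() {
    msg=$1
    shift
    pred=""
    for p in "$@"; do
        term="processImagePath contains[c] \"$p\""
        if [ -z "$pred" ]; then pred=$term; else pred="$pred or $term"; fi
    done
    if [ -n "$msg" ]; then
        pred="($pred) and eventMessage contains[c] \"$msg\""
    fi
    printf '%s\n' "$pred"
}

# Constructed sample: the article's default-style `log show` excerpt.
SAMPLE='Timestamp                       Thread     Type        Activity             PID
2017-04-21 06:50:49.112787-0700 0x564      Info        0x0                  93     ldscheduler: ldscheduler inFilterRange: returning 1 for task install-ldpatch.xml
2017-04-21 06:50:49.113101-0700 0x564      Info        0x0                  93     ldscheduler: runCommand = /Library/Application\ Support/LANDesk/bin/vulscan -scanonly
2017-04-21 06:50:49.116463-0700 0x5e9      Info        0x0                  106    lddispatch: Got ID size = 5
2017-04-21 06:50:49.116530-0700 0x5e9      Info        0x0                  106    lddispatch: Got address size = 36
2017-04-21 06:50:49.116572-0700 0x5e9      Info        0x0                  106    lddispatch: Got NULL size = 0
2017-04-21 06:50:49.116610-0700 0x5e9      Info        0x0                  106    lddispatch: Got message size = 420
2017-04-21 06:50:49.116646-0700 0x5e9      Info        0x0                  106    lddispatch: Start process on thread 4
2017-04-21 06:50:49.158599-0700 0x5e9      Info        0x0                  106    lddispatch: Finish process on thread 4
2017-04-21 06:50:49.158652-0700 0x5e9      Info        0x0                  106    lddispatch: Start listening on thread 4'

# Keep only entries of one level (the Type column: Default, Info, Debug, Error,
# Fault) from default-style output, preserving the header line.
filter_level() {
    awk -v want="$1" 'NR == 1 || $4 == want'
}

# Count entries per originating process in default-style output.  Data rows have
# one more field than the header because the timestamp splits into date and time,
# so the process name is two fields past the header's PID column (three if this
# macOS version prints a TTL column) and carries a trailing colon.
count_by_process() {
    awk 'NR == 1 {
             proc = 7
             for (i = 1; i <= NF; i++) if ($i == "PID") proc = i + 2
             if ($NF == "TTL") proc++
             next
         }
         NF >= proc { p = $proc; sub(/:$/, "", p); n[p]++ }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Usage with a saved collection:
#   log show --predicate "$(build_predicate failure ldscheduler vulscan)" --info --debug --last 1d
#   filter_level Info < ~/Desktop/Landesk.log
#   count_by_process < ~/Desktop/Landesk.log
```

    count_by_process is the quick way to decide which process to narrow a predicate to: on the article's excerpt it reports lddispatch 7 and ldscheduler 2, so a follow-up query would add processImagePath contains[c] "lddispatch". The awk helpers assume the default output style; --style syslog or --style json lay the fields out differently.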

    Man Page

    The information shared here only begins to scratch the surface of the logging customization available with the 2017.1 agent.

    For more information, open a Mac Terminal and type log, then right-click on log and select Open Man Page (or run man log).

    A copy of the man page is attached to this document.