Best way to collect log files

jameson
Contributor II

When Mac users rapport issues, you always have to remove/walk to the user and typically the first you do is check log files

As far I remember during Jamf training, there is an option to get log files uploaded into the jamf backend in attachement ?. But cannot remember the details on this - but is there a way to do this?

12 REPLIES 12

jsherwood
Contributor

@jameson The API is your friend here...

You can upload files using the /fileuploads endpoint, the implementation notes from the API reference are as follows:

Implementation Notes You can POST different types of files by entering parameters for {resource}, {idType}, and {id}, for example /JSSResource/fileuploads/computers/id/2. Attachments can be uploaded by specifying computers, mobiledevices, enrollmentprofiles, printers, or peripherals as the resource. Icons can be uploaded by specifying policies, ebooks, or mobiledeviceapplicationsicon as the resource. A mobile device application can be uploaded by using mobiledeviceapplicationsipa. A disk encryption can be uploaded by specifying diskencryptionconfigurations as the resource. idTypes supported are id and name, although peripheral names are not supported. A sample command is curl -k -u user:password https://my.JamfPro:8443/JSSResource/fileuploads/computers/id/2 -F name=@/Users/admin/Documents/Sample.doc -X POST

rderewianko
Valued Contributor II

Years ago i wrote a script that did this through the api.. keep in mind all these methods do add space to your database..
https://github.com/pingidentity/CorpIT/tree/Main/JAMF%20Scripts/Diagnostic%20Logs

Granted if i was todo it again i'd upload it to s3, google drive or something else ;)

Edit: Found another version that does a bunch of checks
https://github.com/matt-taylor934/loguploader/blob/master/loguploader.sh

Brad_G
Contributor II

I found and modified a script that zips and uploads the log files to our file share where all of our techs have access. Not sure it's used much but it's another tool in the arsenal.

Here's where it came from: https://jamfnation.jamfsoftware.com/discussion.html?id=18971

Credit to @CAJensen01

mcgace
New Contributor III

@rderewianko Thanks, that Script works for me. One question, how can I modify the script to also zip the crash logs in ~/Library/Logs/DiagnosticReports/

8316637f26404e4b8c5b1ea96f066abe

nberanger
Contributor

I know this is a slightly older post, but incase anyone is looking on how to do this...

@kc9wwh Wrote a slick script that works like a charm for uploading files using the API. Check it out here:

https://github.com/kc9wwh/logCollection

brooke_burdick
New Contributor

@nberanger I feel like such a noob, but do you know where those collected log files go?! I run the script but no idea where to find them!

sdagley
Esteemed Contributor II

@brooke.burdick The https://github.com/kc9wwh/logCollection script uploads the collected logs to your JSS as an attachment to the Computer record for the device, and you'll find the Attachments section under the Computer's Inventory section. Be sure to delete any attachments after you download them since they do take space in your database, and the database backups made until they're deleted.

nberanger
Contributor

@sdagley You beat me to it ;-)

sdagley
Esteemed Contributor II

@nberanger I didn't (and still don't) see your ID as a link in the question @brooke.burdick posted, so thought the post may not have the appropriate tags embedded and you weren't going to get a notification.

melvinp
New Contributor

Dear @sdagley I have a cloud based Jamf Pro setup will it work in that as well ?

Because when I tried I get the Script Exit Code as 0 but in the JSS Inventory under Attachments I see no Attachments. Then via Terminal logs I see the following:

Melvin@Yen ~ % sudo jamf policy -id 59

Password:

Checking for policy ID 59...

Executing Policy logCollection.sh

Running script logCollection.sh...

Script exit code: 0

Script result:   adding: private/var/log/install.log (deflated 96%)

  adding: private/var/log/install.log.0.gz (deflated 25%)

  adding: private/var/log/jamf.log (deflated 91%)

  adding: private/var/log/system.log (deflated 86%)

  adding: private/var/log/system.log.0.gz (deflated 3%)

  adding: private/var/log/system.log.1.gz (deflated 3%)

  adding: private/var/log/system.log.2.gz (deflated 1%)

  adding: private/var/log/system.log.3.gz (deflated 0%)

  adding: private/var/log/system.log.4.gz (deflated 3%)

  adding: private/var/log/system.log.5.gz (deflated 2%)

  adding: private/var/log/system.log.6.gz (deflated 2%)

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   422  100   422    0     0   1032      0 --:--:-- --:--:-- --:--:--  1036

 

mismatched tag at line 10, column 2, byte 404:

<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>

Please continue your visit at our <a href="/">home page</a>.

</p>

=^

</body>

</html>

at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

  5 3757k  100   422    5  191k    698   317k  0:00:11 --:--:--  0:00:11  322k

<html>

<head>

<title>Status page</title>

</head>

<body style="font-family: sans-serif;">

<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>

<p>The request requires user authentication</p>

<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>

Please continue your visit at our <a href="/">home page</a>.

</p>

</body>

</html>

 

Running Recon...

Retrieving inventory preferences from https://softcellprod.jamfcloud.com/...

Finding extension attributes...

Locating applications...

Locating hard drive information...

Locating accounts...

Locating package receipts...

Searching path: /System/Applications

Locating software updates...

Locating printers...

Gathering application usage information from the JamfDaemon...

Searching path: /Applications

Locating hardware information (macOS 13.4.1)...

Submitting data to https://softcellprod.jamfcloud.com/...

<computer_id>12</computer_id>

Submitting log to https://softcellprod.jamfcloud.com/

 

Can you please help?

melvinp
New Contributor

Dear @sdagley I tried and I am getting the below error:

Melvin@Yen ~ % sudo jamf policy -id 59

Password:

Checking for policy ID 59...

Executing Policy logCollection.sh

Running script logCollection.sh...

Script exit code: 0

Script result:   adding: private/var/log/install.log (deflated 96%)

  adding: private/var/log/install.log.0.gz (deflated 25%)

  adding: private/var/log/jamf.log (deflated 91%)

  adding: private/var/log/system.log (deflated 86%)

  adding: private/var/log/system.log.0.gz (deflated 3%)

  adding: private/var/log/system.log.1.gz (deflated 3%)

  adding: private/var/log/system.log.2.gz (deflated 1%)

  adding: private/var/log/system.log.3.gz (deflated 0%)

  adding: private/var/log/system.log.4.gz (deflated 3%)

  adding: private/var/log/system.log.5.gz (deflated 2%)

  adding: private/var/log/system.log.6.gz (deflated 2%)

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   422  100   422    0     0   1032      0 --:--:-- --:--:-- --:--:--  1036

 

mismatched tag at line 10, column 2, byte 404:

<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>

Please continue your visit at our <a href="/">home page</a>.

</p>

=^

</body>

</html>

at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

  5 3757k  100   422    5  191k    698   317k  0:00:11 --:--:--  0:00:11  322k

<html>

<head>

<title>Status page</title>

</head>

<body style="font-family: sans-serif;">

<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>

<p>The request requires user authentication</p>

<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>

Please continue your visit at our <a href="/">home page</a>.

</p>

</body>

</html>

 

Running Recon...

Retrieving inventory preferences from https://softcellprod.jamfcloud.com/...

Finding extension attributes...

Locating applications...

Locating hard drive information...

Locating accounts...

Locating package receipts...

Searching path: /System/Applications

Locating software updates...

Locating printers...

Gathering application usage information from the JamfDaemon...

Searching path: /Applications

Locating hardware information (macOS 13.4.1)...

Submitting data to https://softcellprod.jamfcloud.com/...

<computer_id>12</computer_id>

Submitting log to https://softcellprod.jamfcloud.com/

sdagley
Esteemed Contributor II

@melvinp Please see my response to the message you posted in https://community.jamf.com/t5/jamf-pro/retrieve-system-logs/m-p/295436#M261871 I don't know for sure the issue is Basic Auth instead of Bearer Token Auth but that's where I would start. I don't use that script anymore and I don't have the free time at the moment to make the needed revisions for you.