Enable Private Data in Unified Logs (how-to guide)

cmdGriggs
New Contributor II

Hi All! I finally figured out how to enable (show) private data in Unified Logs in 10.15.3+ now that cmdReporter's private API tricks have been disabled and thought I should share.

You can load this config profile locally with no issue, but this config profile needs to be signed before uploading to Jamf with something like:

/usr/bin/security cms -S -Z "$SIGNING_CERTIFICATE" -i "$UNSIGNED_PROFILE_PATH" -o "$SIGNED_PROFILE_PATH"

Testing:

log stream --predicate '(subsystem == "com.apple.AccountPolicy")'

Unlock a system preference pane; you should not see any "<private>" entries and should instead see full details about the user and record type.

And here is the actual profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>ManagedClient logging</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.apple.logging.ManagedClient.1</string>
      <key>PayloadType</key>
      <string>com.apple.system.logging</string>
      <key>PayloadUUID</key>
      <string>ED5DE307-A5FC-434F-AD88-187677F02222</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>System</key>
      <dict>
        <key>Enable-Private-Data</key>
        <true/>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Enable Unified Log Private Data logging</string>
  <key>PayloadDisplayName</key>
  <string>Enable Unified Log Private Data</string>
  <key>PayloadIdentifier</key>
  <string>C510208B-AD6E-4121-A945-E397B61CACCF</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>D30C25BD-E0C1-44C8-830A-964F27DAD4BA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
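To check a profile before signing and to tell from `log stream` output whether the redaction has actually been lifted, here is an added Python example (not part of the post); the profile text is a shortened copy of the one above, the log lines are constructed after the ones in this thread, and only the standard-library `plistlib` is used.

```python
import plistlib

# Constructed, shortened copy of the post's profile (keys not needed for the check omitted).
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.system.logging</string>
      <key>System</key>
      <dict>
        <key>Enable-Private-Data</key>
        <true/>
      </dict>
    </dict>
  </array>
  <key>PayloadScope</key>
  <string>System</string>
</dict>
</plist>
"""

# Constructed lines modelled on the log stream output in this thread: one still redacted, one not.
SAMPLE_LOG = [
    'opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: '
    'Evaluation result for record "<private>", record type "dsRecTypeStandard:Users": Success',
    'opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: '
    'Evaluation result for record "testuser", record type "dsRecTypeStandard:Users": Success',
]


def profile_enables_private_data(profile_bytes):
    """True if the profile is System-scoped (as the post's is) and a com.apple.system.logging payload sets Enable-Private-Data."""
    plist = plistlib.loads(profile_bytes)
    if plist.get("PayloadScope") != "System":
        return False
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.system.logging":
            continue
        if payload.get("System", {}).get("Enable-Private-Data") is True:
            return True
    return False


def redacted_lines(log_lines):
    """Lines that still carry the <private> placeholder, i.e. entries where the setting is not in effect."""
    return [line for line in log_lines if "<private>" in line]
```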

dlondon
Valued Contributor

Hi @cmdGriggs - does this still work for you? On Ventura it just gave the result below after I manually added the configuration profile on a test machine. The log entries happened when I unlocked Directory Utility via System Settings > Users & Groups > Network account server > Edit

log stream --predicate '(subsystem == "com.apple.AccountPolicy")'
Filtering the log data using "subsystem == "com.apple.AccountPolicy""
Timestamp Thread Type Activity PID TTL
2024-03-26 10:23:40.684354+0800 0x773 Default 0xa4fe 128 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record "<private>", record type "dsRecTypeStandard:Users": Success
2024-03-26 10:23:40.688889+0800 0x773 Default 0xa519 128 0 opendirectoryd: (AccountPolicy) [com.apple.AccountPolicy:Framework] AuthenticationAllowed: Evaluation result for record "<private>", record type "dsRecTypeStandard:Users": Success