Extension attribute to search superman log file

_aDiedericks
Contributor

Hi there,

I've been trying to find a way to get an extension attribute in Jamf to look at "/Library/Management/super/super.log" for a line:

Parameter Error: You can not use both the --deadline-count-soft and --deadline-count-hard options at the same time. You must pick one deadline count behavior.

And report the result of true/false. I have a policy set up to uninstall and reinstall super from there.

2 ACCEPTED SOLUTIONS

AJPinto
Honored Contributor III

You would need to use macOS log predicates, and query macOS Event Logging which should not be done with an Extension Attribute. At least I would not recommend trying to parse event logs with an Extension Attribute. Terminal can open a log file with Vim or Nano, but those are text editors and there is not a way for them to tell you if a value is in the log.

 

You really want a tool that monitors macOS Event logs and notifies or redirects when a particular event happens. This is not something Jamf Pro can do, however Jamf Protect can. Jamf Protect can even trigger a Jamf Pro policy when it sees an event such as one to reinstall Super if you wanted.


sdagley
Esteemed Contributor II

The request from @_aDiedericks was to check the "/Library/Management/super/super.log" log file, not the system log stream, so there is no need to query macOS Event Logging and a simple grep of the contents of that file like the EA below would do what they ask:

```sh
#!/bin/sh

LogToQuery="/Library/Management/super/super.log"

result="false"

if [ -e "$LogToQuery" ]; then
	errorFound=$(/usr/bin/grep '--deadline-count-soft and --deadline-count-hard' "$LogToQuery")
	if [ -n "$errorFound" ]; then
		result="true"
	fi
fi

echo "<result>$result</result>"
```

The caveat on using this EA is that once the error is in the super.log file it will _always_ return true, so the policy to re-install super should nuke the log file so it's not triggered repeatedly.



Thanks! Your script works. I already had the policy configured to delete super.log after run, that should make this a self-sustainable process. I just had to correct the LogToQuery reference directory as well as the grep search; for some reason '--deadline-count-soft and --deadline-count-hard' just kept reporting false even though the log stated true. End result is as below:

```sh
#!/bin/sh

LogToQuery="/Library/Management/super/logs/super.log"

result="false"

if [ -e "$LogToQuery" ]; then
	errorFound=$(/usr/bin/grep 'You can not use both the --deadline-count-soft and --deadline-count-hard options at the same time. You must pick one deadline count behavior.' "$LogToQuery")
	if [ -n "$errorFound" ]; then
		result="true"
	fi
fi

echo "<result>$result</result>"
```
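
Added example, not part of any post in this thread: the two grep forms side by side. A pattern that begins with `--` is read by grep as an option unless it follows `-e`, so the unguarded form prints nothing and the EA reports false; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Path as corrected by the original poster.
LogToQuery="/Library/Management/super/logs/super.log"
Needle='--deadline-count-soft and --deadline-count-hard'

# Unguarded form: the pattern starts with "--", so grep parses it as an
# option, exits with an error and prints nothing; the result stays "false".
check_unguarded() {
	found=$(grep '--deadline-count-soft and --deadline-count-hard' "$1" 2>/dev/null) || found=""
	if [ -n "$found" ]; then echo "true"; else echo "false"; fi
}

# Guarded form: -e marks the next argument as the pattern, -F matches it
# as literal text, -q returns only an exit status. A missing or
# non-regular file reports "false".
check_guarded() {
	if [ -f "$1" ] && grep -F -q -e "$Needle" "$1"; then
		echo "true"
	else
		echo "false"
	fi
}

# Constructed sample log (hypothetical line format) for an offline run.
make_sample_log() {
	sample=$(mktemp "${TMPDIR:-/tmp}/superlog.XXXXXX") || return 1
	printf '%s\n' \
		'Status: constructed line without the error' \
		'Parameter Error: You can not use both the --deadline-count-soft and --deadline-count-hard options at the same time. You must pick one deadline count behavior.' \
		> "$sample"
	echo "$sample"
}

# Extension attribute output for the real log file.
echo "<result>$(check_guarded "$LogToQuery")</result>"
```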



dlondon
Valued Contributor

I know it's a bit of a hammer approach, but wouldn't applying the corrected policy with the right options to every machine fix your problem?