Skip to main content
Solved

Extension attribute to search superman log file

_aDiedericks
Forum|alt.badge.img+8

Hi there,

I've been trying to find a way to get an extension attribute in Jamf to look at "/Library/Management/super/super.log" for a line:

Parameter Error: You can not use both the --deadline-count-soft and --deadline-count-hard options at the same time. You must pick one deadline count behavior.

And report the result of true/false. I have a policy setup to uninstall and reinstall super from there.

Best answer by AJPinto

You would need to use macOS log predicates, and query macOS Event Logging which should not be done with an Extension Attribute. At least I would not recommend trying to parse event logs with an Extension Attribute. Terminal can open a log file with Vim or Nano, but those are text editors and there is not a way for them to tell you if a value is in the log.

 

You really want a tool that monitors macOS Event logs and notifies or redirects when a particular event happens. This is not something Jamf Pro can do, however Jamf Protect can. Jamf Protect can even trigger a Jamf Pro policy when it sees an event such as one to reinstall Super if you wanted.

View original
    Did this topic help you find an answer to your question?

    4 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2725 replies
    • Answer
    • April 16, 2024

    You would need to use macOS log predicates, and query macOS Event Logging which should not be done with an Extension Attribute. At least I would not recommend trying to parse event logs with an Extension Attribute. Terminal can open a log file with Vim or Nano, but those are text editors and there is not a way for them to tell you if a value is in the log.

     

    You really want a tool that monitors macOS Event logs and notifies or redirects when a particular event happens. This is not something Jamf Pro can do, however Jamf Protect can. Jamf Protect can even trigger a Jamf Pro policy when it sees an event such as one to reinstall Super if you wanted.

    _aDiedericks
    1 person likes this
    • _aDiedericks
      _aDiedericks
    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • 3540 replies
    • April 17, 2024
    AJPinto wrote:

    You would need to use macOS log predicates, and query macOS Event Logging which should not be done with an Extension Attribute. At least I would not recommend trying to parse event logs with an Extension Attribute. Terminal can open a log file with Vim or Nano, but those are text editors and there is not a way for them to tell you if a value is in the log.

     

    You really want a tool that monitors macOS Event logs and notifies or redirects when a particular event happens. This is not something Jamf Pro can do, however Jamf Protect can. Jamf Protect can even trigger a Jamf Pro policy when it sees an event such as one to reinstall Super if you wanted.


    The request from @_aDiedericks was to check the "/Library/Management/super/super.log" log file, not the system log stream, so there is no need to query macOS Event Logging and a simple grep of the contents of that file like the EA below would do what they ask:

    #!/bin/sh LogToQuery="/Library/Management/super/super.log" result="false" if [ -e "$LogToQuery" ]; then errorFound=$(/usr/bin/grep '--deadline-count-soft and --deadline-count-hard' "$LogToQuery") if [ -n "$errorFound" ]; then result="true" fi fi echo "<result>$result</result>"

    The caveat on using this EA is that once the error is in the super.log file it will _always_ return true, so the policy to re-install super should nuke the log file so it's not triggered repeatedly.

    _aDiedericks
    1 person likes this
    • _aDiedericks
      _aDiedericks
    dlondon
    Forum|alt.badge.img+14
    • dlondon
    • Honored Contributor
    • 375 replies
    • April 18, 2024

    I know it's a bit of a hammer approach, but wouldn't applying the corrected policy with right options to every machine fix your problem?

    _aDiedericks
    Forum|alt.badge.img+8
    • _aDiedericks
    • Author
    • Contributor
    • 48 replies
    • April 18, 2024
    sdagley wrote:

    The request from @_aDiedericks was to check the "/Library/Management/super/super.log" log file, not the system log stream, so there is no need to query macOS Event Logging and a simple grep of the contents of that file like the EA below would do what they ask:

    #!/bin/sh LogToQuery="/Library/Management/super/super.log" result="false" if [ -e "$LogToQuery" ]; then errorFound=$(/usr/bin/grep '--deadline-count-soft and --deadline-count-hard' "$LogToQuery") if [ -n "$errorFound" ]; then result="true" fi fi echo "<result>$result</result>"

    The caveat on using this EA is that once the error is in the super.log file it will _always_ return true, so the policy to re-install super should nuke the log file so it's not triggered repeatedly.


    Thanks! Your script works. I already had the policy configured to delete super.log after run, that should make this a self sustainable process. I just had to correct the LogToQuery reference directory as well as the grep search for some reason '--deadline-count-soft and --deadline-count-hard' just kept reporting false even though the log stated true. End result is as below:

    #!/bin/sh LogToQuery="/Library/Management/super/logs/super.log" result="false" if [ -e "$LogToQuery" ]; then errorFound=$(/usr/bin/grep 'You can not use both the --deadline-count-soft and --deadline-count-hard options at the same time. You must pick one deadline count behavior.' "$LogToQuery") if [ -n "$errorFound" ]; then result="true" fi fi echo "<result>$result</result>"



    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings