Unified Logging in macOS

With the introduction of "Unified Logging" in macOS 10.12 Sierra, you can use the log command to view system log messages in a terminal. For example:

sudo log stream

sudo log stream --process `pgrep -f /usr/local/bin/myprogram` --info --debug

log show --predicate 'process == "myprogram"' --last 1h --info --debug

# --last only works with "log show" (not "log stream"); the redirect target must be a file, not a directory
sudo log show --info --predicate 'eventMessage contains "password"' --last 15m > /Users/promin/Desktop/loggs/

# This will pull incorrect password attempts
sudo log show --info --predicate 'eventMessage contains "incorrect password attempt"' --last 15m > /Users/promin/Desktop/loggs/lol.txt

log show --info --predicate 'eventMessage contains "login"' --last 3d > /Users/promin/Desktop/loggs

log show --info --predicate 'eventMessage contains "sudo"' --last 3d > /Users/promin/Desktop/loggs
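As an added example (not part of these notes), the following Python helper runs the same "incorrect password attempt" query with --style json so the output can be parsed, then totals failed attempts per invoking user and flags users at or over a threshold. The sudo message wording, the JSON field names and the sample events are assumptions/constructed; the live query only works on macOS.

```python
"""Triage failed sudo password attempts from macOS unified log JSON (added example)."""
import json
import re
import subprocess
from collections import Counter

# Regex modelled on sudo's failure line:
#   "<user> : N incorrect password attempts ; TTY=... ; USER=... ; COMMAND=..."
# Assumption: the exact wording may differ across macOS/sudo versions.
_SUDO_FAIL = re.compile(
    r"^(?P<user>\S+) : (?P<n>\d+) incorrect password attempts?\b.*?COMMAND=(?P<cmd>.*)$")

def build_log_show_cmd(needle: str, last: str = "15m") -> list[str]:
    """Same query as the notes above, with --style json so the output is machine-readable."""
    return ["log", "show", "--info", "--style", "json", "--last", last,
            "--predicate", f'eventMessage contains "{needle}"']

def fetch_events(needle: str, last: str = "15m") -> list[dict]:
    """Run `log show` (macOS only) and return the decoded JSON array of events."""
    proc = subprocess.run(build_log_show_cmd(needle, last), check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def summarise_failures(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Sum failed password attempts per invoking user; return users at/over threshold."""
    totals: Counter = Counter()
    for ev in events:
        m = _SUDO_FAIL.match(ev.get("eventMessage", ""))
        if m:
            totals[m["user"]] += int(m["n"])
    return {user: n for user, n in totals.items() if n >= threshold}

# Constructed sample events in the shape `log show --style json` emits
# (eventMessage / processImagePath / timestamp keys assumed); not real log data.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01 10:00:01.000000-0800", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "promin : 3 incorrect password attempts ; TTY=ttys000 ; PWD=/Users/promin ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2024-01-01 10:00:09.000000-0800", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "promin : 1 incorrect password attempt ; TTY=ttys000 ; PWD=/Users/promin ; USER=root ; COMMAND=/bin/ls"},
    {"timestamp": "2024-01-01 10:01:00.000000-0800", "processImagePath": "/usr/bin/sudo",
     "eventMessage": "guest : 1 incorrect password attempt ; TTY=ttys001 ; PWD=/ ; USER=root ; COMMAND=/bin/cat"},
    {"timestamp": "2024-01-01 10:02:00.000000-0800", "processImagePath": "/usr/sbin/sshd",
     "eventMessage": "Accepted keyboard-interactive/pam for promin from 10.0.0.5 port 50000 ssh2"},
]

if __name__ == "__main__":
    print(summarise_failures(SAMPLE_EVENTS))  # offline demo on the constructed sample
    # print(summarise_failures(fetch_events("incorrect password attempt")))  # live, on macOS
```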


Global policies apply to both admin users and regular users in macOS. Be careful when you set your policies so that you don’t inadvertently lock out admin users.

Use these steps to unlock affected user accounts, including admin users.

If you lock out an Open Directory admin

In Terminal, use this command:

sudo pwpolicy -n /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi clearaccountpolicies

If you lock out a local admin

Start the computer in single user mode. To start in single user mode, hold Command-S at startup.

Use the following commands to remove the global password policy when the shell prompt appears:

/sbin/fsck -fy

/sbin/mount -uw /

/bin/launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist

/usr/bin/pwpolicy -n /Local/Default clearaccountpolicies

After entering the commands, press Control-D to restart the computer normally.

Reset the Open Directory administrator password

You can reset the Open Directory administrator password for macOS Server without affecting user data. If an administrator departs without leaving their password, this is the best way to access their account.

On the Open Directory server, open Terminal and use this command:

ldapsearch -LLL -x -H ldap:// -s base namingContexts

In the output, look for the dc= entries, such as dc=ldap1,dc=example,dc=com. Note these entries.

Log in to the server as an administrator.

Open Terminal, then use the following command. Replace the sample dc= entries with the entries you noted before. Also, if the directory administrator account’s uid is not diradmin, change the command accordingly.

sudo ldappasswd -x -H ldapi://%2Fvar%2Frun%2Fldapi -S uid=diradmin,cn=users,dc=ldap1,dc=example,dc=com

Enter your administrator account password when prompted.

At the “New Password:” prompt, enter the new directory administrator password you want to use. Enter it again when prompted.