Apple Audit Logs

Overview

Evidence: Apple Audit Logs
Description: Collect Apple Audit Logs
Category: System
Platform: macos
Short Name: audl
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Apple audit logs record security-relevant events including execs, auth, and file operations. This data is essential for deep incident response and attribution.

Data Collected

This collector gathers structured data about apple audit logs.

Apple Audit Logs Data

Field	Description	Example
`AuditLogFile`	Audit Log File	Example value
`Version`	Version	123
`Event`	Event	Example value
`Modifier`	Modifier	123
`Time`	Time	2023-10-15 14:30:25+03:00
`Msec`	Msec	123
`AuditUID`	Audit UID	Example value
`UID`	UID	Example value
`GID`	GID	Example value
`RUID`	RUID	Example value
`RGID`	RGID	Example value
`PID`	PID	123
`SID`	SID	123
`TID`	TID	Example value
`Errval`	Errval	Example value
`Retval`	Retval	123
`SignerType`	Signer Type	123
`SigningID`	Signing ID	Example value
`TeamID`	Team ID	Example value
`CDHash`	CD Hash	Example value
`ExecArgs`	Exec Args	Example value
`FullPath`	Full Path	Example value
`Path`	Path	Example value

Collection Method

This collector copies /private/var/audit/* files and parses them using praudit -x -l, recording results into audit_log.

Forensic Value

This evidence is crucial for forensic investigations as it provides authoritative, structured audit records with process and identity context.