Logind
Overview
Evidence: Logind
Description: Filter user login events
Category: System
Platform: macos
Short Name: lgnd
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The logind process on macOS manages user login sessions and authentication events. It handles local and remote login attempts, session creation, and user credential validation. These events are critical for tracking user access to the system.
Data Collected
This collector gathers structured data about logind.
Collection Method
This collector uses the macOS ‘log’ command with predicate-based filtering to extract logind process events over the last 3 days. Log entries are parsed from JSON format and stored in the unified_logs table with PredicateType=‘Logind’.
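The collection method described above can be reproduced by hand for validation. The following is an added example, not the collector's own code: the predicate `process == "logind"`, the row column names other than PredicateType, and the sample entries are assumptions or constructed values.

```python
import json
import os
import subprocess
from datetime import datetime, timezone

# Assumed predicate: the collector's real predicate is not given on this page.
LOG_CMD = ["log", "show", "--last", "3d", "--style", "json",
           "--predicate", 'process == "logind"']

def parse_logind(json_text):
    """Flatten `log show --style json` output into time-ordered logind rows."""
    rows = []
    for entry in json.loads(json_text):
        # Defensive re-check in case a broader predicate was used upstream.
        if os.path.basename(entry.get("processImagePath", "")) != "logind":
            continue
        ts = datetime.strptime(entry["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z")
        rows.append((ts.astimezone(timezone.utc), {
            "PredicateType": "Logind",            # value named on the page
            "ProcessID": entry.get("processID"),  # other column names are hypothetical
            "MessageType": entry.get("messageType"),
            "Message": entry.get("eventMessage", ""),
        }))
    rows.sort(key=lambda pair: pair[0])
    # Normalise to UTC so hosts in different time zones share one timeline.
    return [dict(row, TimestampUTC=ts.isoformat()) for ts, row in rows]

def collect():
    """Run the query on a macOS host and parse its output."""
    out = subprocess.run(LOG_CMD, capture_output=True, text=True, check=True)
    return parse_logind(out.stdout)

# Constructed sample in the shape `log show --style json` emits (not real events).
SAMPLE = json.dumps([
    {"timestamp": "2024-03-02 09:15:00.250000-0800", "processID": 311,
     "processImagePath": "/System/Library/CoreServices/logind",
     "messageType": "Default", "eventMessage": "constructed message B"},
    {"timestamp": "2024-03-01 23:59:59.000001+0100", "processID": 311,
     "processImagePath": "/System/Library/CoreServices/logind",
     "messageType": "Error", "eventMessage": "constructed message A"},
    {"timestamp": "2024-03-02 09:15:01.000000-0800", "processID": 402,
     "processImagePath": "/usr/libexec/otherd",
     "messageType": "Default", "eventMessage": "constructed, other process"},
])

if __name__ == "__main__":
    for row in parse_logind(SAMPLE):
        print(row["TimestampUTC"], row["MessageType"], row["Message"])
```
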
Forensic Value
Logind events are essential for investigating unauthorized access attempts, credential abuse, session hijacking, and establishing user activity timelines. They reveal login times, authentication methods, failed attempts, and session details crucial for incident response and user access auditing.