macOS Logs
macOS Unified Logging is Apple's system-wide log framework capturing kernel, system and application telemetry on macOS hosts.
Enginsight Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (23)
| Field | Description | Type |
|---|---|---|
| maclog.traceID | Unique numeric identifier for this trace event. | plong |
| maclog.eventMessage | Human-readable log message describing the event. | text_general |
| maclog.eventType | Type or classification of the logged event. | text_general |
| maclog.activityIdentifier | Numeric identifier for the activity context. | plong |
| maclog.subsystem | Subsystem or module that generated the log. | text_general |
| maclog.category | Log category grouping similar messages. | text_general |
| maclog.threadID | Identifier of the thread where the event occurred. | plong |
| maclog.userID | Numeric user identifier associated with the event. | plong |
| maclog.senderImageUUID | UUID of the code image that sent the message. | string |
| maclog.backtrace.frames.imageOffset | List of offsets within each image for backtrace frames. | plong [] |
| maclog.backtrace.frames.imageUUID | List of UUIDs of images referenced in backtrace frames. | string [] |
| maclog.bootUUID | UUID of the system boot session. | string |
| maclog.processImagePath | Filesystem path to the process's executable image. | text_general |
| maclog.timestamp | Date and time when the log entry was created. | pdate |
| maclog.senderImagePath | Filesystem path to the sender code image. | text_general |
| maclog.machTimestamp | Kernel Mach timestamp for the event. | plong |
| maclog.messageType | Format or type of the log message. | text_general |
| maclog.processImageUUID | UUID of the process executable image. | string |
| maclog.processID | Process identifier (PID) generating the log. | plong |
| maclog.senderProgramCounter | Program counter value at the point of logging. | plong |
| maclog.parentActivityIdentifier | Identifier of the parent activity context. | plong |
| maclog.timezoneName | Name of the local timezone when logged. | text_general |
| maclog.formatString | Original format string used to generate the message. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.