'doesn't have get-task-allow' in LogEntry

How to fix 'doesn't have get-task-allow' in a LogEntry which was retrieved using OSLogStore.

Example log output:

2021-08-18 11:47:05 +0000 macOSTaskPolicy: (kav) may not get the taskport of (opendirectoryd) (pid: 131): (opendirectoryd) is hardened, (opendirectoryd) doesn't have get-task-allow, (kav) is not a declared debugger

The above log does not have a proper log message. Kindly help me to resolve this issue.

Replies

I’m sorry but I don’t understand your question. Here’s what I have so far:

  • You’re working on the Mac.

  • You’ve seen a specific log entry (doesn't have get-task-allow) in the system log.

Based on that log message it looks like a process, kav, is trying to manipulate a system process, opendirectoryd, via a debugging interface. That won’t work because system processes are protected via SIP.

Are you responsible for this kav process? If so, why does it need to manipulate opendirectoryd? If not, why are you concerned about this log entry?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • I'm trying to fetch Mac system logs using Swift code (OSLogStore API). My code is something like this to print logs for the past 1 minute.

    import OSLog

    func main() throws {
        let store = try OSLogStore.local()
        let interval = store.position(timeIntervalSinceEnd: -60.0)
        let entries = try store.getEntries(with: [], at: interval, matching: nil)
        for e in entries {
            print(e.date, e.composedMessage)
        }
    }
    try! main()

    Reference for this code: Example code

    As expected, I am getting some log-like output. But these logs do not match the logs shown in the Console application. Also, most of the log entries say 'doesn't have get-task-allow' (this type of log was not displayed in Console).

    I need to print a proper system log using Swift code. Is there any configuration that I am missing to achieve my goal?


Hi Eskimo! Thanks for answering.

I'm trying to fetch Mac system logs using Swift in Xcode (OSLogStore API). My code is something like this to print logs for the past 1 minute.

import OSLog

func main() throws {
    // Open the local unified log store.
    let store = try OSLogStore.local()
    // Start reading 60 seconds before the end of the store.
    let interval = store.position(timeIntervalSinceEnd: -60.0)
    // No enumeration options and no predicate: every entry from that position on.
    let entries = try store.getEntries(with: [], at: interval, matching: nil)
    for e in entries {
        print(e.date, e.composedMessage)
    }
}
try! main()

Reference for this code: Example code

As expected, I am getting some log-like output. But these logs do not match the logs shown in the Console application. Also, most of the log entries say 'doesn't have get-task-allow' (this type of log was not displayed in Console).

Sample output when I executed the above Swift code:

2021-08-24 08:04:56 +0000 initiating malware scan (activeRulesVersion: 11555676988044606669 lastScanVersion: 10415043430518216312 chgtime: 1628617978 lastFileScanTime: 1628619174 pid: 17339 info_path: /Users/test/Downloads/Xcode 2.app/Contents/PlugIns/DebuggerFoundation.ideplugin/Contents/MacOS/DebuggerFoundation proc_path: /Users/test/Downloads/Xcode 2.app/Contents/Developer/usr/bin/xcodebuild
2021-08-24 08:04:56 +0000 Starting malware scan for: /Users/test/Downloads/Xcode 2.app/Contents/PlugIns/DebuggerFoundation.ideplugin/Contents/MacOS/DebuggerFoundation
2021-08-24 08:04:56 +0000 Outer bundle for: /Users/test/Downloads/Xcode 2.app/Contents/PlugIns/DebuggerFoundation.ideplugin/Contents/MacOS/DebuggerFoundation is /Users/test/Downloads/Xcode 2.app
2021-08-24 08:04:56 +0000 Recording cache miss for /Users/test/Downloads/Xcode 2.app/Contents/PlugIns/DebuggerFoundation.ideplugin/Contents/MacOS/DebuggerFoundation
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the kernel task port: SIP is on and (kav) is not entitled or whitelisted
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the taskport of (launchd) (pid: 1): (launchd) is hardened, (launchd) doesn't have get-task-allow, (kav) is not a declared debugger
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the taskport of (UserEventAgent) (pid: 96): (UserEventAgent) is hardened, (UserEventAgent) doesn't have get-task-allow, (kav) is not a declared debugger

I need to print a proper system log using Swift code. Is there any configuration that I am missing to achieve this goal?
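Added example, not part of the thread or of anyone's posted code: the macOSTaskPolicy lines in the sample output follow two fixed shapes, so a short Python script can separate them from the rest of a dump and show which process keeps being denied a task port. The function names are illustrative, and the sample lines are copied from the output quoted above.

```python
import re
from collections import defaultdict

# Sample lines copied from the output quoted in this thread.
SAMPLE = """\
2021-08-24 08:04:56 +0000 Recording cache miss for /Users/test/Downloads/Xcode 2.app/Contents/PlugIns/DebuggerFoundation.ideplugin/Contents/MacOS/DebuggerFoundation
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the kernel task port: SIP is on and (kav) is not entitled or whitelisted
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the taskport of (launchd) (pid: 1): (launchd) is hardened, (launchd) doesn't have get-task-allow, (kav) is not a declared debugger
2021-08-24 08:04:56 +0000 macOSTaskPolicy: (kav) may not get the taskport of (UserEventAgent) (pid: 96): (UserEventAgent) is hardened, (UserEventAgent) doesn't have get-task-allow, (kav) is not a declared debugger
"""

# Two shapes appear on the page: a denial for a named process and one for the kernel task port.
DENIAL = re.compile(
    r"macOSTaskPolicy: \((?P<requester>[^)]+)\) may not get the "
    r"(?:taskport of \((?P<target>[^)]+)\) \(pid: (?P<pid>\d+)\)|(?P<kernel>kernel task port))"
    r": (?P<reasons>.+)$"
)

def parse_denial(line):
    """Return a dict for a macOSTaskPolicy denial line, or None for any other line."""
    m = DENIAL.search(line.rstrip("\\ \n"))
    if m is None:
        return None
    return {
        "requester": m["requester"],
        "target": m["target"] or "kernel",
        "pid": int(m["pid"]) if m["pid"] else None,
        # Reasons are comma-separated clauses; the kernel form has a single clause.
        "reasons": [r.strip() for r in m["reasons"].split(",")],
    }

def summarize(text):
    """Split a log dump into (denials grouped by requesting process, every other line)."""
    by_requester, other = defaultdict(list), []
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            by_requester[d["requester"]].append(d)
        elif line.strip():
            other.append(line)
    return dict(by_requester), other

if __name__ == "__main__":
    denials, other = summarize(SAMPLE)
    for requester, hits in denials.items():
        print(requester, "denied for:", [(h["target"], h["pid"]) for h in hits])
    print(len(other), "other entries")
```

Grouping by the requesting process makes it clear that every denial in the sample comes from one process, kav, rather than from the tool that reads the log.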

I'm trying to Fetch MAC system logs using swift in Xcode

What version of macOS are you testing this on?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am using macOS Catalina and Xcode 12 for development.

This is working for me. Specifically, I took your code from this post and put it in a command-line tool project created with Xcode 12.5 on macOS 11.5.2. I built and ran it from Xcode and it worked. I then transferred the tool to a 10.15.7 VM and ran it from Terminal. It worked there too.

And by “worked” I mean:

  • It printed a lot of log messages.

  • There was no sign of the get-task-allow messages that you saw.

Are you running your test as an admin user? That’s necessary for OSLog to access the relevant stuff.

Do you see any significant difference between my test approach and yours?

Can you retest on a ‘clean’ machine? Honestly, I suspect that there’s something about your environment that’s triggering this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, it worked fine on another Catalina machine. As you mentioned, it might be an environment problem.

Is there any API or other option for collecting logs from "pre macOS 10.15" (i.e. before Catalina)?

Yes, it worked fine on another Catalina machine. As you mentioned, it might be an environment problem.

Is there any API or other option for collecting logs from "pre macOS 10.15" (i.e. before Catalina)?

So, I’ve interpreted the above to mean:

  • You consider the original issue closed.

  • You’d like to ask a second question about pre-10.15 support.

Is that right? [There’s nothing wrong with asking new questions, I just want to confirm that I’ve understood you correctly.]


So, with regards to collecting the log store on pre-10.15 machines, there’s certainly no API for that. The only option I can see is to run the log command-line tool with the collect subcommand.

PS I’m not a fan of using command-line tools as API but in this case it’s safe because you can use the API on 10.15 and later and you know that pre-10.15 systems won’t change significantly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You consider the original issue closed.

Yes, my first issue was resolved and it can be considered closed.

You’d like to ask a second question about pre-10.15 support.

Yeah, this was my second question, and based on your answer it was clear to me that there was no API for pre-10.15 machines. I will try to implement log collect for pre-10.15.

I was fed up searching for a log collection API for pre-10.15. Thanks for your solution, which would be helpful for me.


Is there any reason why Apple broke the Syslog forwarding (Syslog.conf) method on the Mac, which was there in the earlier versions to collect all system logs? Now it is not as effective as before.

Is there any reason why Apple broke the Syslog forwarding

The unified logging system has completely different goals from its predecessors (Apple System Log and, before that, syslog). The new goals are driven by the fact that the vast majority of Apple devices are not Macs sitting on someone’s desk in a managed environment — which is the traditional focus of logging systems — but rather unmanaged mobile devices (including iOS devices, obviously, but even on the Mac side of things the majority of machines we ship are laptops).

If you’re curious about the design philosophy behind this system, I recommend that you watch WWDC 2016 Session 721 Unified Logging and Activity Tracing. Unfortunately that’s no longer available on the developer web site, but if you hunt around on the ’net you can find a copy (or at least a transcript).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"