Couldn't generate ES_EVENT_TYPE_NOTIFY_AUTHENTICATION events with endpoint security

I wrote a program to receive the notify events from the Endpoint Security framework. The ES_EVENT_TYPE_NOTIFY_AUTHENTICATION event is not notified/logged in any scenario. Please help me with information on when the Mac generates or notifies this event.

Replies

The first step in investigating problems like this is to try them out with eslogger. If it can see the event, you know that the problem is with your ES client code. So, can you see this event in eslogger?

See the eslogger man page for more on how to use it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your help. I was able to identify the issue. The event was getting generated but it wasn't getting logged with the below code. I am trying to os_log all the fields from the event.

    os_log(OS_LOG_DEFAULT,
           "ES_EVENT_TYPE_NOTIFY_AUTHENTICATION success=%d type=%d audit_token=%d ppid=%d "
           "original_ppid=%d group_id=%d session_id=%d codesigning_flags=%d "
           "is_platform_binary=%d is_es_client=%d cdhash[20]=%s signing_id=%s team_id=%s "
           "executable=%s start_time=%ld responsible_audit_token=%d parent_audit_token=%d "
           "record_type=%s record_name=%s node_name=%s db_path=%s "
           "touchid.mode=%d touchid.has_uid=%d uid.uid=%d "
           "pubket_hash=%s token_id=%s kerberos_principal=%s "
           "autounlock.usernamme=%s autounlock.type=%d | EXIT: status: %d",
           msg->event.authentication->success,
           msg->event.authentication->type,
           msg->event.authentication->data.od->instigator->audit_token.val[0],
           msg->event.authentication->data.od->instigator->ppid,
           msg->event.authentication->data.od->instigator->original_ppid,
           msg->event.authentication->data.od->instigator->group_id,
           msg->event.authentication->data.od->instigator->session_id,
           msg->event.authentication->data.od->instigator->codesigning_flags,
           msg->event.authentication->data.od->instigator->is_platform_binary,
           msg->event.authentication->data.od->instigator->is_es_client,
           msg->event.authentication->data.od->instigator->cdhash,
           msg->event.authentication->data.od->instigator->signing_id.data,
           msg->event.authentication->data.od->instigator->team_id.data,
           msg->event.authentication->data.od->instigator->executable->path.data,
           msg->event.authentication->data.od->instigator->start_time.tv_sec,
           msg->event.authentication->data.od->instigator->responsible_audit_token.val[0],
           msg->event.authentication->data.od->instigator->parent_audit_token.val[0],
           msg->event.authentication->data.od->record_type.data,
           msg->event.authentication->data.od->record_name.data,
           msg->event.authentication->data.od->node_name.data,
           msg->event.authentication->data.od->db_path.data,
           msg->event.authentication->data.touchid->touchid_mode,
           msg->event.authentication->data.touchid->has_uid,
           msg->event.authentication->data.touchid->uid.uid,
           msg->event.authentication->data.token->pubkey_hash.data,
           msg->event.authentication->data.token->token_id.data,
           msg->event.authentication->data.token->kerberos_principal.data,
           msg->event.authentication->data.auto_unlock->username.data,
           msg->event.authentication->data.auto_unlock->type,
           msg->event.exit.stat);

The event was getting generated but it wasn't getting logged with the below code.

Sadly, I can’t read your code. Please format it as a code block. See tips 5 and 6 in Quinn’s Top Ten DevForums Tips.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
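
An added example, not code from this thread or from Apple: in EndpointSecurity's `es_event_authentication_t`, `data` is a union and `type` says which member is valid, so a logger should switch on `type` instead of reading `od`, `touchid`, `token` and `auto_unlock` for the same event. `describe_authentication` and `TOK` are hypothetical names, and the non-Apple branch uses reduced stand-in types (an assumption) so the block builds without the macOS SDK.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#else /* Assumption: reduced stand-ins for the SDK types so the example builds without the macOS SDK. */
typedef struct { size_t length; const char *data; } es_string_token_t;
typedef enum { ES_AUTHENTICATION_TYPE_OD, ES_AUTHENTICATION_TYPE_TOUCHID,
               ES_AUTHENTICATION_TYPE_TOKEN, ES_AUTHENTICATION_TYPE_AUTO_UNLOCK } es_authentication_type_t;
typedef struct { es_string_token_t record_type, record_name, node_name, db_path; } es_event_authentication_od_t;
typedef struct { int touchid_mode; bool has_uid; } es_event_authentication_touchid_t;
typedef struct { es_string_token_t pubkey_hash, token_id, kerberos_principal; } es_event_authentication_token_t;
typedef struct { es_string_token_t username; int type; } es_event_authentication_auto_unlock_t;
typedef struct {
    bool success; es_authentication_type_t type;
    union { es_event_authentication_od_t *od; es_event_authentication_touchid_t *touchid;
            es_event_authentication_token_t *token; es_event_authentication_auto_unlock_t *auto_unlock; } data;
} es_event_authentication_t;
#endif
/* es_string_token_t is length-delimited: print with %.*s and guard a NULL pointer. */
#define TOK(t) (int)(t).length, ((t).data ? (t).data : "")

/* Hypothetical helper: formats only the union member that ev->type selects. */
int describe_authentication(const es_event_authentication_t *ev, char *out, size_t cap) {
    switch (ev->type) {
    case ES_AUTHENTICATION_TYPE_OD:
        return snprintf(out, cap, "od success=%d record_type=%.*s record_name=%.*s node_name=%.*s", ev->success,
                        TOK(ev->data.od->record_type), TOK(ev->data.od->record_name), TOK(ev->data.od->node_name));
    case ES_AUTHENTICATION_TYPE_TOUCHID:
        return snprintf(out, cap, "touchid success=%d mode=%d has_uid=%d", ev->success,
                        (int)ev->data.touchid->touchid_mode, ev->data.touchid->has_uid);
    case ES_AUTHENTICATION_TYPE_TOKEN:
        return snprintf(out, cap, "token success=%d token_id=%.*s kerberos_principal=%.*s", ev->success,
                        TOK(ev->data.token->token_id), TOK(ev->data.token->kerberos_principal));
    case ES_AUTHENTICATION_TYPE_AUTO_UNLOCK:
        return snprintf(out, cap, "auto_unlock success=%d username=%.*s type=%d", ev->success,
                        TOK(ev->data.auto_unlock->username), (int)ev->data.auto_unlock->type);
    default: /* future or unknown type: touch no union member */
        return snprintf(out, cap, "authentication success=%d unhandled type=%d", ev->success, (int)ev->type);
    }
}

int main(void) { /* constructed sample event, not captured data */
    es_event_authentication_auto_unlock_t au = { .username = { 5, "alice" }, .type = 1 };
    es_event_authentication_t ev = { .success = true, .type = ES_AUTHENTICATION_TYPE_AUTO_UNLOCK, .data = { .auto_unlock = &au } };
    char line[128];
    return describe_authentication(&ev, line, sizeof line) < 0 || puts(line) == EOF;
}
```

In an ES client the resulting line can be passed to os_log as a single `%{public}s` argument.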