Pro plugin
Unified Logs
Preserves macOS Unified Logging stores (/var/db/diagnostics, /var/db/uuidtext), generates a sealed .logarchive via `log collect`, and renders six predicate-filtered NDJSON event extracts (auth, usb, network, exec, xprotect, tcc) via `log show`.
system.unifiedlogs · Pro · macOS 10.15+ · v1.0.0 · system · logs · diagnostic
Run this plugin
Trigger collection for Unified Logs on its own with the --plugin flag, or include it in a wider sweep by category.
```bash
# Just this plugin
macfor-pro collect --plugin system.unifiedlogs --output ./evidence.zip
# Dry run — list what would be collected
macfor-pro collect --plugin system.unifiedlogs --dry-run
```
Compatibility
- macOS 10.15+
Licensing: ships in the macfor-pro binary. See Community vs Pro.
Artifacts collected (3)
Each row corresponds to an entry in the plugin's artifacts.yaml manifest. Optional artifacts are skipped unless explicitly enabled.
logs
| Artifact | Format | Path | Notes |
|---|---|---|---|
| Unified Logs Raw Store (`unifiedlogs_raw_store`) | directory | `/var/db/diagnostics` (+1 more) | Binary tracev3 + uuidtext + dsc files; opaque to macfor but preserved for defensibility and independent parsing. |
| Unified Logs Archive (`unifiedlogs_logarchive`) | directory | `unifiedlogs/logs.logarchive` | .logarchive bundle — directory containing diagnostics + uuidtext + dsc + timesync + Info.plist. Rendered via `log show`. |
| Unified Logs Events (`unifiedlogs_events`) | jsonl | `unifiedlogs/events/*.ndjson` | One NDJSON file per preset. Each line is a structured log event with timestamp, subsystem, category, process, and message fields. |
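
A triage pass over one preset's NDJSON extract, as an added example (not macfor's own code). It assumes the keys are spelled exactly as the table lists them and that timestamps use the layout `log show` prints; the sample lines are constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Keys as named in the artifact table; their exact spelling is an assumption.
REQUIRED = ("timestamp", "subsystem", "category", "process", "message")
# Assumed timestamp layout, e.g. 2024-05-01 09:15:02.123456-0700
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"

def triage(lines):
    """Summarise one preset's events; record rejected lines instead of dropping them."""
    per_process, rejected = Counter(), []   # rejected holds (line_number, reason)
    first = last = None
    for n, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            rejected.append((n, "not valid JSON"))
            continue
        missing = [k for k in REQUIRED if k not in event] if isinstance(event, dict) else list(REQUIRED)
        if missing:
            rejected.append((n, "missing " + ",".join(missing)))
            continue
        try:
            ts = datetime.strptime(event["timestamp"], TS_FORMAT)
        except (TypeError, ValueError):
            rejected.append((n, "unparseable timestamp"))
            continue
        per_process[str(event["process"])] += 1
        # Compare timezone-aware datetimes: string order is wrong across UTC offsets.
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {"per_process": dict(per_process), "first": first, "last": last, "rejected": rejected}

# Constructed sample lines: mixed UTC offsets, a truncated record, a non-event record.
SAMPLE = [
    '{"timestamp": "2024-05-01 09:15:02.123456-0700", "subsystem": "com.example.auth", "category": "session", "process": "sudo", "message": "constructed sample A"}',
    '{"timestamp": "2024-05-01 16:14:59.000000+0000", "subsystem": "com.example.auth", "category": "session", "process": "sudo", "message": "constructed sample B"}',
    '{"timestamp": "2024-05-01 09:16:',
    '{"count": 3, "finished": 1}',
    '{"timestamp": "2024-05-01 09:17:30.500000-0700", "subsystem": "com.example.tcc", "category": "access", "process": "tccd", "message": "constructed sample C"}',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Rejected line numbers belong in the examiner's notes, since a truncated or non-event line in an extract is itself a finding about the export.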