diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2361cec1eda..ba86d79925a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -312,6 +312,7 @@
 /packages/lumos @elastic/security-service-integrations
 /packages/lyve_cloud @elastic/security-service-integrations
 /packages/m365_defender @elastic/security-service-integrations
+/packages/macos @elastic/sec-linux-platform
 /packages/mattermost @elastic/security-service-integrations
 /packages/memcached @elastic/obs-infraobs-integrations
 /packages/menlo @elastic/security-service-integrations
diff --git a/packages/macos/_dev/build/build.yml b/packages/macos/_dev/build/build.yml
new file mode 100644
index 00000000000..b2596b96490
--- /dev/null
+++ b/packages/macos/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v9.2.0
diff --git a/packages/macos/_dev/build/docs/README.md b/packages/macos/_dev/build/docs/README.md
new file mode 100644
index 00000000000..87bcef05836
--- /dev/null
+++ b/packages/macos/_dev/build/docs/README.md
@@ -0,0 +1,143 @@
+# macOS Integration for Elastic
+
+## Overview
+
+The macOS integration for Elastic allows you to collect and analyze unified logs from macOS systems. This integration leverages macOS's unified logging system to provide comprehensive visibility into system activities, security events, and application behaviors on macOS endpoints.
+
+macOS unified logging is Apple's centralized logging system that captures log messages from the kernel, system processes, and applications. This integration enables security teams to monitor macOS endpoints for suspicious activities, troubleshoot system issues, and maintain compliance with security policies.
+
+### Compatibility
+
+The macOS integration is compatible with macOS systems that support unified logging (macOS 10.12 Sierra and later).
+
+### How it works
+
+This integration uses the `unifiedlogs` input to collect log data from the macOS unified logging system. It can collect logs in real-time or from archived log files, with configurable filtering based on predicates, processes, and log levels.
+
+## What data does this integration collect?
+
+This integration collects unified log messages from macOS systems using configurable predicates to filter specific event types, including:
+
+- **Authentication logs**: User login/logout events, authentication failures, and credential-related activities
+ ```
+ - 'process contains "sudo" OR composedMessage CONTAINS "sudo" OR process contains "su"'
+ - 'process contains "loginwindow" and composedMessage CONTAINS "sessionDidLogin"'
+ - 'process == "sshd"'
+ ```
+- **User & Account management**: User account creation, modification, and deletion events
+ ```
+ - 'process == "sysadminctl" AND composedMessage CONTAINS "Creating user"'
+ - 'process == "dscl" AND composedMessage CONTAINS "create"'
+ - 'process == "sysadminctl" AND composedMessage CONTAINS "Deleting user"'
+ - 'process == "dscl" AND composedMessage CONTAINS "delete"'
+ - '(process == "dscl" OR process == "opendirectoryd") AND composedMessage CONTAINS "admin"'
+ ```
+- **Process execution monitoring**: Process creation, termination, and execution details
+ ```
+ - 'eventMessage CONTAINS[c] "exec" OR eventMessage CONTAINS[c] "fork" OR eventMessage CONTAINS[c] "exited" OR eventMessage CONTAINS[c] "terminated"'
+ - 'subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid")'
+ - 'composedMessage CONTAINS "com.apple.quarantine"'
+ ```
+- **Network activity**: Network connections, DNS queries, and network-related events
+ ```
+ - 'composedMessage CONTAINS "connect" AND (composedMessage CONTAINS "TCP" OR composedMessage CONTAINS "UDP")'
+ - 'composedMessage CONTAINS "disconnect" OR composedMessage CONTAINS "closed connection"'
+ - 'subsystem == "com.apple.necp" AND composedMessage CONTAINS "new connection"'
+ - 'eventMessage CONTAINS[c] "listening" AND eventMessage CONTAINS[c] "service"'
+ ```
+- **File reads/writes**: File system access, modifications, and permission changes
+ ```
+ - '(eventMessage CONTAINS "open" OR eventMessage CONTAINS "write" OR eventMessage CONTAINS "unlink" OR eventMessage CONTAINS "rename") AND ((processImagePath BEGINSWITH "/System") OR (processImagePath BEGINSWITH "/bin") OR (processImagePath BEGINSWITH "/sbin") OR (processImagePath BEGINSWITH "/usr" AND NOT processImagePath BEGINSWITH "/usr/local") OR (processImagePath BEGINSWITH "/etc"))'
+ - 'subsystem == "com.apple.quarantine" OR eventMessage CONTAINS "com.apple.quarantine"'
+ ```
+- **System changes**: System configuration changes, software installations, and updates
+ ```
+ - 'subsystem == "com.apple.security" OR subsystem == "com.apple.systempolicy" OR subsystem == "com.apple.installer" OR process == "Installer" OR process == "softwareupdated" OR eventMessage CONTAINS[c] "removed package" OR eventMessage CONTAINS[c] "forget package"'
+ ```
+- **Advanced monitoring**: Detailed system and application behavior logs
+ ```
+ - '(composedMessage CONTAINS ".plist" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (composedMessage CONTAINS ".ssh" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (process == "kernel" AND composedMessage CONTAINS "boot") OR (process == "launchd" AND (composedMessage CONTAINS "started" OR composedMessage CONTAINS "listening")) OR (process == "loginwindow" AND composedMessage CONTAINS "sessionDidLogin") OR (composedMessage CONTAINS "posix_spawn" OR composedMessage CONTAINS "exec") OR (subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid"))'
+ ```
+
+### Supported use cases
+The macOS integration in Elastic enables comprehensive monitoring and analysis of system activities, network traffic, and application behavior across macOS devices. It supports use cases such as detecting security incidents, tracking network usage, auditing system events, and analyzing performance trends. By collecting and visualizing unified logs, it helps security and IT teams gain real-time visibility, identify anomalies, ensure compliance, and enhance overall endpoint security within macOS environments.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+- Elastic Agent must be installed on the macOS system you want to monitor
+- Appropriate permissions to read system logs on the macOS system
+
+### From macOS
+
+The integration requires:
+
+- macOS 10.12 Sierra or later (for unified logging support)
+- Appropriate system permissions to access unified logs
+- For some log categories, administrative privileges may be required
+
+## How do I deploy this integration?
+
+This integration requires Elastic Agent to be installed on the macOS systems you want to monitor.
+
+### Agent-based installation
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+## Setup
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **macOS**.
+3. Select the **macOS** integration from the search results.
+4. Select **Add macOS** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ **Basic Configuration:**
+ - Enable the log categories you want to collect:
+ - Authentication
+ - User & Account management
+ - Process execution monitoring
+ - Network activity
+ - File reads/writes
+ - System changes
+ - Advanced monitoring
+
+ **Advanced Configuration (Optional):**
+ - **Predicate**: Use NSPredicate-based filtering to collect specific log messages
+ - **Process**: Specify particular processes to monitor (by PID or name)
+ - **Start/End dates**: Define time ranges for historical log collection
+ - **Log levels**: Configure which log levels to include (info, debug, backtrace, signpost)
+ - **Archive/Trace files**: Specify log archive or trace files to process
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboards populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **macOS**.
+3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.
+
+## Performance and scaling
+
+- Unified log collection can generate significant data volume, especially with debug-level logging enabled
+- Consider using predicates to filter logs and reduce data volume
+- Monitor system performance impact when collecting high-volume log categories
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Unified logs
+
+{{fields "unified_log"}}
+
+### Inputs used
+
+These inputs can be used in this integration:
+
+- [Unified Logs](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unifiedlogs)
diff --git a/packages/macos/changelog.yml b/packages/macos/changelog.yml
new file mode 100644
index 00000000000..a715f4ad047
--- /dev/null
+++ b/packages/macos/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15794
diff --git a/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-common-config.yml b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..37e8fa225fd
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
diff --git a/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log
new file mode 100644
index 00000000000..15386c92652
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log
@@ -0,0 +1,30 @@ +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%s | ApplicationManager: Checked in app : %@","userID":501,"activityIdentifier":0,"subsystem":"com.apple.loginwindow.logging","category":"Standard","threadID":13692,"senderImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","backtrace":{"frames":[{"imageOffset":109999,"imageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF"}]},"bootUUID":"","processImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","senderImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","timestamp":"2025-10-09 12:02:22.345217+0530","eventMessage":"-[SessionLogoutManager buildSessionDictionary] | final sessionDictionary:{\n DirectLogoutType = 5;\n GroupID = 248;\n GuestAccount = 0;\n HomeDirectoryPath = \"\/var\/setup\";\n SessionAgentPID = 100;\n UserGUID = \"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\";\n UserID = 248;\n UserLongName = \"Setup User\";\n UserName = \"_mbsetupuser\";\n}","processImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","traceID":3714562696282116,"processID":1062,"senderProgramCounter":109999,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%s | shortUsername = %s, userID = %d, groupID = %d","userID":0,"activityIdentifier":0,"subsystem":"com.apple.loginwindow.logging","category":"Standard","threadID":778,"senderImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","backtrace":{"frames":[{"imageOffset":56811,"imageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","senderImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","timestamp":"2025-09-25 23:32:36.119492-0700","machTimestamp":191058676868,"eventMessage":"-[Login1 doLogin] | 
shortUsername = _mbsetupuser, userID = 248, groupID = 248","processImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","traceID":3508679143981060,"processID":100,"senderProgramCounter":56811,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%s | enter","userID":0,"activityIdentifier":0,"subsystem":"com.apple.loginwindow.logging","category":"Standard","threadID":13692,"senderImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","backtrace":{"frames":[{"imageOffset":75080,"imageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","senderImagePath":"\/System\/Library\/CoreServices\/loginwindow.app\/Contents\/MacOS\/loginwindow","timestamp":"2025-09-25 23:46:06.773373-0700","machTimestamp":1001013698208,"eventMessage":"-[Login1 isGuestAccount] | enter","processImageUUID":"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF","traceID":3412540596027396,"processID":1062,"senderProgramCounter":75080,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d name=%{public}s","userID":200,"activityIdentifier":0,"subsystem":"com.apple.xpc","category":"connection","threadID":1051377,"senderImageUUID":"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C","backtrace":{"frames":[{"imageOffset":43862,"imageUUID":"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/system\/libxpc.dylib","timestamp":"2025-10-15 13:54:30.570794+0530","machTimestamp":730301634805240,"eventMessage":"[0x7fd20dafe350] activating connection: mach=false listener=false peer=true 
name=com.apple.softwareupdated.peer[24159].0x7fd20dafe350","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":6727155769933828,"processID":200,"senderProgramCounter":43862,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d name=%{public}s","userID":200,"activityIdentifier":1606042,"subsystem":"com.apple.xpc","category":"connection","threadID":1131759,"senderImageUUID":"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C","backtrace":{"frames":[{"imageOffset":43862,"imageUUID":"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/system\/libxpc.dylib","timestamp":"2025-10-15 16:21:05.035457+0530","machTimestamp":739096082829937,"eventMessage":"[0x7fd20cffa690] activating connection: mach=false listener=false peer=false name=(anonymous)","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":6727155769999364,"processID":200,"senderProgramCounter":43862,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"tcp","threadID":1132254,"senderImageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536","backtrace":{"frames":[{"imageOffset":281600,"imageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libusrtcp.dylib","timestamp":"2025-10-15 
16:21:14.585700+0530","machTimestamp":739105633072605,"eventMessage":"tcp_output [C135.1.1:3] flags=[F.] seq=1475478968, ack=3781245868, win=3586 state=FIN_WAIT_1 rcv_nxt=3781245868, snd_una=1475478944","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":1202012843394990084,"processID":200,"senderProgramCounter":281600,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"tcp","threadID":1132254,"senderImageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536","backtrace":{"frames":[{"imageOffset":182769,"imageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libusrtcp.dylib","timestamp":"2025-10-15 16:21:14.592962+0530","machTimestamp":739105640334157,"eventMessage":"tcp_input [C135.1.1:3] flags=[F.] 
seq=3781245892, ack=1475478968, win=502 state=CLOSED rcv_nxt=3781245868, snd_una=1475478944","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":1202012843394990084,"processID":200,"senderProgramCounter":182769,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"boringssl","threadID":1131560,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:20:14.143657+0530","machTimestamp":739045191029769,"eventMessage":"nw_protocol_boringssl_signal_connected(753) [C135.1.1:2][0x7fd20d8891a0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(2443ms) flight_time(396ms) rtt(248ms) write_stalls(0) read_stalls(6)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526594564,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) 
false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]","userID":200,"activityIdentifier":1606042,"subsystem":"com.apple.network","category":"boringssl","threadID":1133904,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:23:24.143463+0530","machTimestamp":739235190835402,"eventMessage":"nw_protocol_boringssl_signal_connected(755) [C258.1.1.1:2][0x8dec8a200] TLS connected [version(0x0304) ciphersuite(TLS_AES_128_GCM_SHA256) group(0x001d) signature_alg(0x0403) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(0) sct_received(0) connect_time(59ms) flight_time(56ms) rtt(56ms) write_stalls(0) read_stalls(2) pake(0x0000)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526660100,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) 
read_stalls(%zu)]","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"boringssl","threadID":1133968,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:23:32.687897+0530","machTimestamp":739243735270019,"eventMessage":"nw_protocol_boringssl_signal_connected(753) [C137.1.1:2][0x7fd20d957af0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(151ms) flight_time(50ms) rtt(49ms) write_stalls(0) read_stalls(6)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526594564,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"boringssl","threadID":1133904,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software 
Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:23:38.141145+0530","machTimestamp":739249188517441,"eventMessage":"nw_protocol_boringssl_signal_connected(753) [C138.1.1.1:2][0x7fd210e793f0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(104ms) flight_time(49ms) rtt(49ms) write_stalls(0) read_stalls(6)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526594564,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"boringssl","threadID":1133968,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:23:44.589923+0530","machTimestamp":739255637295506,"eventMessage":"nw_protocol_boringssl_signal_connected(753) [C139.1.1:2][0x7fd20d839670] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(291ms) flight_time(42ms) rtt(41ms) 
write_stalls(0) read_stalls(7)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526594564,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"boringssl","threadID":1133995,"senderImageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249","backtrace":{"frames":[{"imageOffset":182440,"imageUUID":"E8DA37CF-0F7A-38D1-8D87-3730FB158249"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libboringssl.dylib","timestamp":"2025-10-15 16:23:44.736956+0530","machTimestamp":739255784328873,"eventMessage":"nw_protocol_boringssl_signal_connected(753) [C140.1.1:2][0x7fd210ec0340] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(250ms) flight_time(53ms) rtt(53ms) write_stalls(0) read_stalls(4)]","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":390070235526594564,"processID":200,"senderProgramCounter":182440,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"Task <%{public,uuid_t}.16P>.<%lu> summary for %{public}s {transaction_duration_ms=%u, response_status=%ld, connection=%llu, protocol=\"%{public}@\", domain_lookup_duration_ms=%u, connect_duration_ms=%u, 
secure_connection_duration_ms=%u, private_relay=%{bool}d, request_start_ms=%u, request_duration_ms=%u, response_start_ms=%u, response_duration_ms=%u, request_bytes=%lld, response_bytes=%lld, cache_hit=%{bool}d}","userID":200,"activityIdentifier":0,"subsystem":"com.apple.CFNetwork","category":"Summary","threadID":1133995,"senderImageUUID":"31798E5A-30D3-381D-BC8D-F9AF4154382B","backtrace":{"frames":[{"imageOffset":987343,"imageUUID":"31798E5A-30D3-381D-BC8D-F9AF4154382B"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/System\/Library\/Frameworks\/CFNetwork.framework\/Versions\/A\/CFNetwork","timestamp":"2025-10-15 16:23:44.887310+0530","machTimestamp":739255934682331,"eventMessage":"Task .<76> summary for task success {transaction_duration_ms=646, response_status=200, connection=139, protocol=\"http\/1.1\", domain_lookup_duration_ms=42, connect_duration_ms=302, secure_connection_duration_ms=291, private_relay=false, request_start_ms=351, request_duration_ms=3, response_start_ms=644, response_duration_ms=1, request_bytes=1248, response_bytes=678, cache_hit=true}","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":405718141415718916,"processID":200,"senderProgramCounter":987343,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"%{public}s %{public}s \n\t[%{public,uuid_t}.16P %{sensitive}s:%{public}d<->%{sensitive}s:%{public}d]\n\tInit: %d, Conn_Time: %u.ums, SYNs: %u, WR_T: %d\/%d, RD_T: %d\/%d, TFO: %d\/%d\/%d, ECN: %d\/%d\/%d, Accurate ECN (client\/server): %s\/%s, TS: %d, TSO: %d\n\trtt_cache: %{public}s, rtt_upd: %d, rtt: %u.ums, rtt_var: %u.ums rtt_nc: %u.ums, rtt_var_nc: %u.ums base rtt: %ums\n\tACKs-compressed: %u, ACKs delayed: %u delayed ACKs sent: 
%u","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"tcp","threadID":1134682,"senderImageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536","backtrace":{"frames":[{"imageOffset":139368,"imageUUID":"C5739A55-A9D3-3AFB-9AC9-652E5799B536"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/usr\/lib\/libusrtcp.dylib","timestamp":"2025-10-15 16:25:41.285922+0530","machTimestamp":739372333294250,"eventMessage":"nw_protocol_tcp_log_summary [C138.1.1.1:3] \n\t[E6445355-3580-4882-BEB9-3116A7090D05 :63735<->:443]\n\tInit: 1, Conn_Time: 40.819ms, SYNs: 1, WR_T: 0\/0, RD_T: 0\/0, TFO: 0\/0\/0, ECN: 0\/0\/0, Accurate ECN (client\/server): Disabled\/Disabled, TS: 1, TSO: 1\n\trtt_cache: none, rtt_upd: 7, rtt: 126.375ms, rtt_var: 91.187ms rtt_nc: 126.375ms, rtt_var_nc: 91.187ms base rtt: 21ms\n\tACKs-compressed: 2, ACKs delayed: 0 delayed ACKs sent: 0","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":1201924813745291268,"processID":200,"senderProgramCounter":139368,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: 
%llu/%llu/%llu/%llu","userID":501,"activityIdentifier":735152,"subsystem":"com.apple.network","category":"connection","threadID":369636,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Library/PrivateFrameworks/AssetCacheServices.framework/Versions/A/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-06 13:54:22.228920+0530","machTimestamp":674887694139028,"eventMessage":"[C4 2078F1F7-050D-4E97-B216-93CB6C1E432E Hostname#2ab31f55:443 quic-connection, url hash: ad2c9e65, definite, no cellular, attribution: developer] cancelled\n\t[C4.1.1.1 7647497A-C8DC-4CB4-8104-3CD8282E82BB 192.168.29.221:61493<->IPv4#24e715a9:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 1.502s, DNS @0.002s took 0.158s, TCP @0.163s took 0.322s, TLS 1.3 took 0.681s\n\tbytes in/out: 4897/1279, packets in/out: 7/12, rtt: 0.304s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/3/0/0","processImageUUID":"A13B24FC-A7FE-39C0-80AC-BBB2E6C9A5C9","traceID":589370805553791000,"processID":1357,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order 
bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":846881,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Library/PrivateFrameworks/Categories.framework/Versions/A/XPCServices/CategoriesService.xpc/Contents/MacOS/CategoriesService","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-10 17:31:03.902924+0530","machTimestamp":713875321568105,"eventMessage":"[C5 FDF72F57-8AF3-4FDB-BCBE-088778C53F56 Hostname#57dd9b6b:443 quic-connection, url hash: 63dc1356, definite, attribution: developer] cancelled\n\t[C5.1.1.1 3D5458F0-82A5-4042-ADD0-436BC06BC41A 81.2.69.192:61679<->IPv4#b63cfd75:443]\n\tConnected Path: unsatisfied (No network route)\n\tPrivacy Stance: Not Eligible\n\tDuration: 31.645s, DNS @0.000s took 0.046s, TCP @0.092s took 0.101s, TLS 1.3 took 0.356s\n\tbytes in/out: 11307/1134, packets in/out: 15/17, rtt: 0.091s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/6/0/0","processImageUUID":"3BDFA195-D1C8-38B1-9F8F-71DF40B5644F","traceID":589370805553725400,"processID":1358,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets 
sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":989346,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Library/PrivateFrameworks/WebPrivacy.framework/Versions/A/webprivacyd","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-13 15:46:02.626846+0530","machTimestamp":725864856643286,"eventMessage":"[C3 B15E5A4C-0678-4AAE-966F-27EE4832CD2B Hostname#1b9ec12d:443 quic-connection, url hash: 6789733a, traffic class: 100, definite, no cellular, attribution: developer] cancelled\n\t[C3.1.1.1 7E1EAD37-5F78-439B-B3C0-DB0437036AEC 81.2.69.192:63744<->IPv4#f9ff2f4d:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 35.277s, DNS @0.008s took 0.036s, TCP @0.049s took 0.075s, TLS 1.3 took 0.282s\n\tbytes in/out: 4582/1794, packets in/out: 10/13, rtt: 0.072s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"820CBE50-DE8D-3C38-8714-04629EC16984","traceID":589370805553725400,"processID":2018,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets 
sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":242,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1093082,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/usr/libexec/nsurlsessiond","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 15:09:14.100746+0530","machTimestamp":734785195723900,"eventMessage":"[C343 3E8A076A-D684-45AF-A52F-C51D5B28AFDF Hostname#e3feefa8:443 quic-connection, bundle id: com.apple.mobileassetd.client.trustd, url hash: 117a22f2, attribution: developer] cancelled\n\t[C343.1.1.1 18BBE472-4617-480B-BFFE-78CBBBD16009 81.2.69.192:64457<->IPv4#81585636:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.997s, DNS @0.047s took 0.101s, TCP @0.198s took 0.049s, TLS 1.3 took 0.250s\n\tbytes in/out: 4916/1483, packets in/out: 6/9, rtt: 0.087s, retransmitted bytes: 451, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"5CF1C24C-80AC-35A6-A065-986216BBD0B2","traceID":589370805553725400,"processID":198,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: 
%llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1109068,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 15:40:13.211900+0530","machTimestamp":736644276688203,"eventMessage":"[C353 EA9249FC-6CC1-49B8-8895-117CDF0CA0A7 gsp-ssl.ls.apple.com:443 quic-connection, url: https://gsp-ssl.ls.apple.com/ab.arpc, definite, attribution: developer] cancelled\n\t[C353.1.1.1 0FDAC462-E350-4084-AD16-F0165B29ED88 81.2.69.192:64518<->17.8.135.181:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 33.863s, DNS @0.001s took 0.021s, TCP @0.025s took 1.107s, TLS 1.3 took 1.518s\n\tbytes in/out: 8914/1264, packets in/out: 13/19, rtt: 0.748s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"0C03D38B-8986-3F1E-AE36-FBC14991D019","traceID":589370805553725400,"processID":1163,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn 
packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1118427,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 15:59:06.346800+0530","machTimestamp":737777411588029,"eventMessage":"[C637 60307C5A-FC74-4BE5-8FCA-7D64E75C0C1E Hostname#41b68ffe:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: c942ec6a, definite, attribution: developer] cancelled\n\t[C637.1.1.1 5ABAFEC7-3104-4614-93B8-DCC011441D5E 81.2.69.192:64546<->IPv4#6054f3b2:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 240.157s, DNS @0.009s took 0.050s, TCP @0.063s took 0.014s, TLS 1.3 took 0.063s\n\tbytes in/out: 12467/2724, packets in/out: 15/18, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12","traceID":589370805553725400,"processID":22858,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took 
%u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1120775,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 16:01:06.402509+0530","machTimestamp":737897409062445,"eventMessage":"[C695 FBD48CD5-8BEB-495D-9143-3D94CEFD897D Hostname#b8300d06:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: ba83d597, definite, proxy fail closed for unreachable, attribution: developer, third party web content] cancelled\n\t[C695.1.2.1 EDEEE996-8CF0-4BC9-BA34-7CD4ABA75E93 81.2.69.192:64554<->IPv4#60e4a0b3:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 178.192s, DNS @0.109s took 0.002s, TCP @0.113s took 0.026s, TLS 1.3 took 0.048s\n\tbytes in/out: 4359196/4145, packets in/out: 573/258, rtt: 0.036s, retransmitted bytes: 0, out-of-order bytes: 5816\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12","traceID":589370805553725400,"processID":22858,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P 
%{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1120775,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 16:01:06.407407+0530","machTimestamp":737897413960372,"eventMessage":"[C693 4867D16B-268D-43E3-8FC5-C94DD80A1C80 Hostname#9d5a29e4:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: 38a58942, definite, attribution: developer, third party web content] cancelled\n\t[C693.1.1.1 5B6F7CDF-A595-46C0-AD7C-AB0A7A2DD3FF 81.2.69.192:64553<->IPv4#eef21366:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 193.203s, DNS @0.001s took 0.077s, TCP @0.081s took 0.017s, TLS 1.3 took 0.045s\n\tbytes in/out: 11782/1080, packets in/out: 9/14, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12","traceID":589370805553725400,"processID":22858,"senderProgramCounter":9418645,"parentActivityIdentifier":0} 
+{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":501,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1131741,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/usr/libexec/nsurlsessiond","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 16:20:16.541036+0530","machTimestamp":739047588408621,"eventMessage":"[C66 D699D319-32C3-4543-803A-DCB7ED36A5F8 Hostname#0d5adf07:443 quic-connection, bundle id: com.apple.triald, url hash: 9e856d3a, traffic class: 100, no expensive, attribution: developer] cancelled\n\t[C66.1.1.1 F8FA4862-B203-490F-866E-BEC10DBEF962 81.2.69.192:64603<->IPv4#10574dec:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.549s, DNS @0.002s took 0.061s, TCP @0.067s took 0.016s, TLS 1.3 took 0.415s\n\tbytes in/out: 5629/3030, packets in/out: 8/16, rtt: 0.029s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0","processImageUUID":"5CF1C24C-80AC-35A6-A065-986216BBD0B2","traceID":589370805553725400,"processID":1100,"senderProgramCounter":9418645,"parentActivityIdentifier":0} 
+{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":242,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1132574,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/usr/libexec/nsurlsessiond","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 16:21:27.886344+0530","machTimestamp":739118933716566,"eventMessage":"[C348 90B95967-CD66-4EDD-AD9E-5BA99B3B1C62 Hostname#ea5d1e75:443 quic-connection, bundle id: com.apple.mobileassetd.client.auto-asset-client, url hash: 69b0e59d, traffic class: 100, expected workload: 237568, no expensive, attribution: developer] cancelled\n\t[C348.1.1.1 A8214DA1-14D6-4867-BEAC-F70599E6E765 81.2.69.192:64626<->IPv4#3ec082bd:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.893s, DNS @0.001s took 0.045s, TCP @0.050s took 0.047s, TLS 1.3 took 0.348s\n\tbytes in/out: 248482/1060, packets in/out: 75/18, rtt: 0.048s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 
0/0/0/0","processImageUUID":"5CF1C24C-80AC-35A6-A065-986216BBD0B2","traceID":589370805553725400,"processID":198,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu","userID":200,"activityIdentifier":0,"subsystem":"com.apple.network","category":"connection","threadID":1134682,"senderImageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E","backtrace":{"frames":[{"imageOffset":9418645,"imageUUID":"E481CDB0-9C0C-3BBC-87FA-006C66D3223E"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated","senderImagePath":"/System/Library/Frameworks/Network.framework/Versions/A/Network","timestamp":"2025-10-15 16:24:32.487263+0530","machTimestamp":739303534635293,"eventMessage":"[C137 5CADEB1D-0A08-4B41-B92D-B89BF308083E Hostname#3fba6d68:443 tcp, url hash: 15f2f095, tls, definite, attribution: developer] cancelled\n\t[C137.1.1 C84B1419-27A0-421C-8140-8478E1AC40F3 81.2.69.192:64673<->IPv4#14ad2c93:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 60.046s, DNS @0.000s took 0.045s, TCP @0.047s took 0.048s, TLS 1.3 took 0.151s\n\tbytes in/out: 515210/1012, packets in/out: 111/62, rtt: 0.135s, retransmitted bytes: 0, out-of-order bytes: 1242\n\tecn packets sent/acked/marked/lost: 
0/0/0/0","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":589370805553725400,"processID":200,"senderProgramCounter":9418645,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"Attempting to rename power assertion %{public}d for target %{public}@ to %{public}@","userID":0,"activityIdentifier":1501972,"subsystem":"com.apple.runningboard","category":"ttl","threadID":918115,"senderImageUUID":"DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1","backtrace":{"frames":[{"imageOffset":33797,"imageUUID":"DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/usr\/libexec\/runningboardd","senderImagePath":"\/System\/Library\/PrivateFrameworks\/RunningBoard.framework\/Versions\/A\/RunningBoard","timestamp":"2025-10-11 15:29:06.860717+0530","machTimestamp":719586938616305,"eventMessage":"Attempting to rename power assertion 39013 for target xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070] to xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070];118-1260-50086:[clock.WorldClockWidget-FF3B363AC5FD];118-1260-50125:[clock.WorldClockWidget-FF3B363AC5FD]","processImageUUID":"8590F6F5-F2F4-3CDE-921F-D9A358F6E6AD","traceID":1680285626859847684,"processID":118,"senderProgramCounter":33797,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"code signing internal problem: unexpected error from xpc: 
%s","userID":501,"activityIdentifier":0,"subsystem":"com.apple.securityd","category":"SecError","threadID":199743,"senderImageUUID":"AF38D16B-954C-3A9E-B0F7-5100DB3D566C","backtrace":{"frames":[{"imageOffset":2219233,"imageUUID":"AF38D16B-954C-3A9E-B0F7-5100DB3D566C"}]},"bootUUID":"AB156DC0-B7BC-4860-9E5C-A34A8BBE8699","processImagePath":"\/System\/Library\/Frameworks\/StoreKit.framework\/Support\/storekitagent","senderImagePath":"\/System\/Library\/Frameworks\/Security.framework\/Versions\/A\/Security","timestamp":"2025-10-21 15:27:16.289787+0530","machTimestamp":82458070242618,"eventMessage":"code signing internal problem: unexpected error from xpc: { count = 1, transaction: 0, voucher = 0x0, contents =\n\t\"XPCErrorDescription\" => { length = 18, contents = \"Connection invalid\" }\n}","processImageUUID":"63A2B64B-11CA-3ABA-94D7-3916A3BD8D08","traceID":232616665735757828,"processID":552,"senderProgramCounter":2219233,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"SecureTokenStatus users: admin %llu, admin w\/SecureToken %llu, admin w\/o SecureToken %llu, standard %llu, standard w\/SecureToken %llu, standard w\/o SecureToken %llu","userID":0,"activityIdentifier":80,"subsystem":"com.apple.opendirectoryd","category":"auth","threadID":5433,"senderImageUUID":"B327C6FB-1480-39ED-B23A-F3D283CBFA1E","backtrace":{"frames":[{"imageOffset":49542,"imageUUID":"B327C6FB-1480-39ED-B23A-F3D283CBFA1E"}]},"bootUUID":"AB156DC0-B7BC-4860-9E5C-A34A8BBE8699","processImagePath":"\/usr\/libexec\/opendirectoryd","senderImagePath":"\/System\/Library\/OpenDirectory\/Modules\/PlistFile.bundle\/Contents\/MacOS\/PlistFile","timestamp":"2025-10-20 16:35:06.999395+0530","machTimestamp":131200136411,"eventMessage":"SecureTokenStatus users: admin 1, admin w\/SecureToken 1, admin w\/o SecureToken 0, standard 1, standard w\/SecureToken 1, standard w\/o SecureToken 
0","processImageUUID":"D8FEDD38-55EF-31D4-9A85-CC8ADF519F32","traceID":1597384271003652,"processID":134,"senderProgramCounter":49542,"parentActivityIdentifier":0} +{"timezoneName":"","messageType":"Default","eventType":"logEvent","source":null,"formatString":"Product Evaluation: %s (%s): Installation check failed: %s","userID":200,"activityIdentifier":1606042,"subsystem":"com.apple.SoftwareUpdate","category":"SoftwareUpdate","threadID":1131759,"senderImageUUID":"FFE66477-6648-38F8-997F-84A69295C606","backtrace":{"frames":[{"imageOffset":90555,"imageUUID":"FFE66477-6648-38F8-997F-84A69295C606"}]},"bootUUID":"218031E6-E47F-4A77-B7FC-5A57B049F4BC","processImagePath":"\/System\/Library\/CoreServices\/Software Update.app\/Contents\/Resources\/softwareupdated","senderImagePath":"\/System\/Library\/PrivateFrameworks\/SoftwareUpdate.framework\/Versions\/A\/SoftwareUpdate","timestamp":"2025-10-15 16:22:37.440396+0530","machTimestamp":739188487769009,"eventMessage":"Product Evaluation: 041-79235 (041-79235.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 \"ERROR_7E7AEE96CA\" UserInfo={message=ERROR_7E7AEE96CA, type=Fatal, NSLocalizedDescription=ERROR_7E7AEE96CA}","processImageUUID":"CD58B635-1F96-38BD-BF3B-DBA7CA293E28","traceID":1282334916650270724,"processID":200,"senderProgramCounter":90555,"parentActivityIdentifier":0} diff --git a/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log-expected.json b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log-expected.json new file mode 100644 index 00000000000..9c802c85e7d --- /dev/null +++ b/packages/macos/data_stream/unified_log/_dev/test/pipeline/test-unified.log-expected.json 
@@ -0,0 +1,3522 @@ +{ + "expected": [ + { + "@timestamp": "2025-10-09T06:32:22.345Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%s | ApplicationManager: Checked in app : %@\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.loginwindow.logging\",\"category\":\"Standard\",\"threadID\":13692,\"senderImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"backtrace\":{\"frames\":[{\"imageOffset\":109999,\"imageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\"}]},\"bootUUID\":\"\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"senderImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"timestamp\":\"2025-10-09 12:02:22.345217+0530\",\"eventMessage\":\"-[SessionLogoutManager buildSessionDictionary] | final sessionDictionary:{\\n DirectLogoutType = 5;\\n GroupID = 248;\\n GuestAccount = 0;\\n HomeDirectoryPath = \\\"\\/var\\/setup\\\";\\n SessionAgentPID = 100;\\n UserGUID = \\\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\\\";\\n UserID = 248;\\n UserLongName = \\\"Setup User\\\";\\n UserName = \\\"_mbsetupuser\\\";\\n}\",\"processImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"traceID\":3714562696282116,\"processID\":1062,\"senderProgramCounter\":109999,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "group": { + "id": "248" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "109999", + "uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + } + } + ] + }, + "category": "Standard", + "event": { + "category": "Authentication", + "message": { + "description": 
"-[SessionLogoutManager buildSessionDictionary] | final sessionDictionary:{\n DirectLogoutType = 5;\n GroupID = 248;\n GuestAccount = 0;\n HomeDirectoryPath = \"/var/setup\";\n SessionAgentPID = 100;\n UserGUID = \"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\";\n UserID = 248;\n UserLongName = \"Setup User\";\n UserName = \"_mbsetupuser\";\n}", + "direct_logout_type": 5, + "group_id": "248", + "guest_account": 0, + "home_directory_path": "\"/var/setup\"", + "session_agent_pid": "100", + "user": { + "guid": "\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\"", + "id": "248", + "long_name": "\"Setup User\"", + "name": "\"_mbsetupuser\"" + } + }, + "type": "logEvent" + }, + "format_string": "%s | ApplicationManager: Checked in app : %@", + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 1062, + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + }, + "sender": { + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF", + "program_counter": 109999 + }, + "subsystem": "com.apple.loginwindow.logging", + "thread_id": 13692, + "timestamp": "2025-10-09T06:32:22.345Z", + "trace_id": "3714562696282116", + "user_id": "501" + } + }, + "message": "-[SessionLogoutManager buildSessionDictionary] | final sessionDictionary:{\n DirectLogoutType = 5;\n GroupID = 248;\n GuestAccount = 0;\n HomeDirectoryPath = \"/var/setup\";\n SessionAgentPID = 100;\n UserGUID = \"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\";\n UserID = 248;\n UserLongName = \"Setup User\";\n UserName = \"_mbsetupuser\";\n}", + "process": { + "pid": 1062, + "thread": { + "id": 13692 + } + }, + "related": { + "user": [ + "248", + "\"Setup User\"", + "\"_mbsetupuser\"", + "\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\"", + "501" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "full_name": "\"Setup 
User\"", + "group": { + "id": "\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000F8\"" + }, + "id": [ + "248", + "501" + ], + "name": "\"_mbsetupuser\"" + } + }, + { + "@timestamp": "2025-09-26T06:32:36.119Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%s | shortUsername = %s, userID = %d, groupID = %d\",\"userID\":0,\"activityIdentifier\":0,\"subsystem\":\"com.apple.loginwindow.logging\",\"category\":\"Standard\",\"threadID\":778,\"senderImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"backtrace\":{\"frames\":[{\"imageOffset\":56811,\"imageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"senderImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"timestamp\":\"2025-09-25 23:32:36.119492-0700\",\"machTimestamp\":191058676868,\"eventMessage\":\"-[Login1 doLogin] | shortUsername = _mbsetupuser, userID = 248, groupID = 248\",\"processImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"traceID\":3508679143981060,\"processID\":100,\"senderProgramCounter\":56811,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "group": { + "id": "248" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "56811", + "uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "Standard", + "event": { + "category": "Authentication", + "message": { + "description": "-[Login1 doLogin] | shortUsername = _mbsetupuser, userID 
= 248, groupID = 248", + "group_id": "248", + "user": { + "id": "248", + "name": "_mbsetupuser" + } + }, + "type": "logEvent" + }, + "format_string": "%s | shortUsername = %s, userID = %d, groupID = %d", + "mach_timestamp": 1.91058676868E11, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 100, + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + }, + "sender": { + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF", + "program_counter": 56811 + }, + "subsystem": "com.apple.loginwindow.logging", + "thread_id": 778, + "timestamp": "2025-09-26T06:32:36.119Z", + "trace_id": "3508679143981060", + "user_id": "0" + } + }, + "message": "-[Login1 doLogin] | shortUsername = _mbsetupuser, userID = 248, groupID = 248", + "process": { + "pid": 100, + "thread": { + "id": 778 + } + }, + "related": { + "user": [ + "248", + "_mbsetupuser", + "0" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "248", + "0" + ], + "name": "_mbsetupuser" + } + }, + { + "@timestamp": "2025-09-26T06:46:06.773Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%s | 
enter\",\"userID\":0,\"activityIdentifier\":0,\"subsystem\":\"com.apple.loginwindow.logging\",\"category\":\"Standard\",\"threadID\":13692,\"senderImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"backtrace\":{\"frames\":[{\"imageOffset\":75080,\"imageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"senderImagePath\":\"\\/System\\/Library\\/CoreServices\\/loginwindow.app\\/Contents\\/MacOS\\/loginwindow\",\"timestamp\":\"2025-09-25 23:46:06.773373-0700\",\"machTimestamp\":1001013698208,\"eventMessage\":\"-[Login1 isGuestAccount] | enter\",\"processImageUUID\":\"2F16B6B6-41B5-34D4-88A1-06CAFCE952EF\",\"traceID\":3412540596027396,\"processID\":1062,\"senderProgramCounter\":75080,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "75080", + "uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "Standard", + "event": { + "category": "Authentication", + "message": { + "description": "-[Login1 isGuestAccount] | enter" + }, + "type": "logEvent" + }, + "format_string": "%s | enter", + "mach_timestamp": 1.001013698208E12, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 1062, + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF" + }, + "sender": { + "image_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow", + "image_uuid": "2F16B6B6-41B5-34D4-88A1-06CAFCE952EF", + "program_counter": 75080 + }, + "subsystem": "com.apple.loginwindow.logging", + "thread_id": 13692, + "timestamp": 
"2025-09-26T06:46:06.773Z", + "trace_id": "3412540596027396", + "user_id": "0" + } + }, + "message": "-[Login1 isGuestAccount] | enter", + "process": { + "pid": 1062, + "thread": { + "id": 13692 + } + }, + "related": { + "user": [ + "0" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "0" + ] + } + }, + { + "@timestamp": "2025-10-15T08:24:30.570Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d name=%{public}s\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.xpc\",\"category\":\"connection\",\"threadID\":1051377,\"senderImageUUID\":\"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C\",\"backtrace\":{\"frames\":[{\"imageOffset\":43862,\"imageUUID\":\"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/system\\/libxpc.dylib\",\"timestamp\":\"2025-10-15 13:54:30.570794+0530\",\"machTimestamp\":730301634805240,\"eventMessage\":\"[0x7fd20dafe350] activating connection: mach=false listener=false peer=true name=com.apple.softwareupdated.peer[24159].0x7fd20dafe350\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":6727155769933828,\"processID\":200,\"senderProgramCounter\":43862,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "43862", + "uuid": "ABCE7E08-7D29-3BE0-AF60-F0DC752E951C" + } + } + ] + }, + 
"boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "description": "[0x7fd20dafe350] activating connection: mach=false listener=false peer=true name=com.apple.softwareupdated.peer[24159].0x7fd20dafe350", + "listener": false, + "mach": false, + "name": "com.apple.softwareupdated.peer[24159].0x7fd20dafe350", + "peer": true + }, + "type": "logEvent" + }, + "format_string": "[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d name=%{public}s", + "mach_timestamp": 7.3030163480524E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/system/libxpc.dylib", + "image_uuid": "ABCE7E08-7D29-3BE0-AF60-F0DC752E951C", + "program_counter": 43862 + }, + "subsystem": "com.apple.xpc", + "thread_id": 1051377, + "timestamp": "2025-10-15T08:24:30.570Z", + "trace_id": "6727155769933828", + "user_id": "200" + } + }, + "message": "[0x7fd20dafe350] activating connection: mach=false listener=false peer=true name=com.apple.softwareupdated.peer[24159].0x7fd20dafe350", + "process": { + "pid": 200, + "thread": { + "id": 1051377 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:51:05.035Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d 
name=%{public}s\",\"userID\":200,\"activityIdentifier\":1606042,\"subsystem\":\"com.apple.xpc\",\"category\":\"connection\",\"threadID\":1131759,\"senderImageUUID\":\"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C\",\"backtrace\":{\"frames\":[{\"imageOffset\":43862,\"imageUUID\":\"ABCE7E08-7D29-3BE0-AF60-F0DC752E951C\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/system\\/libxpc.dylib\",\"timestamp\":\"2025-10-15 16:21:05.035457+0530\",\"machTimestamp\":739096082829937,\"eventMessage\":\"[0x7fd20cffa690] activating connection: mach=false listener=false peer=false name=(anonymous)\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":6727155769999364,\"processID\":200,\"senderProgramCounter\":43862,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "1606042", + "backtrace": { + "frames": [ + { + "image": { + "offset": "43862", + "uuid": "ABCE7E08-7D29-3BE0-AF60-F0DC752E951C" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "description": "[0x7fd20cffa690] activating connection: mach=false listener=false peer=false name=(anonymous)", + "listener": false, + "mach": false, + "name": "(anonymous)", + "peer": false + }, + "type": "logEvent" + }, + "format_string": "[%p] activating connection: mach=%{bool}d listener=%{bool}d peer=%{bool}d name=%{public}s", + "mach_timestamp": 7.39096082829937E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + 
"image_path": "/usr/lib/system/libxpc.dylib", + "image_uuid": "ABCE7E08-7D29-3BE0-AF60-F0DC752E951C", + "program_counter": 43862 + }, + "subsystem": "com.apple.xpc", + "thread_id": 1131759, + "timestamp": "2025-10-15T10:51:05.035Z", + "trace_id": "6727155769999364", + "user_id": "200" + } + }, + "message": "[0x7fd20cffa690] activating connection: mach=false listener=false peer=false name=(anonymous)", + "process": { + "pid": 200, + "thread": { + "id": 1131759 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:51:14.585Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"tcp\",\"threadID\":1132254,\"senderImageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\",\"backtrace\":{\"frames\":[{\"imageOffset\":281600,\"imageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libusrtcp.dylib\",\"timestamp\":\"2025-10-15 16:21:14.585700+0530\",\"machTimestamp\":739105633072605,\"eventMessage\":\"tcp_output [C135.1.1:3] flags=[F.] 
seq=1475478968, ack=3781245868, win=3586 state=FIN_WAIT_1 rcv_nxt=3781245868, snd_una=1475478944\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":1202012843394990084,\"processID\":200,\"senderProgramCounter\":281600,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "281600", + "uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "tcp", + "event": { + "category": "Network Activity", + "message": { + "ack": "3781245868", + "description": "tcp_output [C135.1.1:3] flags=[F.] seq=1475478968, ack=3781245868, win=3586 state=FIN_WAIT_1 rcv_nxt=3781245868, snd_una=1475478944", + "flags": "F.", + "seq": "1475478968", + "state": "FIN_WAIT_1 rcv_nxt=3781245868, ", + "win": "3586" + }, + "type": "logEvent" + }, + "format_string": "%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u", + "mach_timestamp": 7.39105633072605E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libusrtcp.dylib", + "image_uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536", + "program_counter": 281600 + }, + "subsystem": "com.apple.network", + "thread_id": 1132254, + "timestamp": "2025-10-15T10:51:14.585Z", + "trace_id": "1202012843394990084", + "user_id": "200" + } + }, + "message": "tcp_output [C135.1.1:3] flags=[F.] 
seq=1475478968, ack=3781245868, win=3586 state=FIN_WAIT_1 rcv_nxt=3781245868, snd_una=1475478944", + "process": { + "pid": 200, + "thread": { + "id": 1132254 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:51:14.592Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"tcp\",\"threadID\":1132254,\"senderImageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\",\"backtrace\":{\"frames\":[{\"imageOffset\":182769,\"imageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libusrtcp.dylib\",\"timestamp\":\"2025-10-15 16:21:14.592962+0530\",\"machTimestamp\":739105640334157,\"eventMessage\":\"tcp_input [C135.1.1:3] flags=[F.] 
seq=3781245892, ack=1475478968, win=502 state=CLOSED rcv_nxt=3781245868, snd_una=1475478944\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":1202012843394990084,\"processID\":200,\"senderProgramCounter\":182769,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "182769", + "uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "tcp", + "event": { + "category": "Network Activity", + "message": { + "ack": "1475478968", + "description": "tcp_input [C135.1.1:3] flags=[F.] seq=3781245892, ack=1475478968, win=502 state=CLOSED rcv_nxt=3781245868, snd_una=1475478944", + "flags": "F.", + "seq": "3781245892", + "state": "CLOSED rcv_nxt=3781245868, ", + "win": "502" + }, + "type": "logEvent" + }, + "format_string": "%{public}s %{public}s flags=%{network:tcp_flags}x seq=%u, ack=%u, win=%u state=%{network:tcp_state}x rcv_nxt=%u, snd_una=%u", + "mach_timestamp": 7.39105640334157E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libusrtcp.dylib", + "image_uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536", + "program_counter": 182769 + }, + "subsystem": "com.apple.network", + "thread_id": 1132254, + "timestamp": "2025-10-15T10:51:14.592Z", + "trace_id": "1202012843394990084", + "user_id": "200" + } + }, + "message": "tcp_input [C135.1.1:3] flags=[F.] 
seq=3781245892, ack=1475478968, win=502 state=CLOSED rcv_nxt=3781245868, snd_una=1475478944", + "process": { + "pid": 200, + "thread": { + "id": 1132254 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:50:14.143Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1131560,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:20:14.143657+0530\",\"machTimestamp\":739045191029769,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(753) [C135.1.1:2][0x7fd20d8891a0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(2443ms) flight_time(396ms) rtt(248ms) write_stalls(0) 
read_stalls(6)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526594564,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "http/1.1", + "cipher_suite": "TLS_AES_256_GCM_SHA384", + "connection_identifier": "C135.1.1:2", + "connection_time": "2443ms", + "description": "nw_protocol_boringssl_signal_connected(753) [C135.1.1:2][0x7fd20d8891a0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(2443ms) flight_time(396ms) rtt(248ms) write_stalls(0) read_stalls(6)]", + "false_started": false, + "flight_time": "396ms", + "group": "0x001d", + "ocsp_received": true, + "offered_ticket": false, + "read_stalls": 6, + "resumed": false, + "rtt": "248ms", + "sct_received": false, + "signature_alg": "0x0804", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]", + "mach_timestamp": 7.39045191029769E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": 
"CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1131560, + "timestamp": "2025-10-15T10:50:14.143Z", + "trace_id": "390070235526594564", + "user_id": "200" + } + }, + "message": "nw_protocol_boringssl_signal_connected(753) [C135.1.1:2][0x7fd20d8891a0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(2443ms) flight_time(396ms) rtt(248ms) write_stalls(0) read_stalls(6)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0804" + }, + "pid": 200, + "thread": { + "id": 1131560 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:53:24.143Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) 
read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":1606042,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1133904,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:23:24.143463+0530\",\"machTimestamp\":739235190835402,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(755) [C258.1.1.1:2][0x8dec8a200] TLS connected [version(0x0304) ciphersuite(TLS_AES_128_GCM_SHA256) group(0x001d) signature_alg(0x0403) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(0) sct_received(0) connect_time(59ms) flight_time(56ms) rtt(56ms) write_stalls(0) read_stalls(2) pake(0x0000)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526660100,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "1606042", + "backtrace": { + "frames": [ + { + "image": { + "offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "h2", + "cipher_suite": "TLS_AES_128_GCM_SHA256", + "connection_identifier": "C258.1.1.1:2", + "connection_time": "59ms", + "description": "nw_protocol_boringssl_signal_connected(755) [C258.1.1.1:2][0x8dec8a200] TLS connected [version(0x0304) ciphersuite(TLS_AES_128_GCM_SHA256) group(0x001d) signature_alg(0x0403) alpn(h2) resumed(0) offered_ticket(0) false_started(0) 
ocsp_received(0) sct_received(0) connect_time(59ms) flight_time(56ms) rtt(56ms) write_stalls(0) read_stalls(2) pake(0x0000)]", + "false_started": false, + "flight_time": "56ms", + "group": "0x001d", + "ocsp_received": false, + "offered_ticket": false, + "pake": "0x0000", + "read_stalls": 2, + "resumed": false, + "rtt": "56ms", + "sct_received": false, + "signature_alg": "0x0403", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]", + "mach_timestamp": 7.39235190835402E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1133904, + "timestamp": "2025-10-15T10:53:24.143Z", + "trace_id": "390070235526660100", + "user_id": "200" + } + }, + "message": "nw_protocol_boringssl_signal_connected(755) [C258.1.1.1:2][0x8dec8a200] TLS connected [version(0x0304) ciphersuite(TLS_AES_128_GCM_SHA256) group(0x001d) signature_alg(0x0403) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(0) sct_received(0) connect_time(59ms) flight_time(56ms) rtt(56ms) write_stalls(0) read_stalls(2) pake(0x0000)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0403" + }, + "pid": 200, + "thread": { + "id": 1133904 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { 
+ "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:53:32.687Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1133968,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:23:32.687897+0530\",\"machTimestamp\":739243735270019,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(753) [C137.1.1:2][0x7fd20d957af0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(151ms) flight_time(50ms) rtt(49ms) write_stalls(0) read_stalls(6)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526594564,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + 
"frames": [ + { + "image": { + "offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "http/1.1", + "cipher_suite": "TLS_AES_256_GCM_SHA384", + "connection_identifier": "C137.1.1:2", + "connection_time": "151ms", + "description": "nw_protocol_boringssl_signal_connected(753) [C137.1.1:2][0x7fd20d957af0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(151ms) flight_time(50ms) rtt(49ms) write_stalls(0) read_stalls(6)]", + "false_started": false, + "flight_time": "50ms", + "group": "0x001d", + "ocsp_received": true, + "offered_ticket": false, + "read_stalls": 6, + "resumed": false, + "rtt": "49ms", + "sct_received": false, + "signature_alg": "0x0804", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]", + "mach_timestamp": 7.39243735270019E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1133968, + "timestamp": "2025-10-15T10:53:32.687Z", + "trace_id": "390070235526594564", + "user_id": 
"200" + } + }, + "message": "nw_protocol_boringssl_signal_connected(753) [C137.1.1:2][0x7fd20d957af0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(151ms) flight_time(50ms) rtt(49ms) write_stalls(0) read_stalls(6)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0804" + }, + "pid": 200, + "thread": { + "id": 1133968 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:53:38.141Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1133904,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:23:38.141145+0530\",\"machTimestamp\":739249188517441,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(753) 
[C138.1.1.1:2][0x7fd210e793f0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(104ms) flight_time(49ms) rtt(49ms) write_stalls(0) read_stalls(6)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526594564,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "h2", + "cipher_suite": "TLS_AES_256_GCM_SHA384", + "connection_identifier": "C138.1.1.1:2", + "connection_time": "104ms", + "description": "nw_protocol_boringssl_signal_connected(753) [C138.1.1.1:2][0x7fd210e793f0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(104ms) flight_time(49ms) rtt(49ms) write_stalls(0) read_stalls(6)]", + "false_started": false, + "flight_time": "49ms", + "group": "0x001d", + "ocsp_received": true, + "offered_ticket": false, + "read_stalls": 6, + "resumed": false, + "rtt": "49ms", + "sct_received": false, + "signature_alg": "0x0804", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) 
read_stalls(%zu)]", + "mach_timestamp": 7.39249188517441E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1133904, + "timestamp": "2025-10-15T10:53:38.141Z", + "trace_id": "390070235526594564", + "user_id": "200" + } + }, + "message": "nw_protocol_boringssl_signal_connected(753) [C138.1.1.1:2][0x7fd210e793f0] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(h2) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(104ms) flight_time(49ms) rtt(49ms) write_stalls(0) read_stalls(6)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0804" + }, + "pid": 200, + "thread": { + "id": 1133904 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:53:44.589Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) 
read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1133968,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:23:44.589923+0530\",\"machTimestamp\":739255637295506,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(753) [C139.1.1:2][0x7fd20d839670] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(291ms) flight_time(42ms) rtt(41ms) write_stalls(0) read_stalls(7)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526594564,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "http/1.1", + "cipher_suite": "TLS_AES_256_GCM_SHA384", + "connection_identifier": "C139.1.1:2", + "connection_time": "291ms", + "description": "nw_protocol_boringssl_signal_connected(753) [C139.1.1:2][0x7fd20d839670] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) 
ocsp_received(1) sct_received(0) connect_time(291ms) flight_time(42ms) rtt(41ms) write_stalls(0) read_stalls(7)]", + "false_started": false, + "flight_time": "42ms", + "group": "0x001d", + "ocsp_received": true, + "offered_ticket": false, + "read_stalls": 7, + "resumed": false, + "rtt": "41ms", + "sct_received": false, + "signature_alg": "0x0804", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]", + "mach_timestamp": 7.39255637295506E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1133968, + "timestamp": "2025-10-15T10:53:44.589Z", + "trace_id": "390070235526594564", + "user_id": "200" + } + }, + "message": "nw_protocol_boringssl_signal_connected(753) [C139.1.1:2][0x7fd20d839670] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(291ms) flight_time(42ms) rtt(41ms) write_stalls(0) read_stalls(7)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0804" + }, + "pid": 200, + "thread": { + "id": 1133968 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + 
"@timestamp": "2025-10-15T10:53:44.736Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"boringssl\",\"threadID\":1133995,\"senderImageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\",\"backtrace\":{\"frames\":[{\"imageOffset\":182440,\"imageUUID\":\"E8DA37CF-0F7A-38D1-8D87-3730FB158249\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libboringssl.dylib\",\"timestamp\":\"2025-10-15 16:23:44.736956+0530\",\"machTimestamp\":739255784328873,\"eventMessage\":\"nw_protocol_boringssl_signal_connected(753) [C140.1.1:2][0x7fd210ec0340] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http\\/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(250ms) flight_time(53ms) rtt(53ms) write_stalls(0) read_stalls(4)]\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":390070235526594564,\"processID\":200,\"senderProgramCounter\":182440,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + 
"offset": "182440", + "uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "boringssl", + "event": { + "category": "Network Activity", + "message": { + "alpn": "http/1.1", + "cipher_suite": "TLS_AES_256_GCM_SHA384", + "connection_identifier": "C140.1.1:2", + "connection_time": "250ms", + "description": "nw_protocol_boringssl_signal_connected(753) [C140.1.1:2][0x7fd210ec0340] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(250ms) flight_time(53ms) rtt(53ms) write_stalls(0) read_stalls(4)]", + "false_started": false, + "flight_time": "53ms", + "group": "0x001d", + "ocsp_received": true, + "offered_ticket": false, + "read_stalls": 4, + "resumed": false, + "rtt": "53ms", + "sct_received": false, + "signature_alg": "0x0804", + "tls_version": "0x0304", + "write_stalls": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s(%d) %{public}s[%p] TLS connected [version(0xx) ciphersuite(%s) group(0xx) signature_alg(0xx) alpn(%{public}s) resumed(%d) offered_ticket(%d) false_started(%d) ocsp_received(%d) sct_received(%d) connect_time(%llums) flight_time(%llums) rtt(%llums) write_stalls(%zu) read_stalls(%zu)]", + "mach_timestamp": 7.39255784328873E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libboringssl.dylib", + "image_uuid": "E8DA37CF-0F7A-38D1-8D87-3730FB158249", + "program_counter": 182440 + }, + "subsystem": "com.apple.network", + "thread_id": 1133995, + "timestamp": "2025-10-15T10:53:44.736Z", + "trace_id": "390070235526594564", + "user_id": "200" + } + }, + "message": 
"nw_protocol_boringssl_signal_connected(753) [C140.1.1:2][0x7fd210ec0340] TLS connected [version(0x0304) ciphersuite(TLS_AES_256_GCM_SHA384) group(0x001d) signature_alg(0x0804) alpn(http/1.1) resumed(0) offered_ticket(0) false_started(0) ocsp_received(1) sct_received(0) connect_time(250ms) flight_time(53ms) rtt(53ms) write_stalls(0) read_stalls(4)]", + "process": { + "code_signature": { + "digest_algorithm": "0x0804" + }, + "pid": 200, + "thread": { + "id": 1133995 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-15T10:53:44.887Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"Task <%{public,uuid_t}.16P>.<%lu> summary for %{public}s {transaction_duration_ms=%u, response_status=%ld, connection=%llu, protocol=\\\"%{public}@\\\", domain_lookup_duration_ms=%u, connect_duration_ms=%u, secure_connection_duration_ms=%u, private_relay=%{bool}d, request_start_ms=%u, request_duration_ms=%u, response_start_ms=%u, response_duration_ms=%u, request_bytes=%lld, response_bytes=%lld, cache_hit=%{bool}d}\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.CFNetwork\",\"category\":\"Summary\",\"threadID\":1133995,\"senderImageUUID\":\"31798E5A-30D3-381D-BC8D-F9AF4154382B\",\"backtrace\":{\"frames\":[{\"imageOffset\":987343,\"imageUUID\":\"31798E5A-30D3-381D-BC8D-F9AF4154382B\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software 
Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/System\\/Library\\/Frameworks\\/CFNetwork.framework\\/Versions\\/A\\/CFNetwork\",\"timestamp\":\"2025-10-15 16:23:44.887310+0530\",\"machTimestamp\":739255934682331,\"eventMessage\":\"Task .<76> summary for task success {transaction_duration_ms=646, response_status=200, connection=139, protocol=\\\"http\\/1.1\\\", domain_lookup_duration_ms=42, connect_duration_ms=302, secure_connection_duration_ms=291, private_relay=false, request_start_ms=351, request_duration_ms=3, response_start_ms=644, response_duration_ms=1, request_bytes=1248, response_bytes=678, cache_hit=true}\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":405718141415718916,\"processID\":200,\"senderProgramCounter\":987343,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "http": { + "request": { + "bytes": 1248 + }, + "response": { + "bytes": 678, + "status_code": 200 + } + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "987343", + "uuid": "31798E5A-30D3-381D-BC8D-F9AF4154382B" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "Summary", + "event": { + "category": "Network Activity", + "message": { + "cache_hit": true, + "connection": 139, + "connection_duration_ms": 302, + "description": "Task .<76> summary for task success {transaction_duration_ms=646, response_status=200, connection=139, protocol=\"http/1.1\", domain_lookup_duration_ms=42, connect_duration_ms=302, secure_connection_duration_ms=291, private_relay=false, request_start_ms=351, request_duration_ms=3, response_start_ms=644, response_duration_ms=1, request_bytes=1248, response_bytes=678, cache_hit=true}", + "domain_lookup_duration_ms": 42, + "private_relay": false, + "protocol": "\"http/1.1\"", + "request_bytes": 1248, + "request_duration_ms": 3, + "request_start_ms": 
351, + "response_bytes": 678, + "response_duration_ms": 1, + "response_start_ms": 644, + "response_status": 200, + "secure_connection_duration_ms": 291, + "task_uid": "D4BCE98D-D0A3-496F-9092-EA4A34444E01", + "transaction_duration_ms": 646 + }, + "type": "logEvent" + }, + "format_string": "Task <%{public,uuid_t}.16P>.<%lu> summary for %{public}s {transaction_duration_ms=%u, response_status=%ld, connection=%llu, protocol=\"%{public}@\", domain_lookup_duration_ms=%u, connect_duration_ms=%u, secure_connection_duration_ms=%u, private_relay=%{bool}d, request_start_ms=%u, request_duration_ms=%u, response_start_ms=%u, response_duration_ms=%u, request_bytes=%lld, response_bytes=%lld, cache_hit=%{bool}d}", + "mach_timestamp": 7.39255934682331E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork", + "image_uuid": "31798E5A-30D3-381D-BC8D-F9AF4154382B", + "program_counter": 987343 + }, + "subsystem": "com.apple.CFNetwork", + "thread_id": 1133995, + "timestamp": "2025-10-15T10:53:44.887Z", + "trace_id": "405718141415718916", + "user_id": "200" + } + }, + "message": "Task .<76> summary for task success {transaction_duration_ms=646, response_status=200, connection=139, protocol=\"http/1.1\", domain_lookup_duration_ms=42, connect_duration_ms=302, secure_connection_duration_ms=291, private_relay=false, request_start_ms=351, request_duration_ms=3, response_start_ms=644, response_duration_ms=1, request_bytes=1248, response_bytes=678, cache_hit=true}", + "process": { + "pid": 200, + "thread": { + "id": 1133995 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": 
"2025-10-15T10:55:41.285Z", + "destination": { + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"%{public}s %{public}s \\n\\t[%{public,uuid_t}.16P %{sensitive}s:%{public}d<->%{sensitive}s:%{public}d]\\n\\tInit: %d, Conn_Time: %u.ums, SYNs: %u, WR_T: %d\\/%d, RD_T: %d\\/%d, TFO: %d\\/%d\\/%d, ECN: %d\\/%d\\/%d, Accurate ECN (client\\/server): %s\\/%s, TS: %d, TSO: %d\\n\\trtt_cache: %{public}s, rtt_upd: %d, rtt: %u.ums, rtt_var: %u.ums rtt_nc: %u.ums, rtt_var_nc: %u.ums base rtt: %ums\\n\\tACKs-compressed: %u, ACKs delayed: %u delayed ACKs sent: %u\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"tcp\",\"threadID\":1134682,\"senderImageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\",\"backtrace\":{\"frames\":[{\"imageOffset\":139368,\"imageUUID\":\"C5739A55-A9D3-3AFB-9AC9-652E5799B536\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/usr\\/lib\\/libusrtcp.dylib\",\"timestamp\":\"2025-10-15 16:25:41.285922+0530\",\"machTimestamp\":739372333294250,\"eventMessage\":\"nw_protocol_tcp_log_summary [C138.1.1.1:3] \\n\\t[E6445355-3580-4882-BEB9-3116A7090D05 :63735<->:443]\\n\\tInit: 1, Conn_Time: 40.819ms, SYNs: 1, WR_T: 0\\/0, RD_T: 0\\/0, TFO: 0\\/0\\/0, ECN: 0\\/0\\/0, Accurate ECN (client\\/server): Disabled\\/Disabled, TS: 1, TSO: 1\\n\\trtt_cache: none, rtt_upd: 7, rtt: 126.375ms, rtt_var: 91.187ms rtt_nc: 126.375ms, rtt_var_nc: 91.187ms base rtt: 21ms\\n\\tACKs-compressed: 2, ACKs delayed: 0 delayed ACKs sent: 
0\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":1201924813745291268,\"processID\":200,\"senderProgramCounter\":139368,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "139368", + "uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "tcp", + "event": { + "category": "Network Activity", + "message": { + "accurate_ecn_client": "Disabled", + "accurate_ecn_server": "Disabled", + "acks_compressed": 2, + "acks_delayed": 0, + "base_rtt_ms": "21ms", + "connection_identifier": "C138.1.1.1:3", + "connection_time": "40.819ms", + "connection_uuid": "E6445355-3580-4882-BEB9-3116A7090D05", + "delayed_acks_sent": 0, + "description": "nw_protocol_tcp_log_summary [C138.1.1.1:3] \n\t[E6445355-3580-4882-BEB9-3116A7090D05 :63735<->:443]\n\tInit: 1, Conn_Time: 40.819ms, SYNs: 1, WR_T: 0/0, RD_T: 0/0, TFO: 0/0/0, ECN: 0/0/0, Accurate ECN (client/server): Disabled/Disabled, TS: 1, TSO: 1\n\trtt_cache: none, rtt_upd: 7, rtt: 126.375ms, rtt_var: 91.187ms rtt_nc: 126.375ms, rtt_var_nc: 91.187ms base rtt: 21ms\n\tACKs-compressed: 2, ACKs delayed: 0 delayed ACKs sent: 0", + "dest_port": 443, + "ecn_in": 0, + "ecn_miss": 0, + "ecn_out": 0, + "init_flag": 1, + "rd_t_in": 0, + "rd_t_out": 0, + "rtt": "126.375ms", + "rtt_cache": "none", + "rtt_nc_ms": "126.375ms", + "rtt_updates": 7, + "rtt_var_ms": "91.187ms", + "rtt_var_nc_ms": "91.187ms", + "src_port": 63735, + "syns": 1, + "tfo_in": 0, + "tfo_miss": 0, + "tfo_out": 0, + "timestamp_enabled": 1, + "tso_enabled": 1, + "wr_t_in": 0, + "wr_t_out": 0 + }, + "type": "logEvent" + }, + "format_string": "%{public}s %{public}s \n\t[%{public,uuid_t}.16P %{sensitive}s:%{public}d<->%{sensitive}s:%{public}d]\n\tInit: %d, Conn_Time: %u.ums, SYNs: %u, WR_T: %d/%d, RD_T: %d/%d, TFO: 
%d/%d/%d, ECN: %d/%d/%d, Accurate ECN (client/server): %s/%s, TS: %d, TSO: %d\n\trtt_cache: %{public}s, rtt_upd: %d, rtt: %u.ums, rtt_var: %u.ums rtt_nc: %u.ums, rtt_var_nc: %u.ums base rtt: %ums\n\tACKs-compressed: %u, ACKs delayed: %u delayed ACKs sent: %u", + "mach_timestamp": 7.3937233329425E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/usr/lib/libusrtcp.dylib", + "image_uuid": "C5739A55-A9D3-3AFB-9AC9-652E5799B536", + "program_counter": 139368 + }, + "subsystem": "com.apple.network", + "thread_id": 1134682, + "timestamp": "2025-10-15T10:55:41.285Z", + "trace_id": "1201924813745291268", + "user_id": "200" + } + }, + "message": "nw_protocol_tcp_log_summary [C138.1.1.1:3] \n\t[E6445355-3580-4882-BEB9-3116A7090D05 :63735<->:443]\n\tInit: 1, Conn_Time: 40.819ms, SYNs: 1, WR_T: 0/0, RD_T: 0/0, TFO: 0/0/0, ECN: 0/0/0, Accurate ECN (client/server): Disabled/Disabled, TS: 1, TSO: 1\n\trtt_cache: none, rtt_upd: 7, rtt: 126.375ms, rtt_var: 91.187ms rtt_nc: 126.375ms, rtt_var_nc: 91.187ms base rtt: 21ms\n\tACKs-compressed: 2, ACKs delayed: 0 delayed ACKs sent: 0", + "process": { + "pid": 200, + "thread": { + "id": 1134682 + } + }, + "related": { + "user": [ + "200" + ] + }, + "source": { + "port": 63735 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-06T08:24:22.228Z", + "destination": { + "bytes": 1279, + "packets": 12, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": 
"{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":735152,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":369636,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Library/PrivateFrameworks/AssetCacheServices.framework/Versions/A/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-06 13:54:22.228920+0530\",\"machTimestamp\":674887694139028,\"eventMessage\":\"[C4 2078F1F7-050D-4E97-B216-93CB6C1E432E Hostname#2ab31f55:443 quic-connection, url hash: ad2c9e65, definite, no cellular, attribution: developer] cancelled\\n\\t[C4.1.1.1 7647497A-C8DC-4CB4-8104-3CD8282E82BB 192.168.29.221:61493<->IPv4#24e715a9:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 1.502s, DNS @0.002s took 0.158s, TCP @0.163s took 0.322s, TLS 1.3 took 0.681s\\n\\tbytes in/out: 4897/1279, packets in/out: 7/12, rtt: 0.304s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 
6/3/0/0\",\"processImageUUID\":\"A13B24FC-A7FE-39C0-80AC-BBB2E6C9A5C9\",\"traceID\":589370805553791000,\"processID\":1357,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "2ab31f55" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "735152", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bytes_in": 4897, + "bytes_out": 1279, + "client_ip": "192.168.29.221", + "client_port": 61493, + "connection_detail": "4.1.1.1", + "connection_id": "4", + "connection_uuid": "7647497A-C8DC-4CB4-8104-3CD8282E82BB", + "description": "[C4 2078F1F7-050D-4E97-B216-93CB6C1E432E Hostname#2ab31f55:443 quic-connection, url hash: ad2c9e65, definite, no cellular, attribution: developer] cancelled\n\t[C4.1.1.1 7647497A-C8DC-4CB4-8104-3CD8282E82BB 192.168.29.221:61493<->IPv4#24e715a9:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 1.502s, DNS @0.002s took 0.158s, TCP @0.163s took 0.322s, TLS 1.3 took 0.681s\n\tbytes in/out: 4897/1279, packets in/out: 7/12, rtt: 0.304s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/3/0/0", + "dns_duration": "0.158s", + "dns_start": "0.002s", + "duration": "1.502s", + "ecn_acked": 3, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 6, + "hostname": "2ab31f55", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 7, + "packets_out": 12, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.304s", + "server_id": "24e715a9", + 
"server_port": 443, + "session_uuid": "2078F1F7-050D-4E97-B216-93CB6C1E432E", + "tcp_duration": "0.322s", + "tcp_start": "0.163s", + "tls_duration": "0.681s", + "tls_version": "1.3", + "url_hash": "ad2c9e65" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 6.74887694139028E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 1357, + "image_path": "/System/Library/PrivateFrameworks/AssetCacheServices.framework/Versions/A/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService", + "image_uuid": "A13B24FC-A7FE-39C0-80AC-BBB2E6C9A5C9" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 369636, + "timestamp": "2025-10-06T08:24:22.228Z", + "trace_id": "589370805553791000", + "user_id": "501" + } + }, + "message": "[C4 2078F1F7-050D-4E97-B216-93CB6C1E432E Hostname#2ab31f55:443 quic-connection, url hash: ad2c9e65, definite, no cellular, attribution: developer] cancelled\n\t[C4.1.1.1 7647497A-C8DC-4CB4-8104-3CD8282E82BB 192.168.29.221:61493<->IPv4#24e715a9:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 1.502s, DNS @0.002s took 0.158s, TCP @0.163s took 0.322s, TLS 1.3 took 0.681s\n\tbytes in/out: 4897/1279, packets in/out: 7/12, 
rtt: 0.304s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/3/0/0", + "network": { + "bytes": 6176, + "packets": 19 + }, + "process": { + "pid": 1357, + "thread": { + "id": 369636 + } + }, + "related": { + "hosts": [ + "2ab31f55" + ], + "ip": [ + "192.168.29.221" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 4897, + "ip": "192.168.29.221", + "packets": 7, + "port": 61493 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-10T12:01:03.902Z", + "destination": { + "bytes": 1134, + "packets": 17, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: 
%llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":846881,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Library/PrivateFrameworks/Categories.framework/Versions/A/XPCServices/CategoriesService.xpc/Contents/MacOS/CategoriesService\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-10 17:31:03.902924+0530\",\"machTimestamp\":713875321568105,\"eventMessage\":\"[C5 FDF72F57-8AF3-4FDB-BCBE-088778C53F56 Hostname#57dd9b6b:443 quic-connection, url hash: 63dc1356, definite, attribution: developer] cancelled\\n\\t[C5.1.1.1 3D5458F0-82A5-4042-ADD0-436BC06BC41A 81.2.69.192:61679<->IPv4#b63cfd75:443]\\n\\tConnected Path: unsatisfied (No network route)\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 31.645s, DNS @0.000s took 0.046s, TCP @0.092s took 0.101s, TLS 1.3 took 0.356s\\n\\tbytes in/out: 11307/1134, packets in/out: 15/17, rtt: 0.091s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 6/6/0/0\",\"processImageUUID\":\"3BDFA195-D1C8-38B1-9F8F-71DF40B5644F\",\"traceID\":589370805553725400,\"processID\":1358,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "57dd9b6b" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bytes_in": 11307, + "bytes_out": 1134, + 
"client_ip": "81.2.69.192", + "client_port": 61679, + "connection_detail": "5.1.1.1", + "connection_id": "5", + "connection_uuid": "3D5458F0-82A5-4042-ADD0-436BC06BC41A", + "description": "[C5 FDF72F57-8AF3-4FDB-BCBE-088778C53F56 Hostname#57dd9b6b:443 quic-connection, url hash: 63dc1356, definite, attribution: developer] cancelled\n\t[C5.1.1.1 3D5458F0-82A5-4042-ADD0-436BC06BC41A 81.2.69.192:61679<->IPv4#b63cfd75:443]\n\tConnected Path: unsatisfied (No network route)\n\tPrivacy Stance: Not Eligible\n\tDuration: 31.645s, DNS @0.000s took 0.046s, TCP @0.092s took 0.101s, TLS 1.3 took 0.356s\n\tbytes in/out: 11307/1134, packets in/out: 15/17, rtt: 0.091s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/6/0/0", + "dns_duration": "0.046s", + "dns_start": "0.000s", + "duration": "31.645s", + "ecn_acked": 6, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 6, + "hostname": "57dd9b6b", + "hostname_port": 443, + "out_of_order_bytes": 0, + "packets_in": 15, + "packets_out": 17, + "path_status": "unsatisfied (No network route)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.091s", + "server_id": "b63cfd75", + "server_port": 443, + "session_uuid": "FDF72F57-8AF3-4FDB-BCBE-088778C53F56", + "tcp_duration": "0.101s", + "tcp_start": "0.092s", + "tls_duration": "0.356s", + "tls_version": "1.3", + "url_hash": "63dc1356" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.13875321568105E14, + "message_type": "Default", + 
"parent_activity_identifier": "0", + "process": { + "id": 1358, + "image_path": "/System/Library/PrivateFrameworks/Categories.framework/Versions/A/XPCServices/CategoriesService.xpc/Contents/MacOS/CategoriesService", + "image_uuid": "3BDFA195-D1C8-38B1-9F8F-71DF40B5644F" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 846881, + "timestamp": "2025-10-10T12:01:03.902Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C5 FDF72F57-8AF3-4FDB-BCBE-088778C53F56 Hostname#57dd9b6b:443 quic-connection, url hash: 63dc1356, definite, attribution: developer] cancelled\n\t[C5.1.1.1 3D5458F0-82A5-4042-ADD0-436BC06BC41A 81.2.69.192:61679<->IPv4#b63cfd75:443]\n\tConnected Path: unsatisfied (No network route)\n\tPrivacy Stance: Not Eligible\n\tDuration: 31.645s, DNS @0.000s took 0.046s, TCP @0.092s took 0.101s, TLS 1.3 took 0.356s\n\tbytes in/out: 11307/1134, packets in/out: 15/17, rtt: 0.091s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 6/6/0/0", + "network": { + "bytes": 12441, + "packets": 32 + }, + "process": { + "pid": 1358, + "thread": { + "id": 846881 + } + }, + "related": { + "hosts": [ + "57dd9b6b" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 11307, + "ip": "81.2.69.192", + "packets": 15, + "port": 61679 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-13T10:16:02.626Z", + "destination": { + "bytes": 1794, + "packets": 13, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": 
"{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":989346,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Library/PrivateFrameworks/WebPrivacy.framework/Versions/A/webprivacyd\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-13 15:46:02.626846+0530\",\"machTimestamp\":725864856643286,\"eventMessage\":\"[C3 B15E5A4C-0678-4AAE-966F-27EE4832CD2B Hostname#1b9ec12d:443 quic-connection, url hash: 6789733a, traffic class: 100, definite, no cellular, attribution: developer] cancelled\\n\\t[C3.1.1.1 7E1EAD37-5F78-439B-B3C0-DB0437036AEC 81.2.69.192:63744<->IPv4#f9ff2f4d:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 35.277s, DNS @0.008s took 0.036s, TCP @0.049s took 0.075s, TLS 1.3 took 0.282s\\n\\tbytes in/out: 4582/1794, packets in/out: 10/13, rtt: 0.072s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 
0/0/0/0\",\"processImageUUID\":\"820CBE50-DE8D-3C38-8714-04629EC16984\",\"traceID\":589370805553725400,\"processID\":2018,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "1b9ec12d" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bytes_in": 4582, + "bytes_out": 1794, + "client_ip": "81.2.69.192", + "client_port": 63744, + "connection_detail": "3.1.1.1", + "connection_id": "3", + "connection_uuid": "7E1EAD37-5F78-439B-B3C0-DB0437036AEC", + "description": "[C3 B15E5A4C-0678-4AAE-966F-27EE4832CD2B Hostname#1b9ec12d:443 quic-connection, url hash: 6789733a, traffic class: 100, definite, no cellular, attribution: developer] cancelled\n\t[C3.1.1.1 7E1EAD37-5F78-439B-B3C0-DB0437036AEC 81.2.69.192:63744<->IPv4#f9ff2f4d:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 35.277s, DNS @0.008s took 0.036s, TCP @0.049s took 0.075s, TLS 1.3 took 0.282s\n\tbytes in/out: 4582/1794, packets in/out: 10/13, rtt: 0.072s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.036s", + "dns_start": "0.008s", + "duration": "35.277s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "1b9ec12d", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 10, + "packets_out": 13, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.072s", + "server_id": 
"f9ff2f4d", + "server_port": 443, + "session_uuid": "B15E5A4C-0678-4AAE-966F-27EE4832CD2B", + "tcp_duration": "0.075s", + "tcp_start": "0.049s", + "tls_duration": "0.282s", + "tls_version": "1.3", + "traffic_class": "100", + "url_hash": "6789733a" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.25864856643286E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 2018, + "image_path": "/System/Library/PrivateFrameworks/WebPrivacy.framework/Versions/A/webprivacyd", + "image_uuid": "820CBE50-DE8D-3C38-8714-04629EC16984" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 989346, + "timestamp": "2025-10-13T10:16:02.626Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C3 B15E5A4C-0678-4AAE-966F-27EE4832CD2B Hostname#1b9ec12d:443 quic-connection, url hash: 6789733a, traffic class: 100, definite, no cellular, attribution: developer] cancelled\n\t[C3.1.1.1 7E1EAD37-5F78-439B-B3C0-DB0437036AEC 81.2.69.192:63744<->IPv4#f9ff2f4d:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 35.277s, DNS @0.008s took 0.036s, TCP @0.049s took 0.075s, TLS 1.3 took 0.282s\n\tbytes in/out: 4582/1794, packets in/out: 10/13, rtt: 0.072s, 
retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 6376, + "packets": 23 + }, + "process": { + "pid": 2018, + "thread": { + "id": 989346 + } + }, + "related": { + "hosts": [ + "1b9ec12d" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 4582, + "ip": "81.2.69.192", + "packets": 10, + "port": 63744 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T09:39:14.100Z", + "destination": { + "bytes": 1483, + "packets": 9, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":242,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1093082,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/usr/libexec/nsurlsessiond\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 
15:09:14.100746+0530\",\"machTimestamp\":734785195723900,\"eventMessage\":\"[C343 3E8A076A-D684-45AF-A52F-C51D5B28AFDF Hostname#e3feefa8:443 quic-connection, bundle id: com.apple.mobileassetd.client.trustd, url hash: 117a22f2, attribution: developer] cancelled\\n\\t[C343.1.1.1 18BBE472-4617-480B-BFFE-78CBBBD16009 81.2.69.192:64457<->IPv4#81585636:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 2.997s, DNS @0.047s took 0.101s, TCP @0.198s took 0.049s, TLS 1.3 took 0.250s\\n\\tbytes in/out: 4916/1483, packets in/out: 6/9, rtt: 0.087s, retransmitted bytes: 451, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"5CF1C24C-80AC-35A6-A065-986216BBD0B2\",\"traceID\":589370805553725400,\"processID\":198,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "e3feefa8" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bundle_id": "com.apple.mobileassetd.client.trustd", + "bytes_in": 4916, + "bytes_out": 1483, + "client_ip": "81.2.69.192", + "client_port": 64457, + "connection_detail": "343.1.1.1", + "connection_id": "343", + "connection_uuid": "18BBE472-4617-480B-BFFE-78CBBBD16009", + "description": "[C343 3E8A076A-D684-45AF-A52F-C51D5B28AFDF Hostname#e3feefa8:443 quic-connection, bundle id: com.apple.mobileassetd.client.trustd, url hash: 117a22f2, attribution: developer] cancelled\n\t[C343.1.1.1 18BBE472-4617-480B-BFFE-78CBBBD16009 81.2.69.192:64457<->IPv4#81585636:443]\n\tConnected Path: satisfied 
(Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.997s, DNS @0.047s took 0.101s, TCP @0.198s took 0.049s, TLS 1.3 took 0.250s\n\tbytes in/out: 4916/1483, packets in/out: 6/9, rtt: 0.087s, retransmitted bytes: 451, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.101s", + "dns_start": "0.047s", + "duration": "2.997s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "e3feefa8", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 6, + "packets_out": 9, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 451, + "rtt": "0.087s", + "server_id": "81585636", + "server_port": 443, + "session_uuid": "3E8A076A-D684-45AF-A52F-C51D5B28AFDF", + "tcp_duration": "0.049s", + "tcp_start": "0.198s", + "tls_duration": "0.250s", + "tls_version": "1.3", + "url_hash": "117a22f2" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.347851957239E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 198, + "image_path": "/usr/libexec/nsurlsessiond", + "image_uuid": "5CF1C24C-80AC-35A6-A065-986216BBD0B2" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": 
"com.apple.network", + "thread_id": 1093082, + "timestamp": "2025-10-15T09:39:14.100Z", + "trace_id": "589370805553725400", + "user_id": "242" + } + }, + "message": "[C343 3E8A076A-D684-45AF-A52F-C51D5B28AFDF Hostname#e3feefa8:443 quic-connection, bundle id: com.apple.mobileassetd.client.trustd, url hash: 117a22f2, attribution: developer] cancelled\n\t[C343.1.1.1 18BBE472-4617-480B-BFFE-78CBBBD16009 81.2.69.192:64457<->IPv4#81585636:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.997s, DNS @0.047s took 0.101s, TCP @0.198s took 0.049s, TLS 1.3 took 0.250s\n\tbytes in/out: 4916/1483, packets in/out: 6/9, rtt: 0.087s, retransmitted bytes: 451, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 6399, + "packets": 15 + }, + "process": { + "pid": 198, + "thread": { + "id": 1093082 + } + }, + "related": { + "hosts": [ + "e3feefa8" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "242" + ] + }, + "source": { + "bytes": 4916, + "ip": "81.2.69.192", + "packets": 6, + "port": 64457 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "242" + ] + } + }, + { + "@timestamp": "2025-10-15T10:10:13.211Z", + "destination": { + "bytes": 1264, + "packets": 19, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: 
%llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1109068,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 15:40:13.211900+0530\",\"machTimestamp\":736644276688203,\"eventMessage\":\"[C353 EA9249FC-6CC1-49B8-8895-117CDF0CA0A7 gsp-ssl.ls.apple.com:443 quic-connection, url: https://gsp-ssl.ls.apple.com/ab.arpc, definite, attribution: developer] cancelled\\n\\t[C353.1.1.1 0FDAC462-E350-4084-AD16-F0165B29ED88 81.2.69.192:64518<->17.8.135.181:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 33.863s, DNS @0.001s took 0.021s, TCP @0.025s took 1.107s, TLS 1.3 took 1.518s\\n\\tbytes in/out: 8914/1264, packets in/out: 13/19, rtt: 0.748s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"0C03D38B-8986-3F1E-AE36-FBC14991D019\",\"traceID\":589370805553725400,\"processID\":1163,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "gsp-ssl.ls.apple.com" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + 
} + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bytes_in": 8914, + "bytes_out": 1264, + "client_ip": "81.2.69.192", + "client_port": 64518, + "connection_detail": "353.1.1.1", + "connection_id": "353", + "connection_uuid": "0FDAC462-E350-4084-AD16-F0165B29ED88", + "description": "[C353 EA9249FC-6CC1-49B8-8895-117CDF0CA0A7 gsp-ssl.ls.apple.com:443 quic-connection, url: https://gsp-ssl.ls.apple.com/ab.arpc, definite, attribution: developer] cancelled\n\t[C353.1.1.1 0FDAC462-E350-4084-AD16-F0165B29ED88 81.2.69.192:64518<->17.8.135.181:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 33.863s, DNS @0.001s took 0.021s, TCP @0.025s took 1.107s, TLS 1.3 took 1.518s\n\tbytes in/out: 8914/1264, packets in/out: 13/19, rtt: 0.748s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.021s", + "dns_start": "0.001s", + "duration": "33.863s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "gsp-ssl.ls.apple.com", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 13, + "packets_out": 19, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.748s", + "server_id": "17.8.135.181", + "server_port": 443, + "session_uuid": "EA9249FC-6CC1-49B8-8895-117CDF0CA0A7", + "tcp_duration": "1.107s", + "tcp_start": "0.025s", + "tls_duration": "1.518s", + "tls_version": "1.3", + "url": "https://gsp-ssl.ls.apple.com/ab.arpc" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy 
Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.36644276688203E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 1163, + "image_path": "/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod", + "image_uuid": "0C03D38B-8986-3F1E-AE36-FBC14991D019" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1109068, + "timestamp": "2025-10-15T10:10:13.211Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C353 EA9249FC-6CC1-49B8-8895-117CDF0CA0A7 gsp-ssl.ls.apple.com:443 quic-connection, url: https://gsp-ssl.ls.apple.com/ab.arpc, definite, attribution: developer] cancelled\n\t[C353.1.1.1 0FDAC462-E350-4084-AD16-F0165B29ED88 81.2.69.192:64518<->17.8.135.181:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 33.863s, DNS @0.001s took 0.021s, TCP @0.025s took 1.107s, TLS 1.3 took 1.518s\n\tbytes in/out: 8914/1264, packets in/out: 13/19, rtt: 0.748s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 10178, + "packets": 32 + }, + "process": { + "pid": 1163, + "thread": { + "id": 1109068 + } + }, + "related": { + "hosts": [ + "gsp-ssl.ls.apple.com" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 8914, + "ip": "81.2.69.192", + "packets": 13, + "port": 
64518 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "url": { + "domain": "gsp-ssl.ls.apple.com", + "extension": "arpc", + "original": "https://gsp-ssl.ls.apple.com/ab.arpc", + "path": "/ab.arpc", + "scheme": "https" + }, + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T10:29:06.346Z", + "destination": { + "bytes": 2724, + "packets": 18, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1118427,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 15:59:06.346800+0530\",\"machTimestamp\":737777411588029,\"eventMessage\":\"[C637 60307C5A-FC74-4BE5-8FCA-7D64E75C0C1E 
Hostname#41b68ffe:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: c942ec6a, definite, attribution: developer] cancelled\\n\\t[C637.1.1.1 5ABAFEC7-3104-4614-93B8-DCC011441D5E 81.2.69.192:64546<->IPv4#6054f3b2:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 240.157s, DNS @0.009s took 0.050s, TCP @0.063s took 0.014s, TLS 1.3 took 0.063s\\n\\tbytes in/out: 12467/2724, packets in/out: 15/18, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12\",\"traceID\":589370805553725400,\"processID\":22858,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "41b68ffe" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "account_id": "1ca5a8cf", + "attribution": "developer", + "bundle_id": "com.apple.Safari", + "bytes_in": 12467, + "bytes_out": 2724, + "client_ip": "81.2.69.192", + "client_port": 64546, + "connection_detail": "637.1.1.1", + "connection_id": "637", + "connection_uuid": "5ABAFEC7-3104-4614-93B8-DCC011441D5E", + "description": "[C637 60307C5A-FC74-4BE5-8FCA-7D64E75C0C1E Hostname#41b68ffe:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: c942ec6a, definite, attribution: developer] cancelled\n\t[C637.1.1.1 5ABAFEC7-3104-4614-93B8-DCC011441D5E 81.2.69.192:64546<->IPv4#6054f3b2:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], 
ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 240.157s, DNS @0.009s took 0.050s, TCP @0.063s took 0.014s, TLS 1.3 took 0.063s\n\tbytes in/out: 12467/2724, packets in/out: 15/18, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.050s", + "dns_start": "0.009s", + "duration": "240.157s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "41b68ffe", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 15, + "packets_out": 18, + "path_status": "satisfied (Path is satisfied)", + "pid": 22850, + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.014s", + "server_id": "6054f3b2", + "server_port": 443, + "session_uuid": "60307C5A-FC74-4BE5-8FCA-7D64E75C0C1E", + "tcp_duration": "0.014s", + "tcp_start": "0.063s", + "tls_duration": "0.063s", + "tls_version": "1.3", + "url_hash": "c942ec6a" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.37777411588029E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 22858, + "image_path": "/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking", + "image_uuid": "A75D659A-3E6F-39F2-A0E8-E329D9A2EF12" + }, + "sender": { + "image_path": 
"/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1118427, + "timestamp": "2025-10-15T10:29:06.346Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C637 60307C5A-FC74-4BE5-8FCA-7D64E75C0C1E Hostname#41b68ffe:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: c942ec6a, definite, attribution: developer] cancelled\n\t[C637.1.1.1 5ABAFEC7-3104-4614-93B8-DCC011441D5E 81.2.69.192:64546<->IPv4#6054f3b2:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 240.157s, DNS @0.009s took 0.050s, TCP @0.063s took 0.014s, TLS 1.3 took 0.063s\n\tbytes in/out: 12467/2724, packets in/out: 15/18, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 15191, + "packets": 33 + }, + "process": { + "pid": 22850, + "thread": { + "id": 1118427 + } + }, + "related": { + "hosts": [ + "41b68ffe" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 12467, + "ip": "81.2.69.192", + "packets": 15, + "port": 64546 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T10:31:06.402Z", + "destination": { + "bytes": 4145, + "packets": 258, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P 
%{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1120775,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 16:01:06.402509+0530\",\"machTimestamp\":737897409062445,\"eventMessage\":\"[C695 FBD48CD5-8BEB-495D-9143-3D94CEFD897D Hostname#b8300d06:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: ba83d597, definite, proxy fail closed for unreachable, attribution: developer, third party web content] cancelled\\n\\t[C695.1.2.1 EDEEE996-8CF0-4BC9-BA34-7CD4ABA75E93 81.2.69.192:64554<->IPv4#60e4a0b3:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 178.192s, DNS @0.109s took 0.002s, TCP @0.113s took 0.026s, TLS 1.3 took 0.048s\\n\\tbytes in/out: 4359196/4145, packets in/out: 573/258, rtt: 0.036s, retransmitted bytes: 0, out-of-order bytes: 5816\\n\\tecn packets sent/acked/marked/lost: 
0/0/0/0\",\"processImageUUID\":\"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12\",\"traceID\":589370805553725400,\"processID\":22858,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "b8300d06" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "account_id": "1ca5a8cf", + "attribution": "developer", + "bundle_id": "com.apple.Safari", + "bytes_in": 4359196, + "bytes_out": 4145, + "client_ip": "81.2.69.192", + "client_port": 64554, + "connection_detail": "695.1.2.1", + "connection_id": "695", + "connection_uuid": "EDEEE996-8CF0-4BC9-BA34-7CD4ABA75E93", + "description": "[C695 FBD48CD5-8BEB-495D-9143-3D94CEFD897D Hostname#b8300d06:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: ba83d597, definite, proxy fail closed for unreachable, attribution: developer, third party web content] cancelled\n\t[C695.1.2.1 EDEEE996-8CF0-4BC9-BA34-7CD4ABA75E93 81.2.69.192:64554<->IPv4#60e4a0b3:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 178.192s, DNS @0.109s took 0.002s, TCP @0.113s took 0.026s, TLS 1.3 took 0.048s\n\tbytes in/out: 4359196/4145, packets in/out: 573/258, rtt: 0.036s, retransmitted bytes: 0, out-of-order bytes: 5816\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.002s", + "dns_start": "0.109s", + "duration": "178.192s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "b8300d06", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 5816, + "packets_in": 
573, + "packets_out": 258, + "path_status": "satisfied (Path is satisfied)", + "pid": 22850, + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.036s", + "server_id": "60e4a0b3", + "server_port": 443, + "session_uuid": "FBD48CD5-8BEB-495D-9143-3D94CEFD897D", + "tcp_duration": "0.026s", + "tcp_start": "0.113s", + "tls_duration": "0.048s", + "tls_version": "1.3", + "url_hash": "ba83d597" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.37897409062445E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 22858, + "image_path": "/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking", + "image_uuid": "A75D659A-3E6F-39F2-A0E8-E329D9A2EF12" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1120775, + "timestamp": "2025-10-15T10:31:06.402Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C695 FBD48CD5-8BEB-495D-9143-3D94CEFD897D Hostname#b8300d06:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: ba83d597, definite, proxy fail closed for unreachable, attribution: developer, third party web content] cancelled\n\t[C695.1.2.1 
EDEEE996-8CF0-4BC9-BA34-7CD4ABA75E93 81.2.69.192:64554<->IPv4#60e4a0b3:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 178.192s, DNS @0.109s took 0.002s, TCP @0.113s took 0.026s, TLS 1.3 took 0.048s\n\tbytes in/out: 4359196/4145, packets in/out: 573/258, rtt: 0.036s, retransmitted bytes: 0, out-of-order bytes: 5816\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 4363341, + "packets": 831 + }, + "process": { + "pid": 22850, + "thread": { + "id": 1120775 + } + }, + "related": { + "hosts": [ + "b8300d06" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 4359196, + "ip": "81.2.69.192", + "packets": 573, + "port": 64554 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T10:31:06.407Z", + "destination": { + "bytes": 1080, + "packets": 14, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: 
%llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1120775,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 16:01:06.407407+0530\",\"machTimestamp\":737897413960372,\"eventMessage\":\"[C693 4867D16B-268D-43E3-8FC5-C94DD80A1C80 Hostname#9d5a29e4:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: 38a58942, definite, attribution: developer, third party web content] cancelled\\n\\t[C693.1.1.1 5B6F7CDF-A595-46C0-AD7C-AB0A7A2DD3FF 81.2.69.192:64553<->IPv4#eef21366:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 193.203s, DNS @0.001s took 0.077s, TCP @0.081s took 0.017s, TLS 1.3 took 0.045s\\n\\tbytes in/out: 11782/1080, packets in/out: 9/14, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"A75D659A-3E6F-39F2-A0E8-E329D9A2EF12\",\"traceID\":589370805553725400,\"processID\":22858,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "9d5a29e4" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": 
"218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "account_id": "1ca5a8cf", + "attribution": "developer", + "bundle_id": "com.apple.Safari", + "bytes_in": 11782, + "bytes_out": 1080, + "client_ip": "81.2.69.192", + "client_port": 64553, + "connection_detail": "693.1.1.1", + "connection_id": "693", + "connection_uuid": "5B6F7CDF-A595-46C0-AD7C-AB0A7A2DD3FF", + "description": "[C693 4867D16B-268D-43E3-8FC5-C94DD80A1C80 Hostname#9d5a29e4:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: 38a58942, definite, attribution: developer, third party web content] cancelled\n\t[C693.1.1.1 5B6F7CDF-A595-46C0-AD7C-AB0A7A2DD3FF 81.2.69.192:64553<->IPv4#eef21366:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 193.203s, DNS @0.001s took 0.077s, TCP @0.081s took 0.017s, TLS 1.3 took 0.045s\n\tbytes in/out: 11782/1080, packets in/out: 9/14, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.077s", + "dns_start": "0.001s", + "duration": "193.203s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "9d5a29e4", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 9, + "packets_out": 14, + "path_status": "satisfied (Path is satisfied)", + "pid": 22850, + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.014s", + "server_id": "eef21366", + "server_port": 443, + "session_uuid": "4867D16B-268D-43E3-8FC5-C94DD80A1C80", + "tcp_duration": "0.017s", + "tcp_start": "0.081s", + "tls_duration": "0.045s", + "tls_version": "1.3", + "url_hash": "38a58942" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s 
%{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.37897413960372E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 22858, + "image_path": "/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking", + "image_uuid": "A75D659A-3E6F-39F2-A0E8-E329D9A2EF12" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1120775, + "timestamp": "2025-10-15T10:31:06.407Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C693 4867D16B-268D-43E3-8FC5-C94DD80A1C80 Hostname#9d5a29e4:443 quic-connection, bundle id: com.apple.Safari, pid: 22850, account id: 1ca5a8cf, url hash: 38a58942, definite, attribution: developer, third party web content] cancelled\n\t[C693.1.1.1 5B6F7CDF-A595-46C0-AD7C-AB0A7A2DD3FF 81.2.69.192:64553<->IPv4#eef21366:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 193.203s, DNS @0.001s took 0.077s, TCP @0.081s took 0.017s, TLS 1.3 took 0.045s\n\tbytes in/out: 11782/1080, packets in/out: 9/14, rtt: 0.014s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 12862, + "packets": 23 + }, + "process": { + "pid": 22850, + "thread": { + "id": 1120775 + } + }, 
+ "related": { + "hosts": [ + "9d5a29e4" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 11782, + "ip": "81.2.69.192", + "packets": 9, + "port": 64553 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T10:50:16.541Z", + "destination": { + "bytes": 3030, + "packets": 16, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1131741,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/usr/libexec/nsurlsessiond\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 16:20:16.541036+0530\",\"machTimestamp\":739047588408621,\"eventMessage\":\"[C66 D699D319-32C3-4543-803A-DCB7ED36A5F8 Hostname#0d5adf07:443 quic-connection, bundle id: com.apple.triald, url hash: 9e856d3a, traffic class: 100, no expensive, attribution: developer] 
cancelled\\n\\t[C66.1.1.1 F8FA4862-B203-490F-866E-BEC10DBEF962 81.2.69.192:64603<->IPv4#10574dec:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 2.549s, DNS @0.002s took 0.061s, TCP @0.067s took 0.016s, TLS 1.3 took 0.415s\\n\\tbytes in/out: 5629/3030, packets in/out: 8/16, rtt: 0.029s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"5CF1C24C-80AC-35A6-A065-986216BBD0B2\",\"traceID\":589370805553725400,\"processID\":1100,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "0d5adf07" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bundle_id": "com.apple.triald", + "bytes_in": 5629, + "bytes_out": 3030, + "client_ip": "81.2.69.192", + "client_port": 64603, + "connection_detail": "66.1.1.1", + "connection_id": "66", + "connection_uuid": "F8FA4862-B203-490F-866E-BEC10DBEF962", + "description": "[C66 D699D319-32C3-4543-803A-DCB7ED36A5F8 Hostname#0d5adf07:443 quic-connection, bundle id: com.apple.triald, url hash: 9e856d3a, traffic class: 100, no expensive, attribution: developer] cancelled\n\t[C66.1.1.1 F8FA4862-B203-490F-866E-BEC10DBEF962 81.2.69.192:64603<->IPv4#10574dec:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.549s, DNS @0.002s took 0.061s, TCP @0.067s took 0.016s, TLS 1.3 took 0.415s\n\tbytes in/out: 5629/3030, packets in/out: 8/16, rtt: 0.029s, 
retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.061s", + "dns_start": "0.002s", + "duration": "2.549s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "0d5adf07", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 8, + "packets_out": 16, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.029s", + "server_id": "10574dec", + "server_port": 443, + "session_uuid": "D699D319-32C3-4543-803A-DCB7ED36A5F8", + "tcp_duration": "0.016s", + "tcp_start": "0.067s", + "tls_duration": "0.415s", + "tls_version": "1.3", + "traffic_class": "100", + "url_hash": "9e856d3a" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.39047588408621E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 1100, + "image_path": "/usr/libexec/nsurlsessiond", + "image_uuid": "5CF1C24C-80AC-35A6-A065-986216BBD0B2" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1131741, + "timestamp": "2025-10-15T10:50:16.541Z", + "trace_id": "589370805553725400", + "user_id": "501" + } + }, + "message": "[C66 D699D319-32C3-4543-803A-DCB7ED36A5F8 Hostname#0d5adf07:443 
quic-connection, bundle id: com.apple.triald, url hash: 9e856d3a, traffic class: 100, no expensive, attribution: developer] cancelled\n\t[C66.1.1.1 F8FA4862-B203-490F-866E-BEC10DBEF962 81.2.69.192:64603<->IPv4#10574dec:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.549s, DNS @0.002s took 0.061s, TCP @0.067s took 0.016s, TLS 1.3 took 0.415s\n\tbytes in/out: 5629/3030, packets in/out: 8/16, rtt: 0.029s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 8659, + "packets": 24 + }, + "process": { + "pid": 1100, + "thread": { + "id": 1131741 + } + }, + "related": { + "hosts": [ + "0d5adf07" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "501" + ] + }, + "source": { + "bytes": 5629, + "ip": "81.2.69.192", + "packets": 8, + "port": 64603 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-15T10:51:27.886Z", + "destination": { + "bytes": 1060, + "packets": 18, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: 
%llu/%llu/%llu/%llu\",\"userID\":242,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1132574,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/usr/libexec/nsurlsessiond\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 16:21:27.886344+0530\",\"machTimestamp\":739118933716566,\"eventMessage\":\"[C348 90B95967-CD66-4EDD-AD9E-5BA99B3B1C62 Hostname#ea5d1e75:443 quic-connection, bundle id: com.apple.mobileassetd.client.auto-asset-client, url hash: 69b0e59d, traffic class: 100, expected workload: 237568, no expensive, attribution: developer] cancelled\\n\\t[C348.1.1.1 A8214DA1-14D6-4867-BEAC-F70599E6E765 81.2.69.192:64626<->IPv4#3ec082bd:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 2.893s, DNS @0.001s took 0.045s, TCP @0.050s took 0.047s, TLS 1.3 took 0.348s\\n\\tbytes in/out: 248482/1060, packets in/out: 75/18, rtt: 0.048s, retransmitted bytes: 0, out-of-order bytes: 0\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"5CF1C24C-80AC-35A6-A065-986216BBD0B2\",\"traceID\":589370805553725400,\"processID\":198,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "ea5d1e75" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + 
"attribution": "developer", + "bundle_id": "com.apple.mobileassetd.client.auto-asset-client", + "bytes_in": 248482, + "bytes_out": 1060, + "client_ip": "81.2.69.192", + "client_port": 64626, + "connection_detail": "348.1.1.1", + "connection_id": "348", + "connection_uuid": "A8214DA1-14D6-4867-BEAC-F70599E6E765", + "description": "[C348 90B95967-CD66-4EDD-AD9E-5BA99B3B1C62 Hostname#ea5d1e75:443 quic-connection, bundle id: com.apple.mobileassetd.client.auto-asset-client, url hash: 69b0e59d, traffic class: 100, expected workload: 237568, no expensive, attribution: developer] cancelled\n\t[C348.1.1.1 A8214DA1-14D6-4867-BEAC-F70599E6E765 81.2.69.192:64626<->IPv4#3ec082bd:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.893s, DNS @0.001s took 0.045s, TCP @0.050s took 0.047s, TLS 1.3 took 0.348s\n\tbytes in/out: 248482/1060, packets in/out: 75/18, rtt: 0.048s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.045s", + "dns_start": "0.001s", + "duration": "2.893s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "expected_workload": "237568", + "hostname": "ea5d1e75", + "hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 0, + "packets_in": 75, + "packets_out": 18, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.048s", + "server_id": "3ec082bd", + "server_port": 443, + "session_uuid": "90B95967-CD66-4EDD-AD9E-5BA99B3B1C62", + "tcp_duration": "0.047s", + "tcp_start": "0.050s", + "tls_duration": "0.348s", + "tls_version": "1.3", + "traffic_class": "100", + "url_hash": "69b0e59d" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: 
%{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.39118933716566E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 198, + "image_path": "/usr/libexec/nsurlsessiond", + "image_uuid": "5CF1C24C-80AC-35A6-A065-986216BBD0B2" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1132574, + "timestamp": "2025-10-15T10:51:27.886Z", + "trace_id": "589370805553725400", + "user_id": "242" + } + }, + "message": "[C348 90B95967-CD66-4EDD-AD9E-5BA99B3B1C62 Hostname#ea5d1e75:443 quic-connection, bundle id: com.apple.mobileassetd.client.auto-asset-client, url hash: 69b0e59d, traffic class: 100, expected workload: 237568, no expensive, attribution: developer] cancelled\n\t[C348.1.1.1 A8214DA1-14D6-4867-BEAC-F70599E6E765 81.2.69.192:64626<->IPv4#3ec082bd:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 2.893s, DNS @0.001s took 0.045s, TCP @0.050s took 0.047s, TLS 1.3 took 0.348s\n\tbytes in/out: 248482/1060, packets in/out: 75/18, rtt: 0.048s, retransmitted bytes: 0, out-of-order bytes: 0\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 249542, + "packets": 93 + }, + "process": { + "pid": 198, + "thread": { + "id": 1132574 + } + }, + "related": { + "hosts": [ + "ea5d1e75" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "242" + ] + }, + "source": { + "bytes": 248482, + "ip": "81.2.69.192", + "packets": 75, + "port": 64626 
+ }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "242" + ] + } + }, + { + "@timestamp": "2025-10-15T10:54:32.487Z", + "destination": { + "bytes": 1012, + "packets": 62, + "port": 443 + }, + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\\n\\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\\n\\tConnected Path: %{public}@\\n\\tPrivacy Stance: %{public}s\\n\\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\\n\\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\\n\\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu\",\"userID\":200,\"activityIdentifier\":0,\"subsystem\":\"com.apple.network\",\"category\":\"connection\",\"threadID\":1134682,\"senderImageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\",\"backtrace\":{\"frames\":[{\"imageOffset\":9418645,\"imageUUID\":\"E481CDB0-9C0C-3BBC-87FA-006C66D3223E\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated\",\"senderImagePath\":\"/System/Library/Frameworks/Network.framework/Versions/A/Network\",\"timestamp\":\"2025-10-15 16:24:32.487263+0530\",\"machTimestamp\":739303534635293,\"eventMessage\":\"[C137 5CADEB1D-0A08-4B41-B92D-B89BF308083E Hostname#3fba6d68:443 tcp, url hash: 15f2f095, tls, definite, attribution: developer] cancelled\\n\\t[C137.1.1 C84B1419-27A0-421C-8140-8478E1AC40F3 81.2.69.192:64673<->IPv4#14ad2c93:443]\\n\\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, 
uses wifi\\n\\tPrivacy Stance: Not Eligible\\n\\tDuration: 60.046s, DNS @0.000s took 0.045s, TCP @0.047s took 0.048s, TLS 1.3 took 0.151s\\n\\tbytes in/out: 515210/1012, packets in/out: 111/62, rtt: 0.135s, retransmitted bytes: 0, out-of-order bytes: 1242\\n\\tecn packets sent/acked/marked/lost: 0/0/0/0\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":589370805553725400,\"processID\":200,\"senderProgramCounter\":9418645,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "host": { + "id": "3fba6d68" + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + "backtrace": { + "frames": [ + { + "image": { + "offset": "9418645", + "uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "connection", + "event": { + "category": "Network Activity", + "message": { + "attribution": "developer", + "bytes_in": 515210, + "bytes_out": 1012, + "client_ip": "81.2.69.192", + "client_port": 64673, + "connection_detail": "137.1.1", + "connection_id": "137", + "connection_uuid": "C84B1419-27A0-421C-8140-8478E1AC40F3", + "description": "[C137 5CADEB1D-0A08-4B41-B92D-B89BF308083E Hostname#3fba6d68:443 tcp, url hash: 15f2f095, tls, definite, attribution: developer] cancelled\n\t[C137.1.1 C84B1419-27A0-421C-8140-8478E1AC40F3 81.2.69.192:64673<->IPv4#14ad2c93:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 60.046s, DNS @0.000s took 0.045s, TCP @0.047s took 0.048s, TLS 1.3 took 0.151s\n\tbytes in/out: 515210/1012, packets in/out: 111/62, rtt: 0.135s, retransmitted bytes: 0, out-of-order bytes: 1242\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "dns_duration": "0.045s", + "dns_start": "0.000s", + "duration": "60.046s", + "ecn_acked": 0, + "ecn_lost": 0, + "ecn_marked": 0, + "ecn_sent": 0, + "hostname": "3fba6d68", + 
"hostname_port": 443, + "interface": "en0[802.11]", + "out_of_order_bytes": 1242, + "packets_in": 111, + "packets_out": 62, + "path_status": "satisfied (Path is satisfied)", + "privacy_stance": "Not Eligible", + "retransmitted_bytes": 0, + "rtt": "0.135s", + "server_id": "14ad2c93", + "server_port": 443, + "session_uuid": "5CADEB1D-0A08-4B41-B92D-B89BF308083E", + "tcp_duration": "0.048s", + "tcp_start": "0.047s", + "tls_duration": "0.151s", + "tls_version": "1.3", + "url_hash": "15f2f095" + }, + "type": "logEvent" + }, + "format_string": "[C%u %{public,uuid_t}.16P %{public}s %{public}@] cancelled\n\t[C%{public}s %{public,uuid_t}.16P %{public}s<->%{public}s]\n\tConnected Path: %{public}@\n\tPrivacy Stance: %{public}s\n\tDuration: %u.%03us, DNS @%u.%03us took %u.%03us, %{public}s @%u.%03us took %u.%03us, %{public}s took %u.%03us\n\tbytes in/out: %llu/%llu, packets in/out: %llu/%llu, rtt: %u.%03us, retransmitted bytes: %llu, out-of-order bytes: %llu\n\tecn packets sent/acked/marked/lost: %llu/%llu/%llu/%llu", + "mach_timestamp": 7.39303534635293E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Network.framework/Versions/A/Network", + "image_uuid": "E481CDB0-9C0C-3BBC-87FA-006C66D3223E", + "program_counter": 9418645 + }, + "subsystem": "com.apple.network", + "thread_id": 1134682, + "timestamp": "2025-10-15T10:54:32.487Z", + "trace_id": "589370805553725400", + "user_id": "200" + } + }, + "message": "[C137 5CADEB1D-0A08-4B41-B92D-B89BF308083E Hostname#3fba6d68:443 tcp, url hash: 15f2f095, tls, definite, attribution: developer] cancelled\n\t[C137.1.1 C84B1419-27A0-421C-8140-8478E1AC40F3 81.2.69.192:64673<->IPv4#14ad2c93:443]\n\tConnected Path: satisfied (Path is satisfied), viable, interface: en0[802.11], 
ipv4, dns, uses wifi\n\tPrivacy Stance: Not Eligible\n\tDuration: 60.046s, DNS @0.000s took 0.045s, TCP @0.047s took 0.048s, TLS 1.3 took 0.151s\n\tbytes in/out: 515210/1012, packets in/out: 111/62, rtt: 0.135s, retransmitted bytes: 0, out-of-order bytes: 1242\n\tecn packets sent/acked/marked/lost: 0/0/0/0", + "network": { + "bytes": 516222, + "packets": 173 + }, + "process": { + "pid": 200, + "thread": { + "id": 1134682 + } + }, + "related": { + "hosts": [ + "3fba6d68" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "200" + ] + }, + "source": { + "bytes": 515210, + "ip": "81.2.69.192", + "packets": 111, + "port": 64673 + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + }, + { + "@timestamp": "2025-10-11T09:59:06.860Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"Attempting to rename power assertion %{public}d for target %{public}@ to %{public}@\",\"userID\":0,\"activityIdentifier\":1501972,\"subsystem\":\"com.apple.runningboard\",\"category\":\"ttl\",\"threadID\":918115,\"senderImageUUID\":\"DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1\",\"backtrace\":{\"frames\":[{\"imageOffset\":33797,\"imageUUID\":\"DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/usr\\/libexec\\/runningboardd\",\"senderImagePath\":\"\\/System\\/Library\\/PrivateFrameworks\\/RunningBoard.framework\\/Versions\\/A\\/RunningBoard\",\"timestamp\":\"2025-10-11 15:29:06.860717+0530\",\"machTimestamp\":719586938616305,\"eventMessage\":\"Attempting to rename power assertion 39013 for target xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070] to xpcservice:1260])(501)>{vt hash: 
175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070];118-1260-50086:[clock.WorldClockWidget-FF3B363AC5FD];118-1260-50125:[clock.WorldClockWidget-FF3B363AC5FD]\",\"processImageUUID\":\"8590F6F5-F2F4-3CDE-921F-D9A358F6E6AD\",\"traceID\":1680285626859847684,\"processID\":118,\"senderProgramCounter\":33797,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "1501972", + "backtrace": { + "frames": [ + { + "image": { + "offset": "33797", + "uuid": "DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "ttl", + "event": { + "category": "File", + "message": { + "description": "Attempting to rename power assertion 39013 for target xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070] to xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070];118-1260-50086:[clock.WorldClockWidget-FF3B363AC5FD];118-1260-50125:[clock.WorldClockWidget-FF3B363AC5FD]" + }, + "type": "logEvent" + }, + "format_string": "Attempting to rename power assertion %{public}d for target %{public}@ to %{public}@", + "mach_timestamp": 7.19586938616305E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 118, + "image_path": "/usr/libexec/runningboardd", + "image_uuid": "8590F6F5-F2F4-3CDE-921F-D9A358F6E6AD" + }, + "sender": { + "image_path": "/System/Library/PrivateFrameworks/RunningBoard.framework/Versions/A/RunningBoard", + "image_uuid": "DDC01CB6-7CBF-312E-BDCF-D6EA20CF36C1", + "program_counter": 33797 + }, + "subsystem": "com.apple.runningboard", + "thread_id": 918115, + "timestamp": "2025-10-11T09:59:06.860Z", + "trace_id": "1680285626859847684", + "user_id": "0" + } + }, + "message": "Attempting to rename power assertion 39013 for target xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070] to 
xpcservice:1260])(501)>{vt hash: 175396476}[uuid:69591B69-36BC-48EA-B6AF-1DBB255B4070];118-1260-50086:[clock.WorldClockWidget-FF3B363AC5FD];118-1260-50125:[clock.WorldClockWidget-FF3B363AC5FD]", + "process": { + "pid": 118, + "thread": { + "id": 918115 + } + }, + "related": { + "user": [ + "0" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "0" + ] + } + }, + { + "@timestamp": "2025-10-21T09:57:16.289Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"code signing internal problem: unexpected error from xpc: %s\",\"userID\":501,\"activityIdentifier\":0,\"subsystem\":\"com.apple.securityd\",\"category\":\"SecError\",\"threadID\":199743,\"senderImageUUID\":\"AF38D16B-954C-3A9E-B0F7-5100DB3D566C\",\"backtrace\":{\"frames\":[{\"imageOffset\":2219233,\"imageUUID\":\"AF38D16B-954C-3A9E-B0F7-5100DB3D566C\"}]},\"bootUUID\":\"AB156DC0-B7BC-4860-9E5C-A34A8BBE8699\",\"processImagePath\":\"\\/System\\/Library\\/Frameworks\\/StoreKit.framework\\/Support\\/storekitagent\",\"senderImagePath\":\"\\/System\\/Library\\/Frameworks\\/Security.framework\\/Versions\\/A\\/Security\",\"timestamp\":\"2025-10-21 15:27:16.289787+0530\",\"machTimestamp\":82458070242618,\"eventMessage\":\"code signing internal problem: unexpected error from xpc: { count = 1, transaction: 0, voucher = 0x0, contents =\\n\\t\\\"XPCErrorDescription\\\" => { length = 18, contents = \\\"Connection invalid\\\" }\\n}\",\"processImageUUID\":\"63A2B64B-11CA-3ABA-94D7-3916A3BD8D08\",\"traceID\":232616665735757828,\"processID\":552,\"senderProgramCounter\":2219233,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "0", + 
"backtrace": { + "frames": [ + { + "image": { + "offset": "2219233", + "uuid": "AF38D16B-954C-3A9E-B0F7-5100DB3D566C" + } + } + ] + }, + "boot_uuid": "AB156DC0-B7BC-4860-9E5C-A34A8BBE8699", + "category": "SecError", + "event": { + "category": "Process Execution Monitoring", + "message": { + "description": "code signing internal problem: unexpected error from xpc: { count = 1, transaction: 0, voucher = 0x0, contents =\n\t\"XPCErrorDescription\" => { length = 18, contents = \"Connection invalid\" }\n}" + }, + "type": "logEvent" + }, + "format_string": "code signing internal problem: unexpected error from xpc: %s", + "mach_timestamp": 8.2458070242618E13, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 552, + "image_path": "/System/Library/Frameworks/StoreKit.framework/Support/storekitagent", + "image_uuid": "63A2B64B-11CA-3ABA-94D7-3916A3BD8D08" + }, + "sender": { + "image_path": "/System/Library/Frameworks/Security.framework/Versions/A/Security", + "image_uuid": "AF38D16B-954C-3A9E-B0F7-5100DB3D566C", + "program_counter": 2219233 + }, + "subsystem": "com.apple.securityd", + "thread_id": 199743, + "timestamp": "2025-10-21T09:57:16.289Z", + "trace_id": "232616665735757828", + "user_id": "501" + } + }, + "message": "code signing internal problem: unexpected error from xpc: { count = 1, transaction: 0, voucher = 0x0, contents =\n\t\"XPCErrorDescription\" => { length = 18, contents = \"Connection invalid\" }\n}", + "process": { + "pid": 552, + "thread": { + "id": 199743 + } + }, + "related": { + "user": [ + "501" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "501" + ] + } + }, + { + "@timestamp": "2025-10-20T11:05:06.999Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": 
"{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"SecureTokenStatus users: admin %llu, admin w\\/SecureToken %llu, admin w\\/o SecureToken %llu, standard %llu, standard w\\/SecureToken %llu, standard w\\/o SecureToken %llu\",\"userID\":0,\"activityIdentifier\":80,\"subsystem\":\"com.apple.opendirectoryd\",\"category\":\"auth\",\"threadID\":5433,\"senderImageUUID\":\"B327C6FB-1480-39ED-B23A-F3D283CBFA1E\",\"backtrace\":{\"frames\":[{\"imageOffset\":49542,\"imageUUID\":\"B327C6FB-1480-39ED-B23A-F3D283CBFA1E\"}]},\"bootUUID\":\"AB156DC0-B7BC-4860-9E5C-A34A8BBE8699\",\"processImagePath\":\"\\/usr\\/libexec\\/opendirectoryd\",\"senderImagePath\":\"\\/System\\/Library\\/OpenDirectory\\/Modules\\/PlistFile.bundle\\/Contents\\/MacOS\\/PlistFile\",\"timestamp\":\"2025-10-20 16:35:06.999395+0530\",\"machTimestamp\":131200136411,\"eventMessage\":\"SecureTokenStatus users: admin 1, admin w\\/SecureToken 1, admin w\\/o SecureToken 0, standard 1, standard w\\/SecureToken 1, standard w\\/o SecureToken 0\",\"processImageUUID\":\"D8FEDD38-55EF-31D4-9A85-CC8ADF519F32\",\"traceID\":1597384271003652,\"processID\":134,\"senderProgramCounter\":49542,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "80", + "backtrace": { + "frames": [ + { + "image": { + "offset": "49542", + "uuid": "B327C6FB-1480-39ED-B23A-F3D283CBFA1E" + } + } + ] + }, + "boot_uuid": "AB156DC0-B7BC-4860-9E5C-A34A8BBE8699", + "category": "auth", + "event": { + "category": "User and Account Management", + "message": { + "description": "SecureTokenStatus users: admin 1, admin w/SecureToken 1, admin w/o SecureToken 0, standard 1, standard w/SecureToken 1, standard w/o SecureToken 0" + }, + "type": "logEvent" + }, + "format_string": "SecureTokenStatus users: admin %llu, admin w/SecureToken %llu, admin w/o SecureToken %llu, standard %llu, standard 
w/SecureToken %llu, standard w/o SecureToken %llu", + "mach_timestamp": 1.31200136411E11, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 134, + "image_path": "/usr/libexec/opendirectoryd", + "image_uuid": "D8FEDD38-55EF-31D4-9A85-CC8ADF519F32" + }, + "sender": { + "image_path": "/System/Library/OpenDirectory/Modules/PlistFile.bundle/Contents/MacOS/PlistFile", + "image_uuid": "B327C6FB-1480-39ED-B23A-F3D283CBFA1E", + "program_counter": 49542 + }, + "subsystem": "com.apple.opendirectoryd", + "thread_id": 5433, + "timestamp": "2025-10-20T11:05:06.999Z", + "trace_id": "1597384271003652", + "user_id": "0" + } + }, + "message": "SecureTokenStatus users: admin 1, admin w/SecureToken 1, admin w/o SecureToken 0, standard 1, standard w/SecureToken 1, standard w/o SecureToken 0", + "process": { + "pid": 134, + "thread": { + "id": 5433 + } + }, + "related": { + "user": [ + "0" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "0" + ] + } + }, + { + "@timestamp": "2025-10-15T10:52:37.440Z", + "ecs": { + "version": "9.2.0" + }, + "event": { + "category": [ + "authentication", + "configuration", + "file", + "host", + "iam", + "network", + "process" + ], + "kind": "event", + "original": "{\"timezoneName\":\"\",\"messageType\":\"Default\",\"eventType\":\"logEvent\",\"source\":null,\"formatString\":\"Product Evaluation: %s (%s): Installation check failed: %s\",\"userID\":200,\"activityIdentifier\":1606042,\"subsystem\":\"com.apple.SoftwareUpdate\",\"category\":\"SoftwareUpdate\",\"threadID\":1131759,\"senderImageUUID\":\"FFE66477-6648-38F8-997F-84A69295C606\",\"backtrace\":{\"frames\":[{\"imageOffset\":90555,\"imageUUID\":\"FFE66477-6648-38F8-997F-84A69295C606\"}]},\"bootUUID\":\"218031E6-E47F-4A77-B7FC-5A57B049F4BC\",\"processImagePath\":\"\\/System\\/Library\\/CoreServices\\/Software 
Update.app\\/Contents\\/Resources\\/softwareupdated\",\"senderImagePath\":\"\\/System\\/Library\\/PrivateFrameworks\\/SoftwareUpdate.framework\\/Versions\\/A\\/SoftwareUpdate\",\"timestamp\":\"2025-10-15 16:22:37.440396+0530\",\"machTimestamp\":739188487769009,\"eventMessage\":\"Product Evaluation: 041-79235 (041-79235.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 \\\"ERROR_7E7AEE96CA\\\" UserInfo={message=ERROR_7E7AEE96CA, type=Fatal, NSLocalizedDescription=ERROR_7E7AEE96CA}\",\"processImageUUID\":\"CD58B635-1F96-38BD-BF3B-DBA7CA293E28\",\"traceID\":1282334916650270724,\"processID\":200,\"senderProgramCounter\":90555,\"parentActivityIdentifier\":0}", + "type": [ + "info" + ] + }, + "log": { + "level": "Default" + }, + "macos": { + "unified_log": { + "activity_identifier": "1606042", + "backtrace": { + "frames": [ + { + "image": { + "offset": "90555", + "uuid": "FFE66477-6648-38F8-997F-84A69295C606" + } + } + ] + }, + "boot_uuid": "218031E6-E47F-4A77-B7FC-5A57B049F4BC", + "category": "SoftwareUpdate", + "event": { + "category": "System Changes", + "message": { + "description": "Product Evaluation: 041-79235 (041-79235.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 \"ERROR_7E7AEE96CA\" UserInfo={message=ERROR_7E7AEE96CA, type=Fatal, NSLocalizedDescription=ERROR_7E7AEE96CA}" + }, + "type": "logEvent" + }, + "format_string": "Product Evaluation: %s (%s): Installation check failed: %s", + "mach_timestamp": 7.39188487769009E14, + "message_type": "Default", + "parent_activity_identifier": "0", + "process": { + "id": 200, + "image_path": "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated", + "image_uuid": "CD58B635-1F96-38BD-BF3B-DBA7CA293E28" + }, + "sender": { + "image_path": "/System/Library/PrivateFrameworks/SoftwareUpdate.framework/Versions/A/SoftwareUpdate", + "image_uuid": "FFE66477-6648-38F8-997F-84A69295C606", + "program_counter": 90555 + }, + "subsystem": 
"com.apple.SoftwareUpdate", + "thread_id": 1131759, + "timestamp": "2025-10-15T10:52:37.440Z", + "trace_id": "1282334916650270724", + "user_id": "200" + } + }, + "message": "Product Evaluation: 041-79235 (041-79235.English.dist): Installation check failed: Error Domain=PKDistributionError Code=102 \"ERROR_7E7AEE96CA\" UserInfo={message=ERROR_7E7AEE96CA, type=Fatal, NSLocalizedDescription=ERROR_7E7AEE96CA}", + "process": { + "pid": 200, + "thread": { + "id": 1131759 + } + }, + "related": { + "user": [ + "200" + ] + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "200" + ] + } + } + ] +} diff --git a/packages/macos/data_stream/unified_log/agent/stream/unifiedlogs.yml.hbs b/packages/macos/data_stream/unified_log/agent/stream/unifiedlogs.yml.hbs new file mode 100644 index 00000000000..a8783df943e --- /dev/null +++ b/packages/macos/data_stream/unified_log/agent/stream/unifiedlogs.yml.hbs 
@@ -0,0 +1,80 @@
+predicate:
+{{#if authentication}}
+- 'process contains "sudo" OR composedMessage CONTAINS "sudo" OR process contains "su"'
+- 'process contains "loginwindow" and composedMessage CONTAINS "sessionDidLogin"'
+- 'process == "sshd"'
+{{/if}}
+{{#if user_and_account_management}}
+- 'process == "sysadminctl" AND composedMessage CONTAINS "Creating user"'
+- 'process == "dscl" AND composedMessage CONTAINS "create"'
+- 'process == "sysadminctl" AND composedMessage CONTAINS "Deleting user"'
+- 'process == "dscl" AND composedMessage CONTAINS "delete"'
+- '(process == "dscl" OR process == "opendirectoryd") AND composedMessage CONTAINS "admin"'
+{{/if}}
+{{#if process_execution_monitoring}}
+- 'eventMessage CONTAINS[c] "exec" OR eventMessage CONTAINS[c] "fork" OR eventMessage CONTAINS[c] "exited" OR eventMessage CONTAINS[c] "terminated"'
+- 'subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid")'
+- 'composedMessage CONTAINS "com.apple.quarantine"'
+{{/if}}
+{{#if network_activity}}
+- 'composedMessage CONTAINS "connect" AND (composedMessage CONTAINS "TCP" OR composedMessage CONTAINS "UDP")'
+- 'composedMessage CONTAINS "disconnect" OR composedMessage CONTAINS "closed connection"'
+- 'subsystem == "com.apple.necp" AND composedMessage CONTAINS "new connection"'
+- 'eventMessage CONTAINS[c] "listening" AND eventMessage CONTAINS[c] "service"'
+{{/if}}
+{{#if file_reads_writes}}
+- '(eventMessage CONTAINS "open" OR eventMessage CONTAINS "write" OR eventMessage CONTAINS "unlink" OR eventMessage CONTAINS "rename") AND ((processImagePath BEGINSWITH "/System") OR (processImagePath BEGINSWITH "/bin") OR (processImagePath BEGINSWITH "/sbin") OR (processImagePath BEGINSWITH "/usr" AND NOT processImagePath BEGINSWITH "/usr/local") OR (processImagePath BEGINSWITH "/etc"))'
+- 'subsystem == "com.apple.quarantine" OR eventMessage CONTAINS "com.apple.quarantine"'
+{{/if}}
+{{#if system_changes}}
+- 'subsystem == "com.apple.security" OR subsystem == "com.apple.systempolicy" OR subsystem == "com.apple.installer" OR process == "Installer" OR process == "softwareupdated" OR eventMessage CONTAINS[c] "removed package" OR eventMessage CONTAINS[c] "forget package"'
+{{/if}}
+{{#if advanced_monitoring}}
+- '(composedMessage CONTAINS ".plist" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (composedMessage CONTAINS ".ssh" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (process == "kernel" AND composedMessage CONTAINS "boot") OR (process == "launchd" AND (composedMessage CONTAINS "started" OR composedMessage CONTAINS "listening")) OR (process == "loginwindow" AND composedMessage CONTAINS "sessionDidLogin") OR (composedMessage CONTAINS "posix_spawn" OR composedMessage CONTAINS "exec") OR (subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid"))'
+{{/if}}
+{{#each predicate as |p|}}
+- {{p}}
+{{/each}}
+{{#if start}}
+start: {{start}}
+{{/if}}
+{{#if end}}
+end: {{end}}
+{{/if}}
+{{#if process}}
+process:
+{{#each process as |p|}}
+- {{p}}
+{{/each}}
+{{/if}}
+source: {{source}}
+info: {{info}}
+debug: {{debug}}
+backtrace: {{backtrace}}
+signpost: {{signpost}}
+unreliable: {{unreliable}}
+mach_continuous_time: {{mach_continuous_time}}
+backfill: {{backfill}}
+{{#if archive_file}}
+archive_file: {{archive_file}}
+{{/if}}
+{{#if trace_file}}
+trace_file: {{trace_file}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
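Review bot: The `authentication` block's `process contains "su"` is a substring match, so it selects every process whose name contains the letters "su" (for example `nsurlsessiond` or `suggestd`), which turns this predicate into a noise source rather than an authentication filter. The built-in `sshd` line already uses an exact match; the first predicate should do the same: `- 'process == "sudo" OR process == "su" OR composedMessage CONTAINS "sudo"'`. Separately, the user-supplied entries rendered by `{{#each predicate as |p|}}` / `- {{p}}` (and likewise `- {{p}}` under `process:`) are emitted unquoted into YAML, so a value containing `: ` or `#` produces an invalid stream configuration; whether those values are already quoted by the manifest is not visible in this hunk, and if they are not, wrapping them in single quotes as the built-in predicates are would avoid that.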
diff --git a/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/default.yml b/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..ed6c74957d1
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,467 @@ +--- +description: Pipeline for processing unified_log logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 9.2.0 + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + - set: + field: event.kind + tag: set_event_kind + value: event + - append: + field: event.category + tag: append_authentication_into_event_category + value: authentication + - append: + field: event.category + tag: append_configuration_into_event_category + value: configuration + - append: + field: event.category + tag: append_file_into_event_category + value: file + - append: + field: event.category + tag: append_host_into_event_category + value: host + - append: + field: event.category + tag: append_iam_into_event_category + value: iam + - append: + field: event.category + tag: append_network_into_event_category + value: network + - append: + field: event.category + tag: append_process_into_event_category + value: process + - append: + field: event.type + tag: append_info_into_event_type + value: info + - convert: + field: json.activityIdentifier + tag: convert_activityIdentifier_to_string + target_field: macos.unified_log.activity_identifier + type: string + ignore_missing: true + - foreach: + field: json.backtrace.frames + tag: foreach_backtrace_frames_imageOffset + if: ctx.json?.backtrace?.frames instanceof List + processor: + 
convert: + field: _ingest._value.imageOffset + type: string + tag: rename_backtrace_frames_imageOffset + target_field: _ingest._value.image.offset + ignore_missing: true + - foreach: + field: json.backtrace.frames + tag: foreach_backtrace_frames_imageOffset + if: ctx.json?.backtrace?.frames instanceof List + processor: + remove: + field: _ingest._value.imageOffset + tag: remove_imageOffset + ignore_missing: true + - foreach: + field: json.backtrace.frames + tag: foreach_backtrace_frames_imageUUID + if: ctx.json?.backtrace?.frames instanceof List + processor: + rename: + field: _ingest._value.imageUUID + tag: rename_backtrace_frames_imageUUID + target_field: _ingest._value.image.uuid + ignore_missing: true + - rename: + field: json.backtrace.frames + tag: rename_backtrace_frames + target_field: macos.unified_log.backtrace.frames + ignore_missing: true + - rename: + field: json.bootUUID + tag: rename_bootUUID + target_field: macos.unified_log.boot_uuid + ignore_missing: true + - rename: + field: json.category + tag: rename_category + target_field: macos.unified_log.category + ignore_missing: true + - rename: + field: json.eventMessage + tag: rename_eventMessage + target_field: macos.unified_log.event.message.description + ignore_missing: true + - set: + field: message + tag: set_message_from_unified_log_event_message_description + copy_from: macos.unified_log.event.message.description + ignore_empty_value: true + - grok: + description: Grok the eventMessage. 
+ tag: grok-event-message + field: macos.unified_log.event.message.description + ignore_missing: true + pattern_definitions: + GREEDYMULTILINE: '(.|\n)*' + patterns: + - '^-\[%{WORD} %{WORD}\] \|%{SPACE}final sessionDictionary:\{(?:%{SPACE}DirectLogoutType = %{NUMBER:macos.unified_log.event.message.direct_logout_type:int};)?(?:%{SPACE}GroupID = %{NUMBER:macos.unified_log.event.message.group_id};)?(?:%{SPACE}GuestAccount = %{NUMBER:macos.unified_log.event.message.guest_account:int};)?(?:%{SPACE}HomeDirectoryPath = %{DATA:macos.unified_log.event.message.home_directory_path};)?(?:%{SPACE}SessionAgentPID = %{NUMBER:macos.unified_log.event.message.session_agent_pid};)?(?:%{SPACE}UserGUID = %{DATA:macos.unified_log.event.message.user.guid};)?(?:%{SPACE}UserID = %{NUMBER:macos.unified_log.event.message.user.id};)?(?:%{SPACE}UserLongName = %{DATA:macos.unified_log.event.message.user.long_name};)?(?:%{SPACE}UserName = %{DATA:macos.unified_log.event.message.user.name};)?\n\}' + - '^-\[%{WORD} %{WORD}\] \|(?:%{SPACE}shortUsername = %{WORD:macos.unified_log.event.message.user.name},)?(?:%{SPACE}userID = %{NUMBER:macos.unified_log.event.message.user.id},)?(?:%{SPACE}groupID = %{NUMBER:macos.unified_log.event.message.group_id})' + - '%{GREEDYDATA:macos.unified_log.event.message.original}' + - set: + field: group.id + tag: set_group_id_from_unified_log_message_group_id + copy_from: macos.unified_log.event.message.group_id + ignore_empty_value: true + - set: + field: user.full_name + tag: set_user_full_name_from_unified_log_message_userlongname + copy_from: macos.unified_log.event.message.user.long_name + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_unified_log_message_username + copy_from: macos.unified_log.event.message.user.name + ignore_empty_value: true + - set: + field: user.group.id + tag: set_user_group_id_from_unified_log_message_user_guid + copy_from: macos.unified_log.event.message.user.guid + ignore_empty_value: true + - append: + 
field: user.id + tag: append_unified_log_event_message_user_id_into_user_id + value: '{{{macos.unified_log.event.message.user.id}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.event?.message?.user?.id != null + - append: + field: related.user + tag: append_unified_log_event_message_user_id_into_related_user + value: '{{{macos.unified_log.event.message.user.id}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.event?.message?.user?.id != null + - append: + field: related.user + tag: append_unified_log_event_message_user_long_name_into_related_user + value: '{{{macos.unified_log.event.message.user.long_name}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.event?.message?.user?.long_name != null + - append: + field: related.user + tag: append_unified_log_event_message_user_name_into_related_user + value: '{{{macos.unified_log.event.message.user.name}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.event?.message?.user?.name != null + - append: + field: related.user + tag: append_unified_log_event_message_user_guid_into_related_user + value: '{{{macos.unified_log.event.message.user.guid}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.event?.message?.user?.guid != null + - rename: + field: json.eventType + tag: rename_eventType + target_field: macos.unified_log.event.type + ignore_missing: true + - rename: + field: json.formatString + tag: rename_formatString + target_field: macos.unified_log.format_string + ignore_missing: true + - convert: + field: json.machTimestamp + type: double + tag: convert_machTimestamp_to_string + target_field: macos.unified_log.mach_timestamp + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.messageType + tag: rename_messageType + 
target_field: macos.unified_log.message_type + ignore_missing: true + - set: + field: log.level + tag: set_log_level_from_unified_log_message_type + copy_from: macos.unified_log.message_type + ignore_empty_value: true + - convert: + field: json.parentActivityIdentifier + tag: convert_parentActivityIdentifier_to_string + target_field: macos.unified_log.parent_activity_identifier + type: string + ignore_missing: true + - convert: + field: json.processID + tag: convert_processID_to_string + target_field: macos.unified_log.process.id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: process.pid + tag: set_process_pid_from_unified_log_process_id + copy_from: macos.unified_log.process.id + ignore_empty_value: true + - rename: + field: json.processImagePath + tag: rename_processImagePath + target_field: macos.unified_log.process.image_path + ignore_missing: true + - rename: + field: json.processImageUUID + tag: rename_processImageUUID + target_field: macos.unified_log.process.image_uuid + ignore_missing: true + - rename: + field: json.senderImagePath + tag: rename_senderImagePath + target_field: macos.unified_log.sender.image_path + ignore_missing: true + - rename: + field: json.senderImageUUID + tag: rename_senderImageUUID + target_field: macos.unified_log.sender.image_uuid + ignore_missing: true + - convert: + field: json.senderProgramCounter + tag: convert_senderProgramCounter_to_long + target_field: macos.unified_log.sender.program_counter + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: 
{{{_ingest.on_failure_message}}}' + - rename: + field: json.source + tag: rename_source + target_field: macos.unified_log.source + ignore_missing: true + - rename: + field: json.subsystem + tag: rename_subsystem + target_field: macos.unified_log.subsystem + ignore_missing: true + - convert: + field: json.threadID + tag: convert_threadID_to_long + target_field: macos.unified_log.thread_id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: process.thread.id + tag: set_process_thread_id_from_unified_log_thread_id + copy_from: macos.unified_log.thread_id + ignore_empty_value: true + - date: + field: json.timestamp + tag: date_timestamp + target_field: macos.unified_log.timestamp + formats: + - yyyy-MM-dd HH:mm:ss.SSSSSSZ + - yyyy-MM-dd HH:mm:ss.SSSZ + - strict_date_optional_time + if: ctx.json?.timestamp != null && ctx.json.timestamp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_unified_log_timestamp + copy_from: macos.unified_log.timestamp + ignore_empty_value: true + - rename: + field: json.timezoneName + tag: rename_timezoneName + target_field: macos.unified_log.timezone_name + ignore_missing: true + - convert: + field: json.traceID + tag: convert_traceID_to_string + target_field: macos.unified_log.trace_id + type: string + ignore_missing: true + - convert: + field: json.userID + tag: convert_userID_to_string + target_field: macos.unified_log.user_id + type: string + ignore_missing: true + - append: + field: user.id + tag: 
append_into_user_id_from_unified_log_user_id + value: '{{{macos.unified_log.user_id}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.user_id != null + - append: + field: related.user + tag: append_unified_log_user_id_into_related_user + value: '{{{macos.unified_log.user_id}}}' + allow_duplicates: false + if: ctx.macos?.unified_log?.user_id != null + - pipeline: + name: '{{ IngestPipeline "pipeline-network" }}' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.subsystem.toLowerCase().contains('network') || ctx.macos.unified_log.subsystem.toLowerCase().contains('xpc')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_network_into_custom_field + value: 'Network Activity' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.subsystem.toLowerCase().contains('network') || ctx.macos.unified_log.subsystem.toLowerCase().contains('xpc') || ctx.macos.unified_log.subsystem.toLowerCase().contains('necp')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_system_changes_into_custom_field + value: 'System Changes' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.subsystem.toLowerCase().contains('com.apple.security') || ctx.macos.unified_log.subsystem.toLowerCase().contains('systempolicy') || ctx.macos.unified_log.subsystem.toLowerCase().contains('com.apple.installer') || ctx.macos.unified_log.subsystem.toLowerCase().contains('softwareupdate') || ctx.macos.unified_log.event.message.description.contains('removed package') || ctx.macos.unified_log.event.message.description.contains('removed package') || ctx.macos.unified_log.event.message.description.contains('forget package')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_user_account_management_into_custom_field + value: 'User and Account Management' + if: ctx.macos?.unified_log?.subsystem != null && 
(ctx.macos.unified_log.subsystem.toLowerCase().contains('opendirectoryd') || ctx.macos.unified_log.event.message.description.contains('admin') || ctx.macos.unified_log.event.message.description.contains('delete') || ctx.macos.unified_log.event.message.description.contains('create') || ctx.macos.unified_log.event.message.description.contains('Creating user') || ctx.macos.unified_log.event.message.description.contains('Deleting user')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_authentication_into_custom_field + value: 'Authentication' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.event.message.description.contains('sudo') || ctx.macos.unified_log.event.message.description.contains('sessionDidLogin') || ctx.macos.unified_log.event.message.description.contains('loginwindow') || ctx.macos.unified_log.event.message.description.contains('login') || ctx.macos.unified_log.event.message.description.contains('sshd') || ctx.macos.unified_log.subsystem.toLowerCase().contains('sshd') || ctx.macos.unified_log.subsystem.toLowerCase().contains('loginwindow')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_process_into_custom_field + value: 'Process Execution Monitoring' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.event.message.description.contains('exec') || ctx.macos.unified_log.event.message.description.contains('fork') || ctx.macos.unified_log.event.message.description.contains('exited') || ctx.macos.unified_log.event.message.description.contains('terminated') || ctx.macos.unified_log.event.message.description.contains('launch') || (ctx.macos.unified_log.subsystem.toLowerCase().contains('com.apple.securityd') && (ctx.macos.unified_log.event.message.description.contains('code signing') || ctx.macos.unified_log.event.message.description.contains('not valid'))) || ctx.macos.unified_log.event.message.description.contains('com.apple.quarantine')) + - set: + field: 
macos.unified_log.event.category + tag: set_category_type_process_into_custom_field + value: 'File' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.event.message.description.contains(' open') || ctx.macos.unified_log.event.message.description.contains('write ') || ctx.macos.unified_log.event.message.description.contains('unlink') || ctx.macos.unified_log.event.message.description.contains('rename') || ctx.macos.unified_log.event.message.description.contains('modified')) + - set: + field: macos.unified_log.event.category + tag: set_category_type_process_into_custom_field + value: 'Advanced Monitoring' + if: ctx.macos?.unified_log?.subsystem != null && (ctx.macos.unified_log.event.message.description.contains('.plist') || ctx.macos.unified_log.event.message.description.contains('.ssh') || ctx.macos.unified_log.event.message.description.contains('boot') || ctx.macos.unified_log.event.message.description.contains('posix_spawn') || ctx.macos.unified_log.event.message.description.contains(' started ') || ctx.macos.unified_log.event.message.description.contains('listening')) + - remove: + field: + - macos.unified_log.event.message.description + - macos.unified_log.event.message.group_id + - macos.unified_log.event.message.user.long_name + - macos.unified_log.event.message.user.name + - macos.unified_log.event.message.user.guid + - macos.unified_log.event.message.user.id + - macos.unified_log.message_type + - macos.unified_log.process.id + - macos.unified_log.thread_id + - macos.unified_log.timestamp + - macos.unified_log.user_id + - macos.unified_log.event.message.signature_alg + - macos.unified_log.event.message.request_bytes + - macos.unified_log.event.message.response_bytes + - macos.unified_log.event.message.response_status + - macos.unified_log.event.message.dest_port + - macos.unified_log.event.message.src_port + - macos.unified_log.event.message.hostname + - macos.unified_log.event.message.pid + - macos.unified_log.event.message.url + - 
macos.unified_log.event.message.client_ip + - macos.unified_log.event.message.client_port + - macos.unified_log.event.message.server_port + - macos.unified_log.event.message.bytes_in + - macos.unified_log.event.message.bytes_out + - macos.unified_log.event.message.packets_in + - macos.unified_log.event.message.packets_out + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: + - json + - macos.unified_log.event.message.original + - macos.unified_log.event.message.ecn_in_out_miss + - macos.unified_log.event.message.rd_t_in_out + - macos.unified_log.event.message.tfo_in_out_miss + - macos.unified_log.event.message.wr_t_in_out + - macos.unified_log.event.message.accurate_ecn + tag: remove_non_required_fields + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/pipeline-network.yml b/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/pipeline-network.yml new file mode 100644 index 00000000000..ae50ecb90d6 --- /dev/null +++ b/packages/macos/data_stream/unified_log/elasticsearch/ingest_pipeline/pipeline-network.yml 
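Review bot: Every document gets all seven ECS values (`authentication`, `configuration`, `file`, `host`, `iam`, `network`, `process`) appended to `event.category` unconditionally near the top of the pipeline, while the actual per-event classification is written only to the custom `macos.unified_log.event.category`; detection rules and dashboards keyed on `event.category` will therefore match every macOS log line rather than the relevant subset. Deriving `event.category` from the custom category once it has been set (for example `authentication` only when the custom value is `Authentication`, `iam` for `User and Account Management`, `file` for `File`, `process` for `Process Execution Monitoring`, `network` for `Network Activity`) would keep the ECS field meaningful, and because each category `set` overwrites the same field, an event matching several conditions currently keeps only the last one (`Advanced Monitoring`). The category `set` processors guard only `ctx.macos?.unified_log?.subsystem != null` but then call `ctx.macos.unified_log.event.message.description.contains(...)`, so an entry without `eventMessage` raises a null-pointer error and the document is tagged `pipeline_error`; adding `ctx.macos?.unified_log?.event?.message?.description != null &&` to each of those `if` conditions avoids that. Three of those processors also reuse the tag `set_category_type_process_into_custom_field` and the `System Changes` condition repeats `contains('removed package')`, which makes failures hard to attribute from `error.message`.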
@@ -0,0 +1,342 @@ +--- +description: Pipeline for processing grok patterns in network events. +processors: + - grok: + description: Grok the eventMessage. + tag: grok-event-message + field: macos.unified_log.event.message.description + ignore_missing: true + pattern_definitions: + GREEDYMULTILINE: '(.|\n)*' + patterns: + - '^\[%{WORD}\] %{DATA}\:(?:%{SPACE}mach=%{WORD:macos.unified_log.event.message.mach:boolean})?(?:%{SPACE}listener=%{WORD:macos.unified_log.event.message.listener:boolean})?(?:%{SPACE}peer=%{WORD:macos.unified_log.event.message.peer:boolean})?(?:%{SPACE}name=%{GREEDYDATA:macos.unified_log.event.message.name})?' + - '^%{WORD} \[%{DATA}\](?:%{SPACE}flags=\[%{DATA:macos.unified_log.event.message.flags}\])?(?:%{SPACE}seq=%{DATA:macos.unified_log.event.message.seq},)?(?:%{SPACE}ack=%{DATA:macos.unified_log.event.message.ack},)?(?:%{SPACE}win=%{DATA:macos.unified_log.event.message.win})?(?:%{SPACE}state=%{DATA:macos.unified_log.event.message.state})?(?:%{SPACE}rcv_nxt=%{DATA:macos.unified_log.event.message.rcv_nxt},)?(?:snd_una=%{DATA:macos.unified_log.event.message.snd_una})' + - '^%{WORD} \[%{DATA}\](?:%{SPACE}flags=\[%{DATA:macos.unified_log.event.message.flags}\])?(?:%{SPACE}seq=%{DATA:macos.unified_log.event.message.seq},)?(?:%{SPACE}ack=%{DATA:macos.unified_log.event.message.ack},)?(?:%{SPACE}win=%{DATA:macos.unified_log.event.message.win})?(?:%{SPACE}state=%{DATA:macos.unified_log.event.message.state})?(?:%{SPACE}rcv_nxt=%{DATA:macos.unified_log.event.message.rcv_nxt},)?(?:snd_una=%{DATA:macos.unified_log.event.message.snd_una})' + - '^nw_protocol_boringssl_signal_connected\(%{NUMBER}\) \[%{DATA:macos.unified_log.event.message.connection_identifier}\]\[%{DATA}\] TLS connected 
\[(?:version\(%{DATA:macos.unified_log.event.message.tls_version}\))?(?:%{SPACE}ciphersuite\(%{DATA:macos.unified_log.event.message.cipher_suite}\))?(?:%{SPACE}group\(%{DATA:macos.unified_log.event.message.group}\))?(?:%{SPACE}signature_alg\(%{DATA:macos.unified_log.event.message.signature_alg}\))?(?:%{SPACE}alpn\(%{DATA:macos.unified_log.event.message.alpn}\))?(?:%{SPACE}resumed\(%{DATA:macos.unified_log.event.message.resumed}\))?(?:%{SPACE}offered_ticket\(%{DATA:macos.unified_log.event.message.offered_ticket}\))?(?:%{SPACE}false_started\(%{DATA:macos.unified_log.event.message.false_started}\))?(?:%{SPACE}ocsp_received\(%{DATA:macos.unified_log.event.message.ocsp_received}\))?(?:%{SPACE}sct_received\(%{DATA:macos.unified_log.event.message.sct_received}\))?(?:%{SPACE}connect_time\(%{DATA:macos.unified_log.event.message.connection_time}\))?(?:%{SPACE}flight_time\(%{DATA:macos.unified_log.event.message.flight_time}\))?(?:%{SPACE}rtt\(%{DATA:macos.unified_log.event.message.rtt}\))?(?:%{SPACE}write_stalls\(%{DATA:macos.unified_log.event.message.write_stalls:int}\))?(?:%{SPACE}read_stalls\(%{DATA:macos.unified_log.event.message.read_stalls:int}\))?(?:%{SPACE}pake\(%{DATA:macos.unified_log.event.message.pake}\))?\]' + - '^Task \<%{DATA:macos.unified_log.event.message.task_uid}\>.\<%{NUMBER}\>%{SPACE}summary for %{DATA} 
\{(?:transaction_duration_ms=%{NUMBER:macos.unified_log.event.message.transaction_duration_ms:int},)?(?:%{SPACE}response_status=%{NUMBER:macos.unified_log.event.message.response_status:int},)?(?:%{SPACE}connection=%{NUMBER:macos.unified_log.event.message.connection:int},)?(?:%{SPACE}protocol=%{DATA:macos.unified_log.event.message.protocol},)?(?:%{SPACE}domain_lookup_duration_ms=%{NUMBER:macos.unified_log.event.message.domain_lookup_duration_ms:int},)?(?:%{SPACE}connect_duration_ms=%{NUMBER:macos.unified_log.event.message.connection_duration_ms:int},)?(?:%{SPACE}secure_connection_duration_ms=%{NUMBER:macos.unified_log.event.message.secure_connection_duration_ms:int},)?(?:%{SPACE}private_relay=%{WORD:macos.unified_log.event.message.private_relay:boolean},)?(?:%{SPACE}request_start_ms=%{NUMBER:macos.unified_log.event.message.request_start_ms:int},)?(?:%{SPACE}request_duration_ms=%{NUMBER:macos.unified_log.event.message.request_duration_ms:int},)?(?:%{SPACE}response_start_ms=%{NUMBER:macos.unified_log.event.message.response_start_ms:int},)?(?:%{SPACE}response_duration_ms=%{NUMBER:macos.unified_log.event.message.response_duration_ms:int},)?(?:%{SPACE}request_bytes=%{NUMBER:macos.unified_log.event.message.request_bytes:long},)?(?:%{SPACE}response_bytes=%{NUMBER:macos.unified_log.event.message.response_bytes:long},)?(?:%{SPACE}cache_hit=%{WORD:macos.unified_log.event.message.cache_hit:boolean})?\}' + - '^%{DATA} \[%{DATA:macos.unified_log.event.message.connection_identifier}\]%{SPACE}\[%{UUID:macos.unified_log.event.message.connection_uuid} :%{NUMBER:macos.unified_log.event.message.src_port:int}<->:%{NUMBER:macos.unified_log.event.message.dest_port:int}\]%{SPACE}Init: %{NUMBER:macos.unified_log.event.message.init_flag:int}, Conn_Time: %{DATA:macos.unified_log.event.message.connection_time}, SYNs: %{NUMBER:macos.unified_log.event.message.syns:int}, WR_T: %{DATA:macos.unified_log.event.message.wr_t_in_out}, RD_T: %{DATA:macos.unified_log.event.message.rd_t_in_out}, TFO: 
%{DATA:macos.unified_log.event.message.tfo_in_out_miss}, ECN: %{DATA:macos.unified_log.event.message.ecn_in_out_miss}, Accurate ECN %{GREEDYDATA}: %{GREEDYDATA:macos.unified_log.event.message.accurate_ecn}, TS: %{NUMBER:macos.unified_log.event.message.timestamp_enabled:int}, TSO: %{NUMBER:macos.unified_log.event.message.tso_enabled:int}%{SPACE}rtt_cache: %{DATA:macos.unified_log.event.message.rtt_cache}, rtt_upd: %{NUMBER:macos.unified_log.event.message.rtt_updates:int}, rtt: %{DATA:macos.unified_log.event.message.rtt}, rtt_var: %{DATA:macos.unified_log.event.message.rtt_var_ms} rtt_nc: %{DATA:macos.unified_log.event.message.rtt_nc_ms}, rtt_var_nc: %{DATA:macos.unified_log.event.message.rtt_var_nc_ms} base rtt: %{GREEDYDATA:macos.unified_log.event.message.base_rtt_ms}%{SPACE}ACKs-compressed: %{NUMBER:macos.unified_log.event.message.acks_compressed:int}, ACKs delayed: %{NUMBER:macos.unified_log.event.message.acks_delayed:int} delayed ACKs sent: %{NUMBER:macos.unified_log.event.message.delayed_acks_sent:int}' + - '^\[C%{NUMBER:macos.unified_log.event.message.connection_id} %{UUID:macos.unified_log.event.message.session_uuid} (Hostname\#)?%{DATA:macos.unified_log.event.message.hostname}:%{NUMBER:macos.unified_log.event.message.hostname_port:int} %{DATA}(, bundle id: %{DATA:macos.unified_log.event.message.bundle_id})?(, pid: %{DATA:macos.unified_log.event.message.pid:int})?(, account id: %{DATA:macos.unified_log.event.message.account_id})?(, url: %{DATA:macos.unified_log.event.message.url})?(, url hash: %{BASE16NUM:macos.unified_log.event.message.url_hash})?(, traffic class: %{NUMBER:macos.unified_log.event.message.traffic_class})?(, expected workload: %{NUMBER:macos.unified_log.event.message.expected_workload})?(, %{GREEDYDATA})?, attribution: %{DATA:macos.unified_log.event.message.attribution}(, %{GREEDYDATA})?\] cancelled\n\t\[C%{DATA:macos.unified_log.event.message.connection_detail} %{UUID:macos.unified_log.event.message.connection_uuid} 
%{IP:macos.unified_log.event.message.client_ip}:%{NUMBER:macos.unified_log.event.message.client_port:int}<->(IPv4#)?%{DATA:macos.unified_log.event.message.server_id}:%{NUMBER:macos.unified_log.event.message.server_port:int}\]\n\tConnected Path: %{DATA:macos.unified_log.event.message.path_status}(, %{DATA})?(, interface: %{DATA:macos.unified_log.event.message.interface})?(, %{GREEDYDATA})?\n\tPrivacy Stance: %{DATA:macos.unified_log.event.message.privacy_stance}\n\tDuration: %{DATA:macos.unified_log.event.message.duration}, DNS @%{DATA:macos.unified_log.event.message.dns_start} took %{DATA:macos.unified_log.event.message.dns_duration}, TCP @%{DATA:macos.unified_log.event.message.tcp_start} took %{DATA:macos.unified_log.event.message.tcp_duration}, TLS %{DATA:macos.unified_log.event.message.tls_version} took %{DATA:macos.unified_log.event.message.tls_duration}\n\tbytes in\/out: %{NUMBER:macos.unified_log.event.message.bytes_in:long}\/%{NUMBER:macos.unified_log.event.message.bytes_out:long}, packets in\/out: %{NUMBER:macos.unified_log.event.message.packets_in:int}\/%{NUMBER:macos.unified_log.event.message.packets_out:int}, rtt: %{DATA:macos.unified_log.event.message.rtt}, retransmitted bytes: %{NUMBER:macos.unified_log.event.message.retransmitted_bytes:long}, out-of-order bytes: %{NUMBER:macos.unified_log.event.message.out_of_order_bytes:long}\n\tecn packets sent\/acked\/marked\/lost: %{NUMBER:macos.unified_log.event.message.ecn_sent:int}\/%{NUMBER:macos.unified_log.event.message.ecn_acked:int}\/%{NUMBER:macos.unified_log.event.message.ecn_marked:int}\/%{NUMBER:macos.unified_log.event.message.ecn_lost:int}$' + - '%{GREEDYDATA:macos.unified_log.event.message.original}' + - convert: + field: macos.unified_log.event.message.client_ip + tag: convert_client_ip_to_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: host.id + tag: set_host_id + copy_from: macos.unified_log.event.message.hostname + ignore_empty_value: true + - set: + field: process.pid + tag: set_process_pid + copy_from: macos.unified_log.event.message.pid + ignore_empty_value: true + - set: + field: url.original + tag: set_url_original + copy_from: macos.unified_log.event.message.url + ignore_empty_value: true + - set: + field: source.ip + tag: set_source_ip + copy_from: macos.unified_log.event.message.client_ip + ignore_empty_value: true + - set: + field: source.port + tag: set_source_port + copy_from: macos.unified_log.event.message.client_port + ignore_empty_value: true + - set: + field: destination.port + tag: set_destination_port + copy_from: macos.unified_log.event.message.server_port + ignore_empty_value: true + - set: + field: source.bytes + tag: set_source_bytes + copy_from: macos.unified_log.event.message.bytes_in + ignore_empty_value: true + - set: + field: destination.bytes + tag: set_destination_bytes + copy_from: macos.unified_log.event.message.bytes_out + ignore_empty_value: true + - set: + field: source.packets + tag: set_source_packets + copy_from: macos.unified_log.event.message.packets_in + ignore_empty_value: true + - set: + field: destination.packets + tag: set_destination_packets + copy_from: macos.unified_log.event.message.packets_out + ignore_empty_value: true + - script: + lang: painless + tag: calculate_total_bytes + description: calculate total bytes of in and out if in and out are not null + if: ctx.source?.bytes != null && ctx.destination?.bytes != null + source: | + ctx.network = new HashMap(); + ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes + - script: + lang: painless + tag: calculate_total_packets + description: calculate total packets of in and out if in and out are not null + if: ctx.source?.packets != null && ctx.destination?.packets != null + source: | + 
if (ctx.network == null) { + ctx.network = new HashMap(); + } + ctx.network.packets = ctx.source.packets + ctx.destination.packets + - uri_parts: + field: url.original + tag: uri_parts_url_original + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.hosts + tag: append_host_id_into_related_hosts + value: '{{{host.id}}}' + allow_duplicates: false + if: ctx.host?.id != null + - append: + field: related.ip + tag: append_source_ip_into_related_ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + - set: + field: process.code_signature.digest_algorithm + tag: set_process_code_signature_digest_algorithm + copy_from: macos.unified_log.event.message.signature_alg + ignore_empty_value: true + - set: + field: macos.unified_log.event.message.resumed + tag: set_event_message_resumed_true + value: true + if: ctx.macos?.unified_log?.event?.message?.resumed == "1" + - set: + field: macos.unified_log.event.message.resumed + tag: set_event_message_resumed_false + value: false + if: ctx.macos?.unified_log?.event?.message?.resumed == "0" + - set: + field: macos.unified_log.event.message.offered_ticket + tag: set_event_message_offered_ticket_true + value: true + if: ctx.macos?.unified_log?.event?.message?.offered_ticket == "1" + - set: + field: macos.unified_log.event.message.offered_ticket + tag: set_event_message_offered_ticket_false + value: false + if: ctx.macos?.unified_log?.event?.message?.offered_ticket == "0" + - set: + field: macos.unified_log.event.message.false_started + tag: set_event_message_false_started_true + value: true + if: ctx.macos?.unified_log?.event?.message?.false_started == "1" + - set: + field: macos.unified_log.event.message.false_started + tag: 
set_event_message_false_started_false + value: false + if: ctx.macos?.unified_log?.event?.message?.false_started == "0" + - set: + field: macos.unified_log.event.message.ocsp_received + tag: set_event_message_oscp_received_true + value: true + if: ctx.macos?.unified_log?.event?.message?.ocsp_received == "1" + - set: + field: macos.unified_log.event.message.ocsp_received + tag: set_event_message_oscp_received_false + value: false + if: ctx.macos?.unified_log?.event?.message?.ocsp_received == "0" + - set: + field: macos.unified_log.event.message.sct_received + tag: set_event_message_sct_received_true + value: true + if: ctx.macos?.unified_log?.event?.message?.sct_received == "1" + - set: + field: macos.unified_log.event.message.sct_received + tag: set_event_message_sct_received_false + value: false + if: ctx.macos?.unified_log?.event?.message?.sct_received == "0" + - set: + field: http.request.bytes + tag: set_http_request_bytes + copy_from: macos.unified_log.event.message.request_bytes + ignore_empty_value: true + - set: + field: http.response.bytes + tag: set_http_response_bytes + copy_from: macos.unified_log.event.message.response_bytes + ignore_empty_value: true + - set: + field: http.response.status_code + tag: set_http_response_status_code + copy_from: macos.unified_log.event.message.response_status + ignore_empty_value: true + - set: + field: destination.port + tag: set_destination_port + copy_from: macos.unified_log.event.message.dest_port + ignore_empty_value: true + - set: + field: source.port + tag: set_source_port + copy_from: macos.unified_log.event.message.src_port + ignore_empty_value: true + - dissect: + field: macos.unified_log.event.message.ecn_in_out_miss + tag: dissect_ecn_in_out_miss + pattern: "%{macos.unified_log.event.message.ecn_in}/%{macos.unified_log.event.message.ecn_out}/%{macos.unified_log.event.message.ecn_miss}" + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.ecn_in + tag: convert_macos_unified_log_event_message_ecn_in_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.ecn_out + tag: convert_macos_unified_log_event_message_ecn_out_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.ecn_miss + tag: convert_macos_unified_log_event_message_ecn_miss_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - dissect: + field: macos.unified_log.event.message.rd_t_in_out + tag: dissect_rd_t_in_out + pattern: "%{macos.unified_log.event.message.rd_t_in}/%{macos.unified_log.event.message.rd_t_out}" + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.rd_t_in + tag: 
convert_macos_unified_log_event_message_rd_t_in_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.rd_t_out + tag: convert_macos_unified_log_event_message_rd_t_out_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - dissect: + field: macos.unified_log.event.message.tfo_in_out_miss + tag: dissect_tfo_in_out_miss + pattern: "%{macos.unified_log.event.message.tfo_in}/%{macos.unified_log.event.message.tfo_out}/%{macos.unified_log.event.message.tfo_miss}" + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.tfo_in + tag: convert_macos_unified_log_event_message_tfo_in_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.tfo_out + tag: convert_macos_unified_log_event_message_tfo_out_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag 
{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.tfo_miss + tag: convert_macos_unified_log_event_message_tfo_miss_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - dissect: + field: macos.unified_log.event.message.wr_t_in_out + tag: dissect_wr_t_in_out + pattern: "%{macos.unified_log.event.message.wr_t_in}/%{macos.unified_log.event.message.wr_t_out}" + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.wr_t_in + tag: convert_macos_unified_log_event_message_wr_t_in_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: macos.unified_log.event.message.wr_t_out + tag: convert_macos_unified_log_event_message_wr_t_out_to_long + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - dissect: + field: macos.unified_log.event.message.accurate_ecn + tag: dissect_accurate_ecn + pattern: 
"%{macos.unified_log.event.message.accurate_ecn_client}/%{macos.unified_log.event.message.accurate_ecn_server}"
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+ - set:
+ field: event.kind
+ tag: set_pipeline_error_to_event_kind
+ value: pipeline_error
diff --git a/packages/macos/data_stream/unified_log/fields/base-fields.yml b/packages/macos/data_stream/unified_log/fields/base-fields.yml
new file mode 100644
index 00000000000..1c982df54d5
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: macos
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: macos.unified_log
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/macos/data_stream/unified_log/fields/beats.yml b/packages/macos/data_stream/unified_log/fields/beats.yml
new file mode 100644
index 00000000000..d5fd38748ba
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
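Review bot: `set_host_id` copies `macos.unified_log.event.message.hostname` into `host.id`, but in the `[C<id> <uuid> Hostname#host:port …] cancelled` pattern that value is the remote endpoint of the connection, not an identifier of the logging host, so it overwrites the agent-supplied host identity and then feeds `related.hosts`; `destination.domain` is the ECS field for it (and `hostname_port` belongs in `destination.port` when `server_port` is absent). Likewise `set_process_code_signature_digest_algorithm` puts the TLS handshake `signature_alg` into `process.code_signature.digest_algorithm`, which describes the binary's code signature, while the handshake fields `tls_version`, `cipher_suite`, `alpn` and `resumed` are never mapped to `tls.version`, `tls.cipher`, `tls.next_protocol` and `tls.resumed`, where weak-cipher and version detections would look for them. `calculate_total_bytes` also does `ctx.network = new HashMap();` unconditionally, unlike `calculate_total_packets`, so any `network.*` value set before this pipeline runs is dropped; use the same guard there: `if (ctx.network == null) { ctx.network = new HashMap(); }`. Lesser points: the second and third `grok` patterns are byte-identical, `GREEDYMULTILINE` is defined but unused, and the tags `set_source_port` and `set_destination_port` are each used twice, which makes the `on_failure` messages ambiguous.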
diff --git a/packages/macos/data_stream/unified_log/fields/fields.yml b/packages/macos/data_stream/unified_log/fields/fields.yml
new file mode 100644
index 00000000000..d071be3f1c7
--- /dev/null
+++ b/packages/macos/data_stream/unified_log/fields/fields.yml
@@ -0,0 +1,310 @@ +- name: macos + type: group + fields: + - name: unified_log + type: group + fields: + - name: activity_identifier + type: keyword + - name: backtrace + type: group + fields: + - name: frames + type: group + fields: + - name: image + type: group + fields: + - name: offset + type: keyword + - name: uuid + type: keyword + - name: boot_uuid + type: keyword + - name: category + type: keyword + - name: event + type: group + fields: + - name: category + type: keyword + - name: message + type: group + fields: + - name: account_id + type: keyword + - name: accurate_ecn_client + type: keyword + - name: accurate_ecn_server + type: keyword + - name: ack + type: keyword + - name: acks_compressed + type: long + - name: acks_delayed + type: long + - name: alpn + type: keyword + - name: attribution + type: keyword + - name: base_rtt_ms + type: keyword + - name: bundle_id + type: keyword + - name: bytes_in + type: long + - name: bytes_out + type: long + - name: cache_hit + type: boolean + - name: cipher_suite + type: keyword + - name: client_ip + type: ip + - name: client_port + type: long + - name: connection + type: long + - name: connection_detail + type: keyword + - name: connection_duration_ms + type: long + - name: connection_id + type: keyword + - name: connection_identifier + type: keyword + - name: connection_time + type: keyword + - name: connection_uuid + type: keyword + - name: delayed_acks_sent + type: long + - name: description + type: keyword + - name: dest_port + type: long + - name: direct_logout_type + type: long + - name: dns_duration + type: keyword + - name: dns_start + type: keyword + - name: domain_lookup_duration_ms + type: long + - name: duration + type: keyword + - name: ecn_acked + type: long + - name: ecn_in + type: long + - name: ecn_lost + type: long + - name: ecn_marked + type: long + - name: ecn_miss + type: long + - name: ecn_out + type: long + - name: ecn_sent + type: long + - name: expected_workload + type: keyword + - name: 
false_started + type: boolean + - name: flags + type: keyword + - name: flight_time + type: keyword + - name: group + type: keyword + - name: group_id + type: keyword + - name: guest_account + type: long + - name: home_directory_path + type: keyword + - name: hostname + type: keyword + - name: hostname_port + type: long + - name: init_flag + type: long + - name: interface + type: keyword + - name: listener + type: boolean + - name: mach + type: boolean + - name: name + type: keyword + - name: ocsp_received + type: boolean + - name: offered_ticket + type: boolean + - name: out_of_order_bytes + type: long + - name: packets_in + type: long + - name: packets_out + type: long + - name: pake + type: keyword + - name: path_status + type: keyword + - name: peer + type: boolean + - name: pid + type: long + - name: privacy_stance + type: keyword + - name: private_relay + type: boolean + - name: protocol + type: keyword + - name: rd_t_in + type: long + - name: rd_t_out + type: long + - name: read_stalls + type: long + - name: request_bytes + type: long + - name: request_duration_ms + type: long + - name: request_start_ms + type: long + - name: response_bytes + type: long + - name: response_duration_ms + type: long + - name: response_start_ms + type: long + - name: response_status + type: long + - name: resumed + type: boolean + - name: retransmitted_bytes + type: long + - name: rtt + type: keyword + - name: rtt_cache + type: keyword + - name: rtt_nc_ms + type: keyword + - name: rtt_updates + type: long + - name: rtt_var_ms + type: keyword + - name: rtt_var_nc_ms + type: keyword + - name: sct_received + type: boolean + - name: secure_connection_duration_ms + type: long + - name: seq + type: keyword + - name: server_id + type: keyword + - name: server_port + type: long + - name: session_agent_pid + type: keyword + - name: session_uuid + type: keyword + - name: signature_alg + type: keyword + - name: src_port + type: long + - name: state + type: keyword + - name: syns + type: 
long + - name: task_uid + type: keyword + - name: tcp_duration + type: keyword + - name: tcp_start + type: keyword + - name: tfo_in + type: long + - name: tfo_miss + type: long + - name: tfo_out + type: long + - name: timestamp_enabled + type: long + - name: tls_duration + type: keyword + - name: tls_version + type: keyword + - name: traffic_class + type: keyword + - name: transaction_duration_ms + type: long + - name: tso_enabled + type: long + - name: url + type: keyword + - name: url_hash + type: keyword + - name: user + type: group + fields: + - name: guid + type: keyword + - name: id + type: keyword + - name: long_name + type: keyword + - name: name + type: keyword + - name: win + type: keyword + - name: wr_t_in + type: long + - name: wr_t_out + type: long + - name: write_stalls + type: long + - name: type + type: keyword + - name: format_string + type: keyword + - name: mach_timestamp + type: double + - name: message_type + type: keyword + - name: parent_activity_identifier + type: keyword + - name: process + type: group + fields: + - name: id + type: long + - name: image_path + type: keyword + - name: image_uuid + type: keyword + - name: sender + type: group + fields: + - name: image_path + type: keyword + - name: image_uuid + type: keyword + - name: program_counter + type: long + - name: source + type: keyword + - name: subsystem + type: keyword + - name: thread_id + type: long + - name: timestamp + type: date + - name: timezone_name + type: keyword + - name: trace_id + type: keyword + - name: user_id + type: keyword diff --git a/packages/macos/data_stream/unified_log/manifest.yml b/packages/macos/data_stream/unified_log/manifest.yml new file mode 100644 index 00000000000..428cdeae564 --- /dev/null +++ b/packages/macos/data_stream/unified_log/manifest.yml 
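Review bot: `rcv_nxt` and `snd_una`, which the network pipeline's second grok pattern captures into `macos.unified_log.event.message.rcv_nxt` and `macos.unified_log.event.message.snd_una`, are not declared in this `message` group, so unless they are declared in another fields file they will be unmapped or rejected by the package's field validation. Add `- name: rcv_nxt` / `type: keyword` and `- name: snd_una` / `type: keyword` alongside `ack` and `seq`. A minor inconsistency: `pid` is `long` while `session_agent_pid` is `keyword`; both hold process ids and are easier to correlate with a single type.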
@@ -0,0 +1,182 @@ +title: Collect unified logs from macOS. +type: logs +streams: + - input: unifiedlogs + title: macOS unified logs + description: Collect macOS unified logs. + template_path: unifiedlogs.yml.hbs + enabled: false + vars: + - name: predicate + type: text + title: Predicate + description: | + Filters messages using the provided predicate based on NSPredicate. + A compound predicate or multiple predicates can be provided as a list. + + For detailed information on the use of predicate based filtering, + please refer to the https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html[Predicate Programming Guide]. + multi: true + show_user: true + - name: authentication + type: bool + title: Authentication + description: | + Collect authentication logs. + show_user: true + - name: user_and_account_management + type: bool + title: User & Account management + description: | + Collect user and account management logs. + show_user: true + - name: process_execution_monitoring + type: bool + title: Process execution monitoring + description: | + Collect process execution monitoring logs. + show_user: true + - name: network_activity + type: bool + title: Network activity + description: | + Collect network activity logs. + show_user: true + - name: file_reads_writes + type: bool + title: File reads/writes + description: | + Collect file reads/writes logs. + show_user: true + - name: system_changes + type: bool + title: System changes + description: | + Collect system changes logs. + show_user: true + - name: advanced_monitoring + type: bool + title: Advanced monitoring + description: | + Collect advanced monitoring logs. + show_user: true + - name: start + type: text + title: Start date + description: | + Shows content starting from the provided date. + The following date/time formats are accepted: + `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`. 
+ show_user: false + - name: end + type: text + title: End date + description: | + Shows content up to the provided date. + The following date/time formats are accepted: + `YYYY-MM-DD`, `YYYY-MM-DD HH:MM:SS`, `YYYY-MM-DD HH:MM:SSZZZZZ`. + show_user: false + - name: process + type: text + title: Process + description: | + A list of the processes on which to operate. It accepts a PID or process name. + multi: true + show_user: false + - name: source + type: bool + title: Include source + description: | + Include symbol names and source line numbers for messages, if available. + show_user: false + - name: info + type: bool + title: Include info + description: | + Disable or enable info level messages. + show_user: false + - name: debug + type: bool + title: Include debug + description: | + Disable or enable debug level messages. + show_user: false + - name: backtrace + type: bool + title: Include backtrace + description: | + Disable or enable backtrace level messages. + show_user: false + - name: signpost + type: bool + title: Include signpost + description: | + Disable or enable signpost level messages. + show_user: false + - name: unreliable + type: bool + title: Annotate unreliable + description: | + Annotate events with whether the log was emitted unreliably. + show_user: false + - name: mach_continuous_time + type: bool + title: Use mach continuous time + description: | + Use mach continuous time timestamps rather than walltime. + show_user: false + - name: backfill + type: bool + title: Must backfill + description: | + If set to true the input will process all available logs since the beginning + of time the first time it starts. + show_user: false + - name: archive_file + type: text + title: Archive file + description: | + Display events stored in the given archive. + The archive must be a valid log archive bundle with the suffix `.logarchive`. 
+ show_user: false + - name: trace_file + type: text + title: Trace file + description: | + Display events stored in the given `.tracev3` file. + In order to be decoded, the file must be contained within a valid `.logarchive`. + show_user: false + - name: preserve_original_event + type: bool + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field event.original. + multi: false + required: false + show_user: true + default: false + - name: tags + type: text + title: Tags + description: Tags for the data-stream. + multi: true + required: true + show_user: false + default: + - forwarded + - macos-unified_log + - name: preserve_duplicate_custom_fields + required: false + title: Preserve duplicate custom fields + description: Preserve macos.unified_log fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + show_user: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. diff --git a/packages/macos/docs/README.md b/packages/macos/docs/README.md new file mode 100644 index 00000000000..b4e340e4bf4 --- /dev/null +++ b/packages/macos/docs/README.md 
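Review bot: The `tags` default includes `forwarded`, but `unifiedlogs` reads the log of the host the agent runs on, and in Elastic Agent the `forwarded` tag is the conventional signal that an event did not originate on that host, which suppresses host metadata enrichment; unless that suppression is intended, the default should be just `macos-unified_log`, as the local `system` logs use. The level toggles read `Disable or enable info level messages.` for a single bool, which does not say which value does what; `Include info-level messages.` (and the same for debug, backtrace and signpost) is unambiguous. The `predicate` description embeds an AsciiDoc link (`https://…[Predicate Programming Guide]`), which may render verbatim in the Fleet policy editor.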
@@ -0,0 +1,295 @@
+# macOS Integration for Elastic
+
+## Overview
+
+The macOS integration for Elastic allows you to collect and analyze unified logs from macOS systems. This integration leverages macOS's unified logging system to provide comprehensive visibility into system activities, security events, and application behaviors on macOS endpoints.
+
+macOS unified logging is Apple's centralized logging system that captures log messages from the kernel, system processes, and applications. This integration enables security teams to monitor macOS endpoints for suspicious activities, troubleshoot system issues, and maintain compliance with security policies.
+
+### Compatibility
+
+The macOS integration is compatible with macOS systems that support unified logging (macOS 10.12 Sierra and later).
+
+### How it works
+
+This integration uses the `unifiedlogs` input to collect log data from the macOS unified logging system. It can collect logs in real-time or from archived log files, with configurable filtering based on predicates, processes, and log levels.
+
+## What data does this integration collect?
+
+This integration collects unified log messages from macOS systems using configurable predicates to filter specific event types, including:
+
+- **Authentication logs**: User login/logout events, authentication failures, and credential-related activities
+ ```
+ - 'process contains "sudo" OR composedMessage CONTAINS "sudo" OR process contains "su"'
+ - 'process contains "loginwindow" and composedMessage CONTAINS "sessionDidLogin"'
+ - 'process == "sshd"'
+ ```
+- **User & Account management**: User account creation, modification, and deletion events
+ ```
+ - 'process == "sysadminctl" AND composedMessage CONTAINS "Creating user"'
+ - 'process == "dscl" AND composedMessage CONTAINS "create"'
+ - 'process == "sysadminctl" AND composedMessage CONTAINS "Deleting user"'
+ - 'process == "dscl" AND composedMessage CONTAINS "delete"'
+ - '(process == "dscl" OR process == "opendirectoryd") AND composedMessage CONTAINS "admin"'
+ ```
+- **Process execution monitoring**: Process creation, termination, and execution details
+ ```
+ - 'eventMessage CONTAINS[c] "exec" OR eventMessage CONTAINS[c] "fork" OR eventMessage CONTAINS[c] "exited" OR eventMessage CONTAINS[c] "terminated"'
+ - 'subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid")'
+ - 'composedMessage CONTAINS "com.apple.quarantine"'
+ ```
+- **Network activity**: Network connections, DNS queries, and network-related events
+ ```
+ - 'composedMessage CONTAINS "connect" AND (composedMessage CONTAINS "TCP" OR composedMessage CONTAINS "UDP")'
+ - 'composedMessage CONTAINS "disconnect" OR composedMessage CONTAINS "closed connection"'
+ - 'subsystem == "com.apple.necp" AND composedMessage CONTAINS "new connection"'
+ - 'eventMessage CONTAINS[c] "listening" AND eventMessage CONTAINS[c] "service"'
+ ```
+- **File reads/writes**: File system access, modifications, and permission changes
+ ```
+ - '(eventMessage CONTAINS "open" OR eventMessage CONTAINS "write" OR eventMessage CONTAINS "unlink" OR eventMessage CONTAINS "rename") AND ((processImagePath BEGINSWITH "/System") OR (processImagePath BEGINSWITH "/bin") OR (processImagePath BEGINSWITH "/sbin") OR (processImagePath BEGINSWITH "/usr" AND NOT processImagePath BEGINSWITH "/usr/local") OR (processImagePath BEGINSWITH "/etc"))'
+ - 'subsystem == "com.apple.quarantine" OR eventMessage CONTAINS "com.apple.quarantine"'
+ ```
+- **System changes**: System configuration changes, software installations, and updates
+ ```
+ - 'subsystem == "com.apple.security" OR subsystem == "com.apple.systempolicy" OR subsystem == "com.apple.installer" OR process == "Installer" OR process == "softwareupdated" OR eventMessage CONTAINS[c] "removed package" OR eventMessage CONTAINS[c] "forget package"'
+ ```
+- **Advanced monitoring**: Detailed system and application behavior logs
+ ```
+ - '(composedMessage CONTAINS ".plist" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (composedMessage CONTAINS ".ssh" AND (composedMessage CONTAINS "write" OR composedMessage CONTAINS "modified")) OR (process == "kernel" AND composedMessage CONTAINS "boot") OR (process == "launchd" AND (composedMessage CONTAINS "started" OR composedMessage CONTAINS "listening")) OR (process == "loginwindow" AND composedMessage CONTAINS "sessionDidLogin") OR (composedMessage CONTAINS "posix_spawn" OR composedMessage CONTAINS "exec") OR (subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid"))'
+ ```
+
+### Supported use cases
+The macOS integration in Elastic enables comprehensive monitoring and analysis of system activities, network traffic, and application behavior across macOS devices. It supports use cases such as detecting security incidents, tracking network usage, auditing system events, and analyzing performance trends. By collecting and visualizing unified logs, it helps security and IT teams gain real-time visibility, identify anomalies, ensure compliance, and enhance overall endpoint security within macOS environments.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+- Elastic Agent must be installed on the macOS system you want to monitor
+- Appropriate permissions to read system logs on the macOS system
+
+### From macOS
+
+The integration requires:
+
+- macOS 10.12 Sierra or later (for unified logging support)
+- Appropriate system permissions to access unified logs
+- For some log categories, administrative privileges may be required
+
+## How do I deploy this integration?
+
+This integration requires Elastic Agent to be installed on the macOS systems you want to monitor.
+
+### Agent-based installation
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+## Setup
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **macOS**.
+3. Select the **macOS** integration from the search results.
+4. Select **Add macOS** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ **Basic Configuration:**
+ - Enable the log categories you want to collect:
+ - Authentication
+ - User & Account management
+ - Process execution monitoring
+ - Network activity
+ - File reads/writes
+ - System changes
+ - Advanced monitoring
+
+ **Advanced Configuration (Optional):**
+ - **Predicate**: Use NSPredicate-based filtering to collect specific log messages
+ - **Process**: Specify particular processes to monitor (by PID or name)
+ - **Start/End dates**: Define time ranges for historical log collection
+ - **Log levels**: Configure which log levels to include (info, debug, backtrace, signpost)
+ - **Archive/Trace files**: Specify log archive or trace files to process
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboards populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **macOS**.
+3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.
+
+## Performance and scaling
+
+- Unified log collection can generate significant data volume, especially with debug-level logging enabled
+- Consider using predicates to filter logs and reduce data volume
+- Monitor system performance impact when collecting high-volume log categories
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### ECS field reference
+
+#### Unified logs
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| macos.unified_log.activity_identifier | | keyword |
+| macos.unified_log.backtrace.frames.image.offset | | keyword |
+| macos.unified_log.backtrace.frames.image.uuid | | keyword |
+| macos.unified_log.boot_uuid | | keyword |
+| macos.unified_log.category | | keyword |
+| macos.unified_log.event.category | | keyword |
+| macos.unified_log.event.message.account_id | | keyword |
+| macos.unified_log.event.message.accurate_ecn_client | | keyword |
+| macos.unified_log.event.message.accurate_ecn_server | | keyword |
+| macos.unified_log.event.message.ack | | keyword |
+| macos.unified_log.event.message.acks_compressed | | long |
+| macos.unified_log.event.message.acks_delayed | | long |
+| macos.unified_log.event.message.alpn | | keyword |
+| macos.unified_log.event.message.attribution | | keyword |
+| macos.unified_log.event.message.base_rtt_ms | | keyword |
+| macos.unified_log.event.message.bundle_id | | keyword |
+| macos.unified_log.event.message.bytes_in | | long |
+| macos.unified_log.event.message.bytes_out | | long |
+| macos.unified_log.event.message.cache_hit | | boolean |
+| macos.unified_log.event.message.cipher_suite | | keyword |
+| macos.unified_log.event.message.client_ip | | ip |
+| macos.unified_log.event.message.client_port | | long |
+| macos.unified_log.event.message.connection | | long |
+| macos.unified_log.event.message.connection_detail | | keyword |
+| macos.unified_log.event.message.connection_duration_ms | | long |
+| macos.unified_log.event.message.connection_id | | keyword |
+| macos.unified_log.event.message.connection_identifier | | keyword |
+| macos.unified_log.event.message.connection_time | | keyword |
+| macos.unified_log.event.message.connection_uuid | | keyword |
+| macos.unified_log.event.message.delayed_acks_sent | | long |
+| macos.unified_log.event.message.description | | keyword |
+| macos.unified_log.event.message.dest_port | | long |
+| macos.unified_log.event.message.direct_logout_type | | long |
+| macos.unified_log.event.message.dns_duration | | keyword |
+| macos.unified_log.event.message.dns_start | | keyword |
+| macos.unified_log.event.message.domain_lookup_duration_ms | | long |
+| macos.unified_log.event.message.duration | | keyword |
+| macos.unified_log.event.message.ecn_acked | | long |
+| macos.unified_log.event.message.ecn_in | | long |
+| macos.unified_log.event.message.ecn_lost | | long |
+| macos.unified_log.event.message.ecn_marked | | long |
+| macos.unified_log.event.message.ecn_miss | | long |
+| macos.unified_log.event.message.ecn_out | | long |
+| macos.unified_log.event.message.ecn_sent | | long |
+| macos.unified_log.event.message.expected_workload | | keyword |
+| macos.unified_log.event.message.false_started | | boolean |
+| macos.unified_log.event.message.flags | | keyword |
+| macos.unified_log.event.message.flight_time | | keyword |
+| macos.unified_log.event.message.group | | keyword |
+| macos.unified_log.event.message.group_id | | keyword |
+| macos.unified_log.event.message.guest_account | | long |
+| macos.unified_log.event.message.home_directory_path | | keyword |
+| macos.unified_log.event.message.hostname | | keyword |
+| macos.unified_log.event.message.hostname_port | | long |
+| macos.unified_log.event.message.init_flag | | long |
+| macos.unified_log.event.message.interface | | keyword |
+| macos.unified_log.event.message.listener | | boolean |
+| macos.unified_log.event.message.mach | | boolean |
+| macos.unified_log.event.message.name | | keyword |
+| macos.unified_log.event.message.ocsp_received | | boolean |
+| macos.unified_log.event.message.offered_ticket | | boolean |
+| macos.unified_log.event.message.out_of_order_bytes | | long |
+| macos.unified_log.event.message.packets_in | | long |
+| macos.unified_log.event.message.packets_out | | long |
+| macos.unified_log.event.message.pake | | keyword |
+| macos.unified_log.event.message.path_status | | keyword |
+| macos.unified_log.event.message.peer | | boolean |
+| macos.unified_log.event.message.pid | | long |
+| macos.unified_log.event.message.privacy_stance | | keyword |
+| macos.unified_log.event.message.private_relay | | boolean |
+| macos.unified_log.event.message.protocol | | keyword |
+| macos.unified_log.event.message.rd_t_in | | long |
+| macos.unified_log.event.message.rd_t_out | | long |
+| macos.unified_log.event.message.read_stalls | | long |
+| macos.unified_log.event.message.request_bytes | | long |
+| macos.unified_log.event.message.request_duration_ms | | long |
+| macos.unified_log.event.message.request_start_ms | | long |
+| macos.unified_log.event.message.response_bytes | | long |
+| macos.unified_log.event.message.response_duration_ms | | long |
+| macos.unified_log.event.message.response_start_ms | | long |
+| macos.unified_log.event.message.response_status | | long |
+| macos.unified_log.event.message.resumed | | boolean |
+| macos.unified_log.event.message.retransmitted_bytes | | long |
+| macos.unified_log.event.message.rtt | | keyword |
+| macos.unified_log.event.message.rtt_cache | | keyword |
+| macos.unified_log.event.message.rtt_nc_ms | | keyword |
+| macos.unified_log.event.message.rtt_updates | | long |
+| macos.unified_log.event.message.rtt_var_ms | | keyword |
+| macos.unified_log.event.message.rtt_var_nc_ms | | keyword |
+| macos.unified_log.event.message.sct_received | | boolean |
+| macos.unified_log.event.message.secure_connection_duration_ms | | long |
+| macos.unified_log.event.message.seq | | keyword |
+| macos.unified_log.event.message.server_id | | keyword |
+| macos.unified_log.event.message.server_port | | long |
+| macos.unified_log.event.message.session_agent_pid | | keyword |
+| macos.unified_log.event.message.session_uuid | | keyword |
+| macos.unified_log.event.message.signature_alg | | keyword |
+| macos.unified_log.event.message.src_port | | long |
+| macos.unified_log.event.message.state | | keyword |
+| macos.unified_log.event.message.syns | | long |
+| macos.unified_log.event.message.task_uid | | keyword |
+| macos.unified_log.event.message.tcp_duration | | keyword |
+| macos.unified_log.event.message.tcp_start | | keyword |
+| macos.unified_log.event.message.tfo_in | | long |
+| macos.unified_log.event.message.tfo_miss | | long |
+| macos.unified_log.event.message.tfo_out | | long |
+| macos.unified_log.event.message.timestamp_enabled | | long |
+| macos.unified_log.event.message.tls_duration | | keyword |
+| macos.unified_log.event.message.tls_version | | keyword |
+| macos.unified_log.event.message.traffic_class | | keyword |
+| macos.unified_log.event.message.transaction_duration_ms | | long |
+| macos.unified_log.event.message.tso_enabled | | long |
+| macos.unified_log.event.message.url | | keyword |
+| macos.unified_log.event.message.url_hash | | keyword |
+| macos.unified_log.event.message.user.guid | | keyword |
+| macos.unified_log.event.message.user.id | | keyword |
+| macos.unified_log.event.message.user.long_name | | keyword |
+| macos.unified_log.event.message.user.name | | keyword |
+| macos.unified_log.event.message.win | | keyword |
+| macos.unified_log.event.message.wr_t_in | | long |
+| macos.unified_log.event.message.wr_t_out | | long |
+| macos.unified_log.event.message.write_stalls | | long |
+| macos.unified_log.event.type | | keyword |
+| macos.unified_log.format_string | | keyword |
+| macos.unified_log.mach_timestamp | | double |
+| macos.unified_log.message_type | | keyword |
+| macos.unified_log.parent_activity_identifier | | keyword |
+| macos.unified_log.process.id | | long |
+| macos.unified_log.process.image_path | | keyword |
+| macos.unified_log.process.image_uuid | | keyword |
+| macos.unified_log.sender.image_path | | keyword |
+| macos.unified_log.sender.image_uuid | | keyword |
+| macos.unified_log.sender.program_counter | | long |
+| macos.unified_log.source | | keyword |
+| macos.unified_log.subsystem | | keyword |
+| macos.unified_log.thread_id | | long |
+| macos.unified_log.timestamp | | date |
+| macos.unified_log.timezone_name | | keyword |
+| macos.unified_log.trace_id | | keyword |
+| macos.unified_log.user_id | | keyword |
+
+
+### Inputs used
+
+These inputs can be used in this integration:
+
+- [Unified Logs](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-unifiedlogs)
diff --git a/packages/macos/img/macos-logo.svg b/packages/macos/img/macos-logo.svg
new file mode 100644
index 00000000000..baeedeed9bc
--- /dev/null
+++ b/packages/macos/img/macos-logo.svg
@@ -0,0 +1,17 @@
+ + + + + \ No newline at end of file
diff --git a/packages/macos/img/macos-unified-logs-network-dashboard.png b/packages/macos/img/macos-unified-logs-network-dashboard.png
new file mode 100644
index 00000000000..473239e2bb3
Binary files /dev/null and b/packages/macos/img/macos-unified-logs-network-dashboard.png differ
diff --git a/packages/macos/img/macos-unified-logs-overview-dashboard.png b/packages/macos/img/macos-unified-logs-overview-dashboard.png
new file mode 100644
index 00000000000..885c6eae8d9
Binary files /dev/null and b/packages/macos/img/macos-unified-logs-overview-dashboard.png differ
diff --git a/packages/macos/kibana/dashboard/macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35.json b/packages/macos/kibana/dashboard/macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35.json
new file mode 100644
index 00000000000..b39e082809e
--- /dev/null
+++ b/packages/macos/kibana/dashboard/macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35.json
@@ -0,0 +1,819 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "0a00eb90-0f89-4a6f-8e36-982ad4b331d4": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "macos.unified_log.event.category", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Category" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "1e6cd679-9424-4f7a-a331-580f0bd5cae1": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "log.level", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Message Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "73034753-5b2e-4874-94b8-024d0d92295c": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "macos.unified_log.event.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard provides an overview of macOS unified logs.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"macos.unified_log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "macos.unified_log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_4af59c8f-d1a1-49b9-b4e4-927304a4d114_dashboard", + "id": "4af59c8f-d1a1-49b9-b4e4-927304a4d114", + "label": "Overview", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_c2813a92-3079-46ca-b3e6-79796cc36725_dashboard", + "id": "c2813a92-3079-46ca-b3e6-79796cc36725", + "label": "Network", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {}, + "title": "Navigation" + }, + "gridData": { + "h": 5, + "i": "77764699-34eb-4325-8a41-63ef03163050", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": "77764699-34eb-4325-8a41-63ef03163050", + "type": "links" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### MacOS\n \n#### Description\n\nThis dashboard provides visibility into the macOS Unified Logs data stream, offering insights into system and application events across the operating system. 
It highlights breakdowns of event categoies over time to identify key system components generating logs, along with detailed tables showcasing the top process image paths and top sender image paths for deeper operational context. Together, these visualizations help monitor system behavior, troubleshoot issues, and enhance macOS endpoint visibility.\n\n**[Integration Page](/app/integrations/detail/macos/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "title": "" + }, + "gridData": { + "h": 17, + "i": "da83d66c-b4a7-4ec9-a9be-d69453a2999a", + "w": 10, + "x": 0, + "y": 5 + }, + "panelIndex": "da83d66c-b4a7-4ec9-a9be-d69453a2999a", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6d111cc0-533f-4394-bee1-3befbb34d4ba", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6d111cc0-533f-4394-bee1-3befbb34d4ba": { + "columnOrder": [ + "7c85574f-2268-4341-bfae-bdf829de3747", + "d933d392-5b5b-4e93-aa2b-98762adbb762", + "96b6cb9a-0134-497c-9195-8c7c45d6f586" + ], + "columns": { + "7c85574f-2268-4341-bfae-bdf829de3747": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Category", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "96b6cb9a-0134-497c-9195-8c7c45d6f586", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 7 + }, + "sourceField": "macos.unified_log.event.category" + }, + "96b6cb9a-0134-497c-9195-8c7c45d6f586": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + 
"sourceField": "macos.unified_log.event.category" + }, + "d933d392-5b5b-4e93-aa2b-98762adbb762": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "96b6cb9a-0134-497c-9195-8c7c45d6f586" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "6d111cc0-533f-4394-bee1-3befbb34d4ba", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "7c85574f-2268-4341-bfae-bdf829de3747", + "xAccessor": "d933d392-5b5b-4e93-aa2b-98762adbb762" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Aggregated Security Events over Time" + }, + "gridData": { + "h": 22, + "i": "27dfea44-7dd8-45ec-8caa-dacbbb35ed39", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "27dfea44-7dd8-45ec-8caa-dacbbb35ed39", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-layer-42a78020-0d1f-443e-a82a-6df70600549d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "42a78020-0d1f-443e-a82a-6df70600549d": { + "columnOrder": [ + "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f", + "141b5b8f-7f60-43dd-b5e8-fcf827e5870f" + ], + "columns": { + "141b5b8f-7f60-43dd-b5e8-fcf827e5870f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Sender Image Path", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "141b5b8f-7f60-43dd-b5e8-fcf827e5870f", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "macos.unified_log.sender.image_path" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f" + }, + { + "columnId": "141b5b8f-7f60-43dd-b5e8-fcf827e5870f" + } + ], + "layerId": "42a78020-0d1f-443e-a82a-6df70600549d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Sender Image Path" + }, + "gridData": { + "h": 17, + "i": "17e05963-7db3-4c42-bb49-e91532020f27", + "w": 17, + "x": 13, + "y": 22 + }, + "panelIndex": "17e05963-7db3-4c42-bb49-e91532020f27", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "222dbc47-abfa-49a7-b595-cb36fbe5057e": { + "columnOrder": [ + "28ff7ab6-2626-40ad-a700-2a72f55a285d", + "e6681111-ffdc-44ca-9d4f-dc3de6251033" + ], + "columns": { + "28ff7ab6-2626-40ad-a700-2a72f55a285d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Process Image Path", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "macos.unified_log.process.image_path" + }, + "e6681111-ffdc-44ca-9d4f-dc3de6251033": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": 
"28ff7ab6-2626-40ad-a700-2a72f55a285d" + }, + { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033" + } + ], + "layerId": "222dbc47-abfa-49a7-b595-cb36fbe5057e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Process Image Path" + }, + "gridData": { + "h": 17, + "i": "a4f33a70-ad6a-4eb0-9792-ac20951dc1e6", + "w": 18, + "x": 30, + "y": 22 + }, + "panelIndex": "a4f33a70-ad6a-4eb0-9792-ac20951dc1e6", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "222dbc47-abfa-49a7-b595-cb36fbe5057e": { + "columnOrder": [ + "28ff7ab6-2626-40ad-a700-2a72f55a285d", + "e6681111-ffdc-44ca-9d4f-dc3de6251033" + ], + "columns": { + "28ff7ab6-2626-40ad-a700-2a72f55a285d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "e6681111-ffdc-44ca-9d4f-dc3de6251033": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + 
"id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "28ff7ab6-2626-40ad-a700-2a72f55a285d" + }, + { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033" + } + ], + "layerId": "222dbc47-abfa-49a7-b595-cb36fbe5057e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Active Users" + }, + "gridData": { + "h": 17, + "i": "c1f31ab0-242c-4afe-83be-26e428805e5f", + "w": 13, + "x": 0, + "y": 22 + }, + "panelIndex": "c1f31ab0-242c-4afe-83be-26e428805e5f", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs macOS] Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-03T12:08:35.452Z", + "id": "macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35", + "name": "77764699-34eb-4325-8a41-63ef03163050:link_4af59c8f-d1a1-49b9-b4e4-927304a4d114_dashboard", + "type": "dashboard" + }, + { + "id": "macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426", + "name": "77764699-34eb-4325-8a41-63ef03163050:link_c2813a92-3079-46ca-b3e6-79796cc36725_dashboard", + 
"type": "dashboard" + }, + { + "id": "logs-*", + "name": "27dfea44-7dd8-45ec-8caa-dacbbb35ed39:indexpattern-datasource-layer-6d111cc0-533f-4394-bee1-3befbb34d4ba", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "17e05963-7db3-4c42-bb49-e91532020f27:indexpattern-datasource-layer-42a78020-0d1f-443e-a82a-6df70600549d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a4f33a70-ad6a-4eb0-9792-ac20951dc1e6:indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c1f31ab0-242c-4afe-83be-26e428805e5f:indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_1e6cd679-9424-4f7a-a331-580f0bd5cae1:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_73034753-5b2e-4874-94b8-024d0d92295c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0a00eb90-0f89-4a6f-8e36-982ad4b331d4:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/macos/kibana/dashboard/macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426.json b/packages/macos/kibana/dashboard/macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426.json new file mode 100644 index 00000000000..3353d7072c5 --- /dev/null +++ b/packages/macos/kibana/dashboard/macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426.json 
@@ -0,0 +1,959 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, + "description": "This dashboard provides insights into the network logs of macOS.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "macos.unified_log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "macos.unified_log" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_4af59c8f-d1a1-49b9-b4e4-927304a4d114_dashboard", + "id": "4af59c8f-d1a1-49b9-b4e4-927304a4d114", + "label": "Overview", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_c2813a92-3079-46ca-b3e6-79796cc36725_dashboard", + "id": "c2813a92-3079-46ca-b3e6-79796cc36725", + "label": "Network", + "options": { + "openInNewTab": false, + "useCurrentDateRange": false, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + } + ] + }, + "enhancements": {}, + "title": "Navigation" + }, + "gridData": { + "h": 5, + "i": "bb52edfd-2411-4192-bb53-3ae15e1ae411", + "w": 10, + "x": 0, + "y": 0 + }, + 
"panelIndex": "bb52edfd-2411-4192-bb53-3ae15e1ae411", + "type": "links" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-402c27e3-cf9b-4421-805a-7d39b77ccecc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "402c27e3-cf9b-4421-805a-7d39b77ccecc": { + "columnOrder": [ + "c970256c-4bd6-449d-b0a5-ef27d9931cc8", + "0b0042a3-61b9-43da-b715-6a1324f4cc5e", + "29bd5c87-11d0-45c7-8a16-1b59d3b17a07", + "abf06430-e5ff-4b0c-ad75-e4546633a481" + ], + "columns": { + "0b0042a3-61b9-43da-b715-6a1324f4cc5e": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Client IP", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "abf06430-e5ff-4b0c-ad75-e4546633a481", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "sourceField": "source.ip" + }, + "29bd5c87-11d0-45c7-8a16-1b59d3b17a07": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Duration", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "abf06430-e5ff-4b0c-ad75-e4546633a481", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "sourceField": "macos.unified_log.event.message.duration" + }, + "abf06430-e5ff-4b0c-ad75-e4546633a481": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count ", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "sourceField": 
"___records___" + }, + "c970256c-4bd6-449d-b0a5-ef27d9931cc8": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Client Port", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "abf06430-e5ff-4b0c-ad75-e4546633a481", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "sourceField": "source.port" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "c970256c-4bd6-449d-b0a5-ef27d9931cc8", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "abf06430-e5ff-4b0c-ad75-e4546633a481", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "0b0042a3-61b9-43da-b715-6a1324f4cc5e", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "29bd5c87-11d0-45c7-8a16-1b59d3b17a07", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "402c27e3-cf9b-4421-805a-7d39b77ccecc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Active Network Connections" + }, + "gridData": { + "h": 15, + "i": 
"f9b11023-cea9-4f3c-98eb-98c9458fbe52", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "f9b11023-cea9-4f3c-98eb-98c9458fbe52", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "222dbc47-abfa-49a7-b595-cb36fbe5057e": { + "columnOrder": [ + "28ff7ab6-2626-40ad-a700-2a72f55a285d", + "e6681111-ffdc-44ca-9d4f-dc3de6251033" + ], + "columns": { + "28ff7ab6-2626-40ad-a700-2a72f55a285d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "State", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "macos.unified_log.event.message.state" + }, + "e6681111-ffdc-44ca-9d4f-dc3de6251033": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "columns": [ + { + "columnId": "28ff7ab6-2626-40ad-a700-2a72f55a285d" + }, + { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033" + } + ], + "layerId": "222dbc47-abfa-49a7-b595-cb36fbe5057e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Message States" + }, + "gridData": { + "h": 19, + "i": "4727cd8f-69d7-44ef-8423-1b02118b3a40", + "w": 16, + "x": 0, + "y": 35 + }, + "panelIndex": "4727cd8f-69d7-44ef-8423-1b02118b3a40", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-42a78020-0d1f-443e-a82a-6df70600549d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "42a78020-0d1f-443e-a82a-6df70600549d": { + "columnOrder": [ + "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f", + "141b5b8f-7f60-43dd-b5e8-fcf827e5870f" + ], + "columns": { + "141b5b8f-7f60-43dd-b5e8-fcf827e5870f": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "141b5b8f-7f60-43dd-b5e8-fcf827e5870f", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "macos.unified_log.event.message.name" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "33cf8fd2-12fc-47ba-8fe0-efc49a7ed68f" + }, + { + "columnId": "141b5b8f-7f60-43dd-b5e8-fcf827e5870f" + } + ], + "layerId": "42a78020-0d1f-443e-a82a-6df70600549d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Message Names" + }, + "gridData": { + "h": 19, + "i": "0f4939aa-ab08-4e0c-9a9c-ddb95398d2d3", + "w": 16, + "x": 16, + "y": 35 + }, + "panelIndex": "0f4939aa-ab08-4e0c-9a9c-ddb95398d2d3", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "222dbc47-abfa-49a7-b595-cb36fbe5057e": { + "columnOrder": [ + "28ff7ab6-2626-40ad-a700-2a72f55a285d", + "e6681111-ffdc-44ca-9d4f-dc3de6251033" + ], + "columns": { + "28ff7ab6-2626-40ad-a700-2a72f55a285d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Task UID", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "macos.unified_log.event.message.task_uid" + }, + "e6681111-ffdc-44ca-9d4f-dc3de6251033": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "28ff7ab6-2626-40ad-a700-2a72f55a285d" + }, + { + "columnId": "e6681111-ffdc-44ca-9d4f-dc3de6251033" + } + ], + "layerId": "222dbc47-abfa-49a7-b595-cb36fbe5057e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Top Tasks" + }, + "gridData": { + "h": 19, + "i": "0630ba6f-b30c-418d-92c2-11ed80c688d4", + "w": 16, + "x": 32, + "y": 35 + }, + "panelIndex": "0630ba6f-b30c-418d-92c2-11ed80c688d4", + "type": "lens" + }, + { + "embeddableConfig": { + 
"enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "### MacOS\n\n#### Description\n\nThis dashboard provides an overview of macOS Unified Logs, helping security and operations teams monitor system and network activities across macOS devices. It highlights top message names, states, and tasks to identify recurring system activities. Tables further enrich the analysis by listing active network connections, supporting efficient investigation and performance monitoring.\n\n**[Integration Page](/app/integrations/detail/macos/overview)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "title": "" + }, + "gridData": { + "h": 15, + "i": "f54a8b9e-3782-41ad-aea1-40772c7995ca", + "w": 10, + "x": 0, + "y": 5 + }, + "panelIndex": "f54a8b9e-3782-41ad-aea1-40772c7995ca", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a4a80cef-789a-406f-9303-f862091aeb35", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a4a80cef-789a-406f-9303-f862091aeb35": { + "columnOrder": [ + "d84f34a8-29e5-4e17-8a77-5497bc8c9c88", + "73c2f30a-da4d-45cf-8af2-468955b549d3" + ], + "columns": { + "73c2f30a-da4d-45cf-8af2-468955b549d3": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "macos.unified_log.event.category : \"Network Activity\" " + }, + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "sourceField": "___records___" + }, + "d84f34a8-29e5-4e17-8a77-5497bc8c9c88": { + 
"dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "73c2f30a-da4d-45cf-8af2-468955b549d3" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "a4a80cef-789a-406f-9303-f862091aeb35", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "d84f34a8-29e5-4e17-8a77-5497bc8c9c88" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Network Events over Time" + }, + "gridData": { + "h": 20, + "i": "00360852-34be-4825-a951-7ff808c8ce7a", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "00360852-34be-4825-a951-7ff808c8ce7a", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs macOS] Network", + 
"version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-11-03T12:08:34.356Z", + "id": "macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35", + "name": "bb52edfd-2411-4192-bb53-3ae15e1ae411:link_4af59c8f-d1a1-49b9-b4e4-927304a4d114_dashboard", + "type": "dashboard" + }, + { + "id": "macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426", + "name": "bb52edfd-2411-4192-bb53-3ae15e1ae411:link_c2813a92-3079-46ca-b3e6-79796cc36725_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "f9b11023-cea9-4f3c-98eb-98c9458fbe52:indexpattern-datasource-layer-402c27e3-cf9b-4421-805a-7d39b77ccecc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4727cd8f-69d7-44ef-8423-1b02118b3a40:indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0f4939aa-ab08-4e0c-9a9c-ddb95398d2d3:indexpattern-datasource-layer-42a78020-0d1f-443e-a82a-6df70600549d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0630ba6f-b30c-418d-92c2-11ed80c688d4:indexpattern-datasource-layer-222dbc47-abfa-49a7-b595-cb36fbe5057e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00360852-34be-4825-a951-7ff808c8ce7a:indexpattern-datasource-layer-a4a80cef-789a-406f-9303-f862091aeb35", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/macos/manifest.yml b/packages/macos/manifest.yml new file mode 100644 index 00000000000..ba7346277d3 --- /dev/null +++ b/packages/macos/manifest.yml 
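Review bot: In the "Top Active Network Connections" datatable the `Duration` column is a `terms` bucket over the string field `macos.unified_log.event.message.duration`, so the panel renders a nested top-10 of port × IP × distinct duration strings rather than a list of connections; unless the duration values are coarse categorical strings, that column fragments every row into its own bucket and the count ordering mostly shows ties. The leading bucket on `source.port` (labelled "Client Port") has the same problem if these are outbound connections, where the source port is ephemeral — presumably worth confirming what this dataset carries in `source.port` before keeping it as the first column. Two cosmetic leftovers in the same file: the count column of that table is labelled `"Count "` with a trailing space, and the "Network Events over Time" lens state still carries `"title": "Empty XY chart"`, which looks like the default Lens placeholder rather than an intended value.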
@@ -0,0 +1,38 @@
+format_version: 3.3.2
+name: macos
+title: macOS
+version: 0.1.0
+description: Collect logs from macOS with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: ^8.18.0 || ^9.0.0
+ elastic:
+ subscription: basic
+icons:
+ - src: /img/macos-logo.svg
+ title: macOS logo
+ size: 32x32
+ type: image/svg+xml
+screenshots:
+ - src: /img/macos-unified-logs-overview-dashboard.png
+ title: MacOS Unified Logs Overview Dashboard
+ size: 600x600
+ type: image/png
+ - src: /img/macos-unified-logs-network-dashboard.png
+ title: MacOS Unified Logs Network Dashboard
+ size: 600x600
+ type: image/png
+policy_templates:
+ - name: macos
+ title: macOS
+ description: Collect logs from macOS.
+ inputs:
+ - type: unifiedlogs
+ title: Collect unified logs from macOS
+ description: Collecting unified logs from macOS.
+owner:
+ github: elastic/sec-linux-platform
+ type: elastic
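Review bot: The screenshot titles are spelled `MacOS Unified Logs Overview Dashboard` and `MacOS Unified Logs Network Dashboard`, while the package `title`, the policy template and both dashboard titles use the `macOS` spelling; `title: macOS Unified Logs Overview Dashboard` and `title: macOS Unified Logs Network Dashboard` keep the manifest consistent with the rest of the package. The input's `description: Collecting unified logs from macOS.` only restates its title; a description that names what the stream contains would help users choosing the input in the policy editor. `categories` lists only `security`; since this package ingests operating-system logs, it may also belong under the spec's `os_system` category if that is appropriate for this integration.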