The first item in the Unified Logs we will take a look at is a relatively simple one – evidence of the ‘sudo’ command.

In this example I’m attempting to view all the log types (including default and info) for the last day (--last 1d). The search/filter (--predicate) I’m using is looking for the ‘sudo’ process. This column highlighted in pink text.

log show --info --debug --last 1d --predicate 'process == "sudo"'

This has many entries not immediately useful to me, I can create a more specific query to filter the noise out. I’ve removed the arguments for debug and info messages as they do not appear to be needed for this query (they may for others so don’t forget about them!). To get just the entries of interest, I added a keyword search for ‘TTY=’ in the message column (eventMessage).

log show --last 1d --predicate 'process == "sudo" and eventMessage contains "TTY="'

Another technique to look at just the entries associated with a specific use of ‘sudo’ can be to filter by the Process ID (PID) by using ‘processID’. (I replaced info/debug message in the query not because its necessary but purely because its muscle memory for me to do so!)

log show --info --debug --last 1d --predicate 'processID == 26220

I tried to get a bit creative with ‘sudo’, so I incorrectly put a password in (twice) while trying to use ‘sudo -s’. I then put in the correct password. Note, I’m using the ‘last’ argument to only look at events in the last 20 minutes. Very useful if you are trying to research a certain scenario without having to scroll through millions of log entries!

log show --last 20m --info --debug --predicate 'process == "sudo" and eventMessage contains "TTY="'

While we’re here, it would be a shame not to take a quick look at ‘su’ as well. Oops, looks like I got the password wrong while doing a ‘su janedoe’ three times before finally getting it right.

I’ve changed this query a tiny bit. The process was changed to ‘su’ instead of ‘sudo’ and the keyword in the message from changed from ‘TTY=’ to ‘tty’ to capture these entries.

log show --last 20m --info --debug --predicate 'process == "su" and eventMessage contains "tty"'

Finally let’s get a query to find all the relevant ‘sudo’ and ‘su’ commands. I created a slightly more complex query that combines searching for two different processes (sudo and su) while still filtering for ‘tty’ in the message.

log show --last 20m --info --debug --predicate '(process == "su" or process == "sudo") and eventMessage contains "tty"'

To make query slicker , we can use ‘beginswith’ to just look for ‘su’ in the two processes.

log show --last 30m --info --debug --predicate 'process beginswith "su" and eventMessage contains "tty"'

And one last one, because I know you NEED to know!

Big thanks to one of my favorite comics for the classic content, these never get old! XKCD by Randall Munroe