I am aware that older versions of OS X use secure.log, but I have been unable to find any definite answers as to where the output log goes for attempting to run a command with sudo privileges on a non-admin account on macOS Sierra. When we see the command feedback "this incident will be reported", where is that reported to, and how can I see it on macOS Sierra?
1 Answers
11
The sudo logs now go to the new unified logging system in macOS 10.12, which can be searched using the log command.
For example, to show all sudo logs from the last 3 hours:
log show --style syslog --predicate 'process == "sudo"' --last 3h
To search all sudo logs for messages containing the string "user NOT in sudoers":
log show --style syslog --predicate 'process == "sudo" and eventMessage contains "user NOT in sudoers"'
Use man log or log help show to learn more about how to use the command.
Miles
- 459
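As an added example (not part of the original answer), the output of the second command above can be piped into a small filter that counts denied attempts per user and command. The function names are hypothetical, the sample lines are constructed, and the parser assumes sudo's usual "user : user NOT in sudoers ; TTY=... ; PWD=... ; USER=... ; COMMAND=..." message layout after the "sudo[pid]:" tag.

```shell
#!/bin/sh
# Added example: summarize denied sudo attempts from `log show --style syslog`.
# On macOS, feed it live data with the answer's command:
#   log show --style syslog --predicate 'process == "sudo" and eventMessage contains "user NOT in sudoers"' --last 3h | summarize_sudo_denials

# Reads syslog-style lines on stdin and prints "count<TAB>user<TAB>command"
# for each unique (user, command) pair, most frequent first.
summarize_sudo_denials() {
  awk '
    /sudo\[[0-9]+\]:/ && /user NOT in sudoers/ {
      # Keep only the message that follows the "sudo[pid]:" tag.
      msg = $0
      sub(/^.*sudo\[[0-9]+\]:[ \t]*/, "", msg)
      # The invoking user is everything before the first " :".
      user = msg
      sub(/[ \t]*:.*$/, "", user)
      # The attempted command is everything after "COMMAND=" (8 characters).
      cmd = "(unknown)"
      if (match(msg, /COMMAND=.*/)) cmd = substr(msg, RSTART + 8)
      seen[user "\t" cmd]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample input (not real log data): three denials and one
# permitted sudo call that the filter must ignore.
sample_sudo_log() {
  cat <<'EOF'
2017-03-01 10:15:22.104512-0800  localhost sudo[1201]:    guest : user NOT in sudoers ; TTY=ttys000 ; PWD=/Users/guest ; USER=root ; COMMAND=/usr/bin/whoami
2017-03-01 10:15:40.553101-0800  localhost sudo[1207]:    guest : user NOT in sudoers ; TTY=ttys000 ; PWD=/Users/guest ; USER=root ; COMMAND=/usr/bin/whoami
2017-03-01 10:17:03.220417-0800  localhost sudo[1215]:    kiosk : user NOT in sudoers ; TTY=ttys001 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/sudoers
2017-03-01 10:18:11.000921-0800  localhost sudo[1220]:    admin : TTY=ttys002 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/true
EOF
}
```

Running `sample_sudo_log | summarize_sudo_denials` exercises the filter without access to a Mac.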