eslogger: Trace filesystem events using the macOS Endpoint Security framework
9 months ago
- #macOS
- #security
- #debugging
- dtruss, the closest macOS equivalent of strace on Linux, is built on DTrace, and System Integrity Protection (SIP) blocks DTrace from attaching to protected processes. In practice that means disabling SIP, or at least relaxing the DTrace restriction from Recovery with `csrutil enable --without dtrace`, before dtrace or dtruss are useful.
- Apple's Endpoint Security framework lets a user-space client subscribe to process, file and other kernel events without touching SIP. Third-party clients need the `com.apple.developer.endpoint-security.client` entitlement, which Apple's own tooling already carries.
- eslogger (`/usr/bin/eslogger`, macOS 13 and later) subscribes to named event types and prints one JSON object per line (JSONL), so its output pipes straight into jq. It must run as root from a terminal that has been granted Full Disk Access, e.g. `sudo eslogger open exec`; `eslogger --list-events` lists the available event names.
- Objective-See's FileMonitor and ProcessMonitor, installable via Homebrew, are Endpoint Security clients that give more detailed file and process monitoring.
- Crescendo and Red Canary Mac Monitor are GUI applications built on the Endpoint Security framework for the same kind of system monitoring.
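The jq one-liners get unwieldy once you want more than one rule, so the following is a small triage script, added here as an example and not part of the original post or of eslogger, that reads `sudo eslogger open exec` output from stdin and flags two patterns: executables launched from temporary directories, and writes into launchd persistence directories. The JSON field names it reads (`event.exec.target.executable.path`, `event.open.file.path`, `event.open.fflag`, `process.executable.path`, `process.audit_token.pid`) are my recollection of eslogger's schema and are assumptions, as is the `FWRITE = 2` flag value; the sample lines are constructed, not captured.

```python
"""Triage eslogger JSONL output (added example, not from the original post).

Intended pipeline on macOS 13+, from a terminal that has Full Disk Access:
    sudo eslogger open exec | python3 es_triage.py

Assumptions: the field names used below match what eslogger emits for the
Endpoint Security exec and open events; the sample lines are constructed.
"""
import json
import sys

# open(2) flag as carried in the open event's fflag field
# (assumed: FWRITE = 2, as in <sys/fcntl.h>).
FWRITE = 0x2

# Executables run from these directories are a classic stager pattern.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/private/var/folders/", "/var/folders/")

# Writes here create launchd persistence; a substring match also covers
# per-user ~/Library/LaunchAgents.
PERSISTENCE_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")

# Constructed sample lines in eslogger's JSONL shape; the last one is
# deliberately malformed to exercise the parser's error path.
SAMPLE_LINES = [
    '{"event":{"exec":{"target":{"executable":{"path":"/private/tmp/stager"},'
    '"audit_token":{"pid":4321}},"args":["/private/tmp/stager","-q"]}},'
    '"event_type":9,"process":{"executable":{"path":"/bin/zsh"},'
    '"audit_token":{"pid":1234}},"time":"2024-05-01T10:00:00.000Z"}',
    '{"event":{"open":{"file":{"path":"/Library/LaunchDaemons/com.example.up.plist"},'
    '"fflag":2}},"event_type":10,"process":{"executable":{"path":"/private/tmp/stager"},'
    '"audit_token":{"pid":4321}},"time":"2024-05-01T10:00:01.000Z"}',
    '{"event":{"open":{"file":{"path":"/Users/alice/Documents/notes.txt"},"fflag":1}},'
    '"event_type":10,"process":{"executable":{"path":'
    '"/Applications/TextEdit.app/Contents/MacOS/TextEdit"},"audit_token":{"pid":555}},'
    '"time":"2024-05-01T10:00:02.000Z"}',
    '{"event":{"exec":{"target":{"executable":{"path":"/bin/ls"},"audit_token":{"pid":4400}},'
    '"args":["ls","-la"]}},"event_type":9,"process":{"executable":{"path":"/bin/zsh"},'
    '"audit_token":{"pid":1234}},"time":"2024-05-01T10:00:03.000Z"}',
    'this line is not JSON',
]


def parse_event(line):
    """Parse one eslogger line; return None for blank or non-JSON input."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def classify(ev):
    """Return a one-line verdict for a suspicious event, or None if benign."""
    event = ev.get("event", {})
    proc = ev.get("process", {})
    actor = proc.get("executable", {}).get("path", "?")
    pid = proc.get("audit_token", {}).get("pid", "?")

    if "exec" in event:
        target = event["exec"].get("target", {}).get("executable", {}).get("path", "")
        if target.startswith(TEMP_PREFIXES):
            return f"exec from temp dir: {actor} (pid {pid}) -> {target}"
    elif "open" in event:
        path = event["open"].get("file", {}).get("path", "")
        wants_write = event["open"].get("fflag", 0) & FWRITE
        if wants_write and any(d in path for d in PERSISTENCE_DIRS):
            return f"write to launchd persistence path: {actor} (pid {pid}) -> {path}"
    return None


def scan(lines):
    """Run classify over raw lines, skipping unparseable ones; return verdicts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    # Read eslogger output from a pipe; fall back to the constructed samples
    # when run interactively so the script demonstrates itself offline.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for hit in scan(source):
        print(hit)
```

Malformed or blank lines are dropped rather than aborting the pipeline, which matters for a long-running `eslogger` feed; a line eslogger truncates or a stray stderr message should not kill the monitor. Rules are kept in `classify` so that adding a third pattern (say, reads of `~/.ssh` by non-ssh binaries) is a few lines, not a new jq expression.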