Audit log collection made easy. Seamless as if it was made by Apple.
SOC2 Complience? We have you covered. logga collects a variety of authentication events, such as ssh, screen share, OpenDirectory login, and more. logga also gathers permission escalation events, like su and sudo executions.
Don't miss anything happening on macOS. Collect detailed process execution logs and forward them to your favourite logging backend. You choose the preferred log format and let logga do the rest.
logga works best with JSON, the most popular logging format of the Cloud Native era.
Whether you are dealing with Audit or Access logs1, choosing JSON format gives you the most insight into the collected events 2.
JSON is a great choice if your organization has established logging practices & infrastructure. Find out more in the documentation.
1Although you can choose from multiple formats for audit logs, access logs currently only support JSON formatting.
2JSON has a higher level of expressivity compared to the strict auditd format or the custom log format
{
"log": {
"args": [
"date",
"+%s"
],
"audit_token": {
"auid": 501,
"egid": 20,
"euid": 501,
"gid": 20,
"group": "staff",
"pid": 43278,
"uid": 501,
"username": "administrator"
},
"command": "/bin/date",
"env": ["SHELL=\/bin\/zsh"],
"parent_audit_token": { ... },
"responsible_audit_token": { ... },
"tty": "/dev/ttys001"
},
"timestamp": "2023-09-17T21:32:56.695Z"
}
The `auditd` formatter tries to follow the specification of the linux counterpart. Due to platform differences, logga's auditd formatter is not 100% compatible with, but pretty usable by ausearch.
It is a good choice when your organization already collects Linux audit logs and doesn't want to mix formats.
type=EXECVE msg=audit(1700003649:56): \
argc=3 a0=sh a1=-c \
a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}'
type=SYSCALL msg=audit(1700003649:56): \
arch=c000003e syscall=59 success=yes exit=0 \
a0=sh a1=-c \
a2=ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF; exit}' \
items=1 ppid=571 pid=47410 \
auid=501 uid=501 gid=20 euid=501 egid=20 \
tty= ses=1 comm=sh exe=/bin/bash key="logga"
The audit logger supports custom log formatting. The field names are fixed, but other than that, you can go crazy with your own format.
Available fields:
timestamp, username, group, uid, guid, auid, euid, egid, pid, ppid, tty, exec_path, script, cwd, command, env, args
Find out more in the documentation.
We value your privacy: By default, logga doesn't collect or store customer data. On top of that, logga doesn't make any network requests. (After the beta period, the only network communication will be with the license server). logga persists logs locally, you keep full control over them.
logga is a native macOS application using minimal system resources. Without the accompanying menu bar application, it takes up even less! Based on our measurements, even at a very high volume of system events, logga doesn't significantly affect battery life.
logga is incredibly easy to install: manually by Installer, via brew or shell. logga is developer first: it is fully manageable via CLI. If you are a visual type, the UI has you covered.
logga works well with MDM: you can set up audit logging hands-free (without physical access to the macOS machine). Refer to the documentation to see the details.
logga has a dead simple, developer and automation-friendly configuration. It has sensible defaults and lets you have granular control over log format, rotation rules, and process muting.
logga supports JSON and auditd log formats out of the box. If you have something else in mind, the custom log format lets you go crazy with your preferred formatting. Short on disk capacity? Save disk space by compressing rotated log files.
By providing an SSO protected dashboard. Check who had access to your machines at a glance. Manage your team and billing.
Self host. Backup to S3. Forward logs without 3rd parties.
Would you like to be notified if someone connects to your nodes via SSH? Do you want an email or Slack message on each VNC event? We got you covered.
We try to make audit log collection easy on modern macOS. Our goal is to make logga as seamless as if it would be a built-in macOS application.
We believe logga is the best for companies or individuals who:
While Crowdstrike has undeniably amazing features, we could not find audit logging capabilities during our market research. They seem to collect access logs by parsing the Apple Unified Log store, which is inferior to logga's capabilities.
osquery seem to offer near-realtime process auditing capabilities. The documentation is a bit lacking, but based on the information osquery doesn't collect access logs. osquery organizes data into SQL tables, while logga supports multiple log formats.
Filebeat is a capable logga competitor. What logga can offer that Filebeat doesn't, is more agility from developers, better UX, more focused feature set, multiple log formats, better CLI support, better MDM support and long-term vision. logga is shaped by customer feedback and evolves faster than the Elastic offering.
Sorry, but no. logga is a special system extension, which Apple doesn't support uploading to the App Store just yet.
is a system extension application that you install as any other traditional GUI app. In order to load the extension part which collects the logs (via the logga app), you will need to manually grant Full Disk Access and approve running the binary. To avoid manual interactions, logga will be mostly handy for those who use MDM for fleet management. With the proper MDM configuration, running the logga application is seamless and can be easily integrated into the IT management workflow.
is a single binary (packaged as a macOS application for code signing & distribution). With logga daemon comes a LaunchDaemon, wwhich ensures that the binary always runs. It is in featue parity with the regular logga application, just the deployment method differs.
logga offers CLI functionality to support automatic deployment. In order to be able to install logga at scale in a fully automated manner, you will need MDM.
The reason: logga (all system extensions) needs Full Disk Access in order to be able to operate. Authorizing the FDA for an application is a manual process unless MDM is at play. This is an Apple side security requirement.
If you are an organization with a large macOS fleet, feel free to contact us with questions. We are happy to help!
Altough logga will be free during beta, it cannot stay free forever. We haven't figured out pricing & plans just yet, but imagine something like this:
Yes, on Github! Feel free to suggest additional features or report bugs.