Merge pull request #310 from Pierre-Gronau-ndaal/patch-27

Update macos_unified_logs.yaml
tclahr · Jan 21, 2025 · 5250751 · 5250751
2 parents d332606 + 662b0dd
commit 5250751
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 - files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
 - files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
+- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].

diff --git a/artifacts/files/logs/macos_unified_logs.yaml b/artifacts/files/logs/macos_unified_logs.yaml
@@ -1,4 +1,4 @@
-version: 4.0
+version: 4.1
 artifacts:
   -
     description: Collect macOS Unified Logs tracev3 files.
@@ -16,4 +16,24 @@ artifacts:
     supported_os: [macos]
     collector: file
     path: /private/var/db/diagnostics/timesync
-
+  -
+    description: Collect macOS Apple System Logs (ASL) files.
+    supported_os: [macos]
+    collector: file
+    path: /private/var/log/asl.db
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect macOS Apple System Logs (ASL) files.
+    supported_os: [macos]
+    collector: file
+    path: /private/var/log/asl.log
+    max_file_size: 1073741824 # 1GB
+  -
+    description: Collect macOS Apple System Logs (ASL) files.
+    supported_os: [macos]
+    collector: file
+    path: /private/var/log/asl/*
+    max_file_size: 1073741824 # 1GB
+
+# References:
+# https://darkdefender.medium.com/brief-introduction-to-macos-forensics-f817c9c83609