I have an iMac running OS X 10.7 that stands in a public space. Recently, someone stole a Mighty Mouse that was connected to it. I know the time period when it happened, so I was wondering if I can find out what sort of activity was going on back then. For example, what users were logging in, what apps they were running, and when was the last time this USB mouse was connected. I already went through system and kernel logs and they provide just a bit of useful info. What are the best practices of auditing Mac usage?
Thanks!
Best Answer
If you didn't install system accounting on this Mac, there isn't any way for you to get the processes back at the time of this bad event.
You can find when this mouse was connected for the last time by searching in the /var/log/kernel.log. On more recent versions of OSX (Yosemite, El Capitan, Sierra) /var/log/kernel.log is merged in /var/log/system.log. Within a terminal or xterm just type:
or on more recent versions of OSX:
If you need to search back further, just use the compressed and saved previous versions with:
or on more recent versions of OSX:
To check who was connected on your system, just use the last command.
If you want to have a basic auditing function on your system, you may easily start by turning the system accounting on. Here is how to turn it on. All these commands have to be typed with the root account. (Be careful: any typed letter, even a space, counts.)
You can immediately check that from now on and forever the kernel is registering any program launched:
As a simple example of use, the following command will show you which commands were used since the startup of the kernel accounting:
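The log search described in the answer, narrowed to a known time window, as an added example that is not part of the original answer. The function names, the window format and the sample log lines are assumptions made for illustration; the sample lines are constructed and do not reproduce real OS X kernel messages.

```shell
#!/bin/sh
# Added example (not from the original answer): list log lines that match a
# pattern inside a time window, across current and rotated log files.

# Print one log file, decompressing rotated copies by extension.
read_log() {
    case "$1" in
        *.bz2) bzcat -- "$1" ;;
        *.gz)  gzip -dc -- "$1" ;;
        *)     cat -- "$1" ;;
    esac
}

# events_in_window PATTERN START END FILE...
# START and END use "MM-DD HH:MM:SS". Syslog lines carry no year, so the
# window must stay inside one calendar year. PATTERN is a plain substring.
events_in_window() {
    pattern=$1; start=$2; end=$3
    shift 3
    for f in "$@"; do
        [ -r "$f" ] || continue      # skip missing or unreadable files
        read_log "$f"
    done | awk -v pat="$pattern" -v start="$start" -v end="$end" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
            pat = tolower(pat)
        }
        # Syslog prefix: "Mon DD HH:MM:SS host process: message"
        ($1 in mon) {
            key = sprintf("%s-%02d %s", mon[$1], $2, $3)   # sortable stamp
            if (key >= start && key <= end && index(tolower($0), pat)) print
        }'
}

# Constructed sample lines for trying the function offline.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 14 08:55:10 imac kernel[0]: USB device attached (constructed sample line)
Mar 14 09:12:44 imac kernel[0]: USB device detached (constructed sample line)
Mar 14 09:13:02 imac loginwindow[45]: unrelated entry (constructed sample line)
Mar 15 07:30:00 imac kernel[0]: USB device attached (constructed sample line)
EOF
}
```

On the Mac in question, pass /var/log/kernel.log together with its saved compressed copies as the FILE arguments, and compare the matching timestamps with the sessions reported by last.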