I'm looking for logs on attempts by someone to access one of my Macs on a previous day. I have remote management running and I allow VNC access. In the logs I have found, I see the attempts they made, but there's no IP address logged. Where can I see this?
An example of a console log I have is "system.log.0" (backed up the last day). I have tons of these log events from when someone was connected:
(com.apple.screensharing[2323232]): Endpoint has been activated through legacy launch (3) API's
There is no other logged info.
Also, I don't have a "secure.log" file.
I just want to know what IPs were connected to my Mac during a specific time frame. Is there any other log or source of info in macOS Sierra I could harvest for this?
Best Answer
Beginning with macOS Sierra, there is a new unified logging system, which requires a bit more work to access than the old system.log, but includes far more details.
Use this command to show the last three days of access logs:
log show --last 3d --predicate 'processImagePath CONTAINS "screensharingd" AND eventMessage CONTAINS "Authentication"'
This will show timestamps, IP, username, and authentication failure/success for both VNC and Apple Screen Sharing connections.
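To narrow this to a specific time frame and get one line per connecting address, the following is an added example and not part of the original answer. It uses the `--start` and `--end` options of `log show` and assumes the screensharingd message layout shown in the first comment; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed message layout (not shown on the page):
#   Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.7 :: Type: VNC DES

# macOS only: fetch screensharingd authentication events for a fixed window.
# $1 and $2 are start/end timestamps, e.g. "2017-03-01 00:00:00".
screenshare_auth_events() {
    log show --start "$1" --end "$2" \
        --predicate 'processImagePath CONTAINS "screensharingd" AND eventMessage CONTAINS "Authentication"'
}

# Read `log show` text on stdin and print "address succeeded failed",
# one line per viewer address, sorted.
summarize_viewers() {
    awk '
    /Authentication: / && /Viewer Address: / {
        result = $0
        sub(/.*Authentication: /, "", result)   # drop everything before the result
        sub(/ ::.*/, "", result)                # drop the remaining fields
        addr = $0
        sub(/.*Viewer Address: /, "", addr)
        sub(/ ::.*/, "", addr)                  # " ::" with a leading space, so IPv6 "::" survives
        seen[addr] = 1
        if (result == "SUCCEEDED") ok[addr]++
        else if (result == "FAILED") bad[addr]++
    }
    END {
        for (a in seen) printf "%s %d %d\n", a, ok[a], bad[a]
    }' | sort
}

# Constructed sample lines (documentation addresses, not real log data).
sample_events() {
    cat <<'EOF'
Timestamp                       Thread     Type        Activity             PID
2017-03-01 10:15:02.100000+0000 0x1a2b     Default     0x0                  2323   screensharingd: Authentication: FAILED :: User Name: N/A :: Viewer Address: 203.0.113.7 :: Type: VNC DES
2017-03-01 10:15:09.400000+0000 0x1a2b     Default     0x0                  2323   screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: DH
2017-03-01 11:02:44.900000+0000 0x1c3d     Default     0x0                  2323   screensharingd: Authentication: SUCCEEDED :: User Name: alice :: Viewer Address: 198.51.100.20 :: Type: DH
EOF
}

# On the Mac:  screenshare_auth_events "2017-03-01 00:00:00" "2017-03-02 00:00:00" | summarize_viewers
# Offline:     sample_events | summarize_viewers
```

An address with many failures and no successes in the window is the one to look at first.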