As part of my work, I occasionally need to pull information from the unified system log, either directly on a Mac or from a sysdiagnose file, using the log command line tool. However, I also prefer to run as a standard user account most of the time and use privilege elevation tools like SAP’s Privileges or the privilege elevation functionality built into Jamf’s Self Service+ tool to get admin privileges when needed.

The combination of the two sometimes means I get halted while working because the log command line tool needs an account with admin privileges to run when it is getting log information from the unified system log on the Mac I’m using. Using the log command line tool doesn’t require root privileges or require admin authorization, but it needs to be run by a user with admin rights.

Note: This requirement for admin privileges does not appear to be coming from the log command line tool itself, but instead is coming from the unified system log. The reason I’m saying this is that accessing logs using the log tool from a sysdiagnose file does not require admin privileges. If any readers have more information about this topic, please let me know in the comments.

This has been an occasional annoyance because I get pulled briefly out of my focus while working in order to elevate my account’s privileges and then go back to my work. However, I was able to develop a solution for this issue using the sudo command line tool. For more details, please see below the jump.

This method uses the ability on macOS for the sudo command line tool to use properly formatted configurations for the sudo tool, where those configuration files are stored as plaintext files in the /private/etc/sudoers.d directory. The following process will create a sudo configuration which is stored in a plaintext file named logstandarduser which will be stored in the /private/etc/sudoers.d directory.

The configuration should be a plaintext file and formatted as followed:

A. Enter the following:

%staff

B. Hit the Tab key to create a tabbed space
C. Enter the rest of the line:

ALL = (ALL) /usr/bin/log

The complete configuration file should look like this:

What this does is create a sudo configuration which allows all members of the staff group on the Mac, which is a group that has all local users on the Mac as members, to run the log command line tool with root privileges. This removes the need for the account to have admin rights and enables accounts with only standard rights to use the log command line tool to get information from the unified system log on that Mac.

This sudo configuration can be deployed to Macs by either copying the logstandarduser file into the /private/etc/sudoers.d directory (a task which requires root privileges) or by using DDM to deploy the logstandarduser file as a configuration file for the sudo tool.

Once the sudo configuration is deployed, it should be possible for any local account on the Mac to query the unified system log via using the sudo command line tool to run the log command line tool.