#compdef eslogger
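# Completion entry point for eslogger, the macOS Endpoint Security event
# logger. Completes the option flags listed below; every remaining word on the
# command line is completed as an event type via _eslogger_event_types.
#
# This function only proposes words to the shell; it never invokes eslogger.
#
# Notes for people using eslogger as a telemetry source:
#   - NOTE(review): eslogger is documented as requiring root and Full Disk
#     Access for the responsible process -- confirm on the target macOS
#     release before building tooling around it.
#   - --select narrows collection to programs under a path prefix, so anything
#     running from outside that prefix will presumably not be logged. Treat a
#     --select filter as a deliberate visibility trade-off, not a default.
#   - NOTE(review): if eslogger accepts --select more than once, the spec
#     below should become '*--select[...]' so the flag is offered again after
#     its first use -- confirm against the man page.
_eslogger() {
    # Locals that `_arguments -C` is allowed to set. No spec below uses a
    # `->state` action, so they stay empty; declaring them keeps them from
    # leaking into the calling completion context if states are added later.
    local context state line

    _arguments -C \
        '--format[Log format to use]:format:(json)' \
        '--oslog[Emit event data to oslog instead of stdout]' \
        '--oslog-subsystem[Log subsystem to use with --oslog]:subsystem:' \
        '--oslog-category[Log category to use with --oslog]:category:' \
        '--list-events[List supported events and exit]' \
        '--select[Select events from a specific program path prefix]:path:_files' \
        '(-h --help)'{-h,--help}'[Show help information]' \
        '*:event-types:_eslogger_event_types'
}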
# Event types from `eslogger --list-events`
# Offer the Endpoint Security event type names as completion candidates, each
# with a short description, under the group heading 'event types'.
#
# The table is a static snapshot. The set of events differs between macOS
# releases, so `eslogger --list-events` on the machine being monitored is the
# authoritative list; a name completed here may be rejected on an older OS and
# a newer OS may support names that are missing here.
#
# Practical guidance when choosing what to subscribe to:
#   - Entries that usually matter most for detection work include exec,
#     btm_launch_item_add (new background/login items), tcc_modify,
#     cs_invalidated, get_task*, remote_thread_create, kextload, profile_add,
#     gatekeeper_user_override and the xp_malware_* pair.
#   - NOTE(review): per-file events (open, close, stat, lookup, readdir, ...)
#     are presumably far higher volume than the others; subscribe to them
#     selectively and size the log pipeline accordingly.
_eslogger_event_types() {
    typeset -a known_events

    # Each element is 'name:description'; _describe splits on the first colon.
    known_events=(
        'access:File access events'
        'authentication:Authentication events'
        'authorization_judgement:Authorization judgement events'
        'authorization_petition:Authorization petition events'
        'btm_launch_item_add:Background Task Management launch item add'
        'btm_launch_item_remove:Background Task Management launch item remove'
        'chdir:Directory change events'
        'chroot:Change root events'
        'clone:File clone events'
        'close:File close events'
        'copyfile:File copy events'
        'create:File/directory creation events'
        'cs_invalidated:Code signing invalidation events'
        'deleteextattr:Extended attribute deletion events'
        'dup:File descriptor duplication events'
        'exchangedata:File data exchange events'
        'exec:Process execution events'
        'exit:Process exit events'
        'fcntl:File control events'
        'file_provider_materialize:File Provider materialization events'
        'file_provider_update:File Provider update events'
        'fork:Process fork events'
        'fsgetpath:File system get path events'
        'get_task:Get task events'
        'get_task_inspect:Get task inspect events'
        'get_task_name:Get task name events'
        'get_task_read:Get task read events'
        'getattrlist:Get attribute list events'
        'getextattr:Get extended attribute events'
        'gatekeeper_user_override:Gatekeeper override events'
        'iokit_open:IOKit open events'
        'kextload:Kernel extension load events'
        'kextunload:Kernel extension unload events'
        'link:File link events'
        'listextattr:List extended attribute events'
        'login_login:Login events'
        'login_logout:Logout events'
        'lookup:File lookup events'
        'lw_session_lock:LoginWindow session lock events'
        'lw_session_login:LoginWindow session login events'
        'lw_session_logout:LoginWindow session logout events'
        'lw_session_unlock:LoginWindow session unlock events'
        'mmap:Memory map events'
        'mount:File system mount events'
        'mprotect:Memory protection events'
        'od_attribute_set:OpenDirectory attribute set events'
        'od_attribute_value_add:OpenDirectory attribute value add events'
        'od_attribute_value_remove:OpenDirectory attribute value remove events'
        'od_create_group:OpenDirectory create group events'
        'od_create_user:OpenDirectory create user events'
        'od_delete_group:OpenDirectory delete group events'
        'od_delete_user:OpenDirectory delete user events'
        'od_disable_user:OpenDirectory disable user events'
        'od_enable_user:OpenDirectory enable user events'
        'od_group_add:OpenDirectory group add events'
        'od_group_remove:OpenDirectory group remove events'
        'od_group_set:OpenDirectory group set events'
        'od_modify_password:OpenDirectory password modification events'
        'open:File open events'
        'openssh_login:OpenSSH login events'
        'openssh_logout:OpenSSH logout events'
        'proc_check:Process check events'
        'proc_suspend_resume:Process suspend/resume events'
        'profile_add:Profile add events'
        'profile_remove:Profile remove events'
        'pty_close:Pseudo-terminal close events'
        'pty_grant:Pseudo-terminal grant events'
        'readdir:Directory read events'
        'readlink:Symbolic link read events'
        'remote_thread_create:Remote thread creation events'
        'remount:File system remount events'
        'rename:File/directory rename events'
        'screensharing_attach:Screen sharing attach events'
        'screensharing_detach:Screen sharing detach events'
        'searchfs:File system search events'
        'setacl:Set access control list events'
        'setattrlist:Set attribute list events'
        'setegid:Set effective group ID events'
        'seteuid:Set effective user ID events'
        'setextattr:Set extended attribute events'
        'setflags:Set file flags events'
        'setgid:Set group ID events'
        'setmode:Set file mode events'
        'setowner:Set file owner events'
        'setregid:Set real and effective group ID events'
        'setreuid:Set real and effective user ID events'
        'settime:Set system time events'
        'setuid:Set user ID events'
        'signal:Signal events'
        'stat:File stat events'
        'su:su invocation events'
        'sudo:sudo invocation events'
        'tcc_modify:TCC database modification events'
        'trace:Tracing events'
        'truncate:File truncate events'
        'uipc_bind:Unix domain socket bind events'
        'uipc_connect:Unix domain socket connect events'
        'unlink:File unlink events'
        'unmount:File system unmount events'
        'utimes:File time update events'
        'write:File write events'
        'xp_malware_detected:XProtect malware detected events'
        'xp_malware_remediated:XProtect malware remediated events'
        'xpc_connect:XPC connection events'
    )

    # _describe takes the array by name, not by value.
    _describe 'event types' known_events
}
# Because of the #compdef tag, the completion system autoloads this whole file
# as the body of a function named _eslogger. The first completion for eslogger
# therefore runs the file top to bottom: the definitions above replace that
# autoload stub, and this call hands the current request to the real
# _eslogger. Later completions call the defined function directly.
_eslogger "$@"