kc9wwh / logcollection
Script to upload client device logs to Jamf Pro
License: MIT License
I have uploaded the script and amended the required parameters as advised but get a "The request requires user authentication" message when running sudo jamf -policy as per:
I've checked and ensured the permissions on the upload user account in Jamf are correct and even tried giving full permissions. I've double checked the script which has the correct username and password parameters set.
Hi
I followed the instructions on how to set up an encrypted log collection but I get a bad decrypt error:
Script result: bad decrypt
4334863916:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/evp/evp_enc.c:521:
adding: private/var/log/install.log (deflated 97%)
adding: private/var/log/jamf.log (deflated 90%)
adding: private/var/log/system.log (deflated 93%)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 422 100 422 0 0 1047 0 --:--:-- --:--:-- --:--:-- 1060
mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
31 1438k 0 0 31 448k 0 389k 0:00:03 0:00:01 0:00:02 390k
87 1438k 0 0 87 1264k 0 607k 0:00:02 0:00:02 --:--:-- 608k
100 1438k 100 422 100 1438k 179 612k 0:00:02 0:00:02 --:--:-- 613k
<html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
What is going on here? I'm testing this on a Monterey machine.
Thanks!
Hello,
Using system_profiler for serial number was causing timeouts and the script was delaying a long time without running successfully.
I think this might be because of FileVault. So not sure if you want to investigate swapping out the variable altogether, or maybe use a check to see if FileVault is enabled, then declare the variable a different way.
I changed this to mySerial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')
The script isn't working still, however the serial number is at least getting populated now.
The script appears to have stopped working when attempting to pull logs from remote Ventura machines, where it still works to pull from Monterey machines. Any chance the script could be re-visited for macOS 13 support?
Hi
Could you please help me with the least Jamf user account permission to be implemented.
Thanks !!!
Script works without encryption
bad decrypt
4636073644:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/System/Volumes/Data/SWE/macOS/BuildRoots/e90674e518/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/evp/evp_enc.c:521:
Looks like the computer ID in Jamf is not getting populated properly and therefore unable to upload the files to the computer record with Monterey. Possibly xpath related.
With the Jamf API changes, this stopped working with basic auth methods. Along with Jamf support, I made some tweaks and came up with an updated script that works with the new updated bearer changes required for this to work correctly.
https://github.com/altonbrailovskiy/logCollection/blob/master/BearerAuth.sh
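The 401 and 404 logs in the issues on this page show an HTML error page being piped straight into xpath, which then fails with "mismatched tag" or "syntax error". As an added example (not code from the logCollection project or from BearerAuth.sh), the sketch below requests a bearer token from Jamf Pro's `/api/v1/auth/token` endpoint and checks the HTTP status before parsing anything. The variable names follow the script's `jamfProURL`, `jamfProUser`, `jamfProPass` and `mySerial`; the function names are hypothetical.

```shell
#!/bin/bash
# Added example. jamfProURL, jamfProUser, jamfProPass and mySerial are the
# script's own parameters; the function names are hypothetical.
NL='
'

# Split the output of `curl -s -w '\n%{http_code}'` into body and status.
split_response() {
    HTTP_STATUS="${1##*"$NL"}"   # last line: the status code
    HTTP_BODY="${1%"$NL"*}"      # everything before it
}

# Succeed only for 2xx, so an HTML error page never reaches xpath.
check_status() {
    case "$1" in
        2??) return 0 ;;
        401) echo "HTTP 401: credentials or token rejected" >&2 ;;
        404) echo "HTTP 404: endpoint or computer record not found" >&2 ;;
        *)   echo "HTTP ${1:-none}: unexpected response" >&2 ;;
    esac
    return 1
}

# Extract the "token" value from the JSON returned by /api/v1/auth/token.
extract_token() {
    printf '%s\n' "$1" |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exchange the API account's credentials for a short-lived bearer token.
get_bearer_token() {
    local raw
    raw=$(curl -s -w '\n%{http_code}' -X POST \
        -u "$jamfProUser:$jamfProPass" "$jamfProURL/api/v1/auth/token")
    split_response "$raw"
    check_status "$HTTP_STATUS" || return 1
    extract_token "$HTTP_BODY"
}

# Look up the computer ID with the token (xpath -e is the macOS 11+ syntax).
get_jamf_id() {
    local raw
    raw=$(curl -s -w '\n%{http_code}' -H "Authorization: Bearer $1" \
        -H "Accept: application/xml" \
        "$jamfProURL/JSSResource/computers/serialnumber/$2/subset/general")
    split_response "$raw"
    check_status "$HTTP_STATUS" || return 1
    printf '%s' "$HTTP_BODY" | xpath -e '//computer/general/id/text()' 2>/dev/null
}
# Usage: token=$(get_bearer_token) && jamfProID=$(get_jamf_id "$token" "$mySerial")
```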
The xpath in the EA code (https://github.com/kc9wwh/logCollection/blob/master/EA-NumAttachments.sh) is wrong/out of date...
line 11
jamfProID=$( curl -k -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general | xpath "//computer/general/id/text()" )
line 14
numAttachments=$( curl -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/id/$jamfProID -X GET | xmllint -format - | xpath '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )
Taking a cue from the main logCollection.sh code, it needs to filter for macOS 12 or later to set the right xpath... something like...
starting line 10...
osMajor=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}')
osMinor=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $2}')
## Determine Jamf Pro Device ID
if [[ "$osMajor" -ge 11 ]]; then
    jamfProID=$( curl -k -u "$jamfProUser:$jamfProPass" "$jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general" | xpath -e "//computer/general/id/text()" )
elif [[ "$osMajor" -eq 10 && "$osMinor" -gt 12 ]]; then
    jamfProID=$( curl -k -u "$jamfProUser:$jamfProPass" "$jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general" | xpath "//computer/general/id/text()" )
fi
## API Lookup for how many attachments are attached to this device record
if [[ "$osMajor" -ge 11 ]]; then
    numAttachments=$( curl -u "$jamfProUser:$jamfProPass" "$jamfProURL/JSSResource/computers/id/$jamfProID" -X GET | xmllint -format - | xpath -e '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )
elif [[ "$osMajor" -eq 10 && "$osMinor" -gt 12 ]]; then
    numAttachments=$( curl -u "$jamfProUser:$jamfProPass" "$jamfProURL/JSSResource/computers/id/$jamfProID" -X GET | xmllint -format - | xpath '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )
fi
## Echo results for EA
echo "<result>$numAttachments</result>"
Can logCollection be used with the new Jamf API Roles feature and if so could the documentation be updated to explain how to use this feature with your awesome tool! Thank you.
Hello. Do you have an example on how to use base64 for encoding the password? I saw the items listed here, but was unsure how to exactly use it. Wasn't sure if I just inputted the encoded password into the EA script or if I needed to add some additional lines of code.
https://github.com/kc9wwh/logCollection/wiki/FAQ's#base64-encodedecode
Thanks,
Ryan
This is my log path
/Library/Logs/MSP\ Anywhere\ Agent\ N-central/MSP_Anywhere_Agent_N-central_2022_06_01.log
Also since the logs have dates I would need a wildcard.
How should I do this for the log path in the script?
Hi team,
Thanks for your great work creating this script.
I got the log file that needs to be uploaded to Jamf Pro:
/private/var/UserToRemove/user.logarchive
However, through your script it looks like the whole folder user.logarchive has been uploaded rather than the actual file.
The zip file is attached to the computer in Jamf Pro, but when opened it is like a user.logarchive folder rather than the actual file.
Hope it makes sense.
Hi,
I used the encrypted version of the log collection script and did not get any logs sent to the attachments section of the device in Jamf. I added the logging command provided to find out what the issue was and this is what was displayed via that device's policy logs:
Script result: adding: private/var/log/jamf.log (deflated 91%)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 422 100 422 0 0 413 0 0:00:01 0:00:01 --:--:-- 413
100 422 100 422 0 0 412 0 0:00:01 0:00:01 --:--:-- 412
mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 30630 0 0 100 30630 0 85798 --:--:-- --:--:-- --:--:-- 85558
100 31052 100 422 100 30630 849 61629 --:--:-- --:--:-- --:--:-- 62353
<html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
Am I missing something?
I am pulling a .logarchive but every time I upload it then view it, it's blank. Confirmed it has thousands of lines when viewing it on the local machine.
Hi,
My company wishes to get the latest logs remotely from all PCs but I read the warning in the wiki. It seems that it's not recommended to do so. What if instead of setting the trigger at recurring check-in, set it to Login. Would it be ok?
WARNING: Do not set this policy as ongoing at recurring check-in or scope to all devices unless you have this configured as a Self Service policy. Doing so will make your Jamf Pro environment come down crying.
After trying multiple log files in different locations I cannot get the script to produce a file in jamf attachments
MacOS Version 13.3
Macbook Pro M1
--Jamf Log--
Script result: adding: Library/Management/super/super.log (deflated 89%)
adding: Library/Management/super/installer.log (deflated 82%)
adding: Library/Management/super/mdmWorkflow.log (deflated 91%)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 684 100 684 0 0 720 0 --:--:-- --:--:-- --:--:-- 734
100 684 100 684 0 0 719 0 --:--:-- --:--:-- --:--:-- 733
syntax error at line 1, column 0, byte 0:
<!doctype html><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
Type Status Report
Message Not Found
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 17032 100 684 100 16348 829 19823 --:--:-- --:--:-- --:--:-- 21001
100 17032 100 684 100 16348 828 19792 --:--:-- --:--:-- --:--:-- 20975
<!doctype html><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>
Type Status Report
Message Not Found
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
Hi,
I used the encrypted version of the log collection script and did not get any logs sent to the attachments section of the device in Jamf. I added the logging command provided to find out what the issue was and this is what was displayed via that device's policy logs:
Script result: error reading input file
zip error: Nothing to do! (/private/tmp/...zip)
curl: (3) URL using bad/illegal format or missing URL
no element found at line 1, column 0, byte 0:
I removed the machine name and replaced with ellipses in the above log.
Am I missing something?