I have uploaded the script and amended the required parameters as advised but get a "The request requires user authentication" message when running sudo jamf -policy as per:

I've checked and ensured the permissions on the upload user account in Jamf are correct and even tried giving full permissions. I've double checked the script which has the correct username and password parameters set.

Hi

I followed the instructions on how to setup an encrypted log collection but I get a bad decrypt error:

Script result: bad decrypt
4334863916:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/AppleInternal/Library/BuildRoots/a0876c02-1788-11ed-b9c4-96898e02b808/Library/Caches/com.apple.xbs/Sources/libressl/libressl-2.8/crypto/evp/evp_enc.c:521:
  adding: private/var/log/install.log (deflated 97%)
  adding: private/var/log/jamf.log (deflated 90%)
  adding: private/var/log/system.log (deflated 93%)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   422  100   422    0     0   1047      0 --:--:-- --:--:-- --:--:--  1060

mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
 at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 31 1438k    0     0   31  448k      0   389k  0:00:03  0:00:01  0:00:02  390k
 87 1438k    0     0   87 1264k      0   607k  0:00:02  0:00:02 --:--:--  608k
100 1438k  100   422  100 1438k    179   612k  0:00:02  0:00:02 --:--:--  613k
<html>
<head>
	<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

What is going on here? I'm testing this on a Monterey machine.

Thanks!

Hello,
Using system_profiler for serial number was causing timeouts and the script was delaying a long time without running successfully.
I think this might be because of Filevault. So not sure if you want to investigate swapping out the variable all together, or maybe use a check to see if filevault is enabled, then declare the variable a different way.
I changed this to mySerial=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F" '/IOPlatformSerialNumber/{print $(NF-1)}')

The script isn't working still, however the serial number is at least getting populated now.

The script appears to have stopped working when attempting to pull logs from remote Ventura machines, where it still works to pull from Monterey machines. Any chance the script could be re-visited for macOS 13 support?

Hi

Could you please help me with the least Jamf user account permission to be implemented.

Thanks !!!

Script works without encryption

bad decrypt
4636073644:error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt:/System/Volumes/Data/SWE/macOS/BuildRoots/e90674e518/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/crypto/evp/evp_enc.c:521:

Looks like the computer ID in Jamf is not getting populated properly and therefore unable to upload the files to the computer record with Monterey. Possibly xpath related.

With the jamf API changes, this stopped working with basic auth methods. Along with jamf support, I made some tweaks and came up with an updated script that works with the new updated bearer changes required for this to work correctly.

https://github.com/altonbrailovskiy/logCollection/blob/master/BearerAuth.sh

BearerAuth.txt

The xpath in the EA code (https://github.com/kc9wwh/logCollection/blob/master/EA-NumAttachments.sh) is wrong/out of date...

line 11
jamfProID=$( curl -k -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general | xpath "//computer/general/id/text()" )

line 14
numAttachments=$( curl -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/id/$jamfProID -X GET | xmllint -format - | xpath '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )

Taking a cue from the mail logCollection.sh code, it needs to filter for macOS 12 or later to set the right xpath... something like...

starting line 10...

osMajor=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}')
osMinor=$(/usr/bin/sw_vers -productVersion | awk -F . '{print $2}')

## Determine Jamf Pro Device ID
if [[ "$osMajor" -ge 11 ]]; then
jamfProID=$( curl -k -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general | xpath -e "//computer/general/id/text()" )
elif [[ "$osMajor" -eq 10 && "$osMinor" -gt 12 ]]; then
jamfProID=$( curl -k -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/serialnumber/$mySerial/subset/general | xpath  "//computer/general/id/text()" )
fi

## API Lookup for how many attachments are attached to this device record
if [[ "$osMajor" -ge 11 ]]; then
numAttachments=$( curl -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/id/$jamfProID -X GET | xmllint -format - | xpath -e '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )
elif [[ "$osMajor" -eq 10 && "$osMinor" -gt 12 ]]; then
numAttachments=$( curl -u $jamfProUser:$jamfProPass $jamfProURL/JSSResource/computers/id/$jamfProID -X GET | xmllint -format - | xpath '/computer/purchasing/attachments' | grep "<id>" | wc -l | xargs )
fi
## Echo results for EA
echo "<result>$numAttachments</result>"

Can logCollection be used with the new Jamf API Roles feature and if so could the documentation be updated to explain how to use this feature with your awesome tool! Thank you.

Hello. Do you have an example on how to use base64 for encoding the password? I saw the items listed here, but was unsure how to exactly use it. Wasn't sure if I just inputed the encoded password into the EA script or if I needed to add some additional lines of code.
https://github.com/kc9wwh/logCollection/wiki/FAQ's#base64-encodedecode

Thanks,
Ryan

This is my log path
/Library/Logs/MSP\ Anywhere\ Agent\ N-central/MSP_Anywhere_Agent_N-central_2022_06_01.log

Also since the logs have dates I would need a wildcard.
How should I do this for the log path in the script?

Hi team

thanks for your great work creating this script

I got the log file that need to upload to Jamf Pro

/private/var/UserToRemove/user.logarchive

However through your script it looks like the whole folder user.logarchive have been uploaded rather the actual file

The zip file attached to the computer in Jamf Pro but when open it, it is like a user.logarchive folder rather the actual file

Hope it make sense

Below I can see the zip file uploaded

But when open it, it is like a folder rather actual file

Hi,

I used the encrypted version of the log collection script and did not get any logs sent to the attachments section of the device in Jamf. I added the logging command provided to find out what the issue was and this is what was displayed via that devices policy logs:

Script result:   adding: private/var/log/jamf.log (deflated 91%)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   422  100   422    0     0    413      0  0:00:01  0:00:01 --:--:--   413
100   422  100   422    0     0    412      0  0:00:01  0:00:01 --:--:--   412

mismatched tag at line 10, column 2, byte 404:
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
=^
</body>
</html>
 at /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level/XML/Parser.pm line 187.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 30630    0     0  100 30630      0  85798 --:--:-- --:--:-- --:--:-- 85558
100 31052  100   422  100 30630    849  61629 --:--:-- --:--:-- --:--:-- 62353
<html>
<head>
	<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

Am I missing something?

I am pulling a ,logarchive but everytime I upload it then view it, it's blank. Confirmed it has thousands of lines when viewing it on the local machine

Hi,

My company wish to get the latest logs remotely from all pc but I read the Warning in WiKi. It seems that it's not recommended to do so. What if instead of setting the trigger at recurring check-in, set it to Login. Would it be ok?

WARNING: Do not set this policy as ongoing at recurring check-in or scope to all devices unless you have this configured as a Self Service policy. Doing so will make your Jamf Pro environment come down crying.

After trying multiple log files in different locations I cannot get the script to produce a file in jamf attachments
MacOS Version 13.3
Macbook Pro M1

--Jamf Log--

Script result: adding: Library/Management/super/super.log (deflated 89%)
adding: Library/Management/super/installer.log (deflated 82%)
adding: Library/Management/super/mdmWorkflow.log (deflated 91%)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 684 100 684 0 0 720 0 --:--:-- --:--:-- --:--:-- 734
100 684 100 684 0 0 719 0 --:--:-- --:--:-- --:--:-- 733

syntax error at line 1, column 0, byte 0:
<!doctype html><title>HTTP Status 404 � Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>

HTTP Status 404 � Not Found

Type Status Report

Message Not Found

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 17032 100 684 100 16348 829 19823 --:--:-- --:--:-- --:--:-- 21001
100 17032 100 684 100 16348 828 19792 --:--:-- --:--:-- --:--:-- 20975
<!doctype html><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style>

HTTP Status 404 – Not Found

Type Status Report

Message Not Found

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

Hi,

I used the encrypted version of the log collection script and did not get any logs sent to the attachments section of the device in Jamf. I added the logging command provided to find out what the issue was and this is what was displayed via that devices policy logs:

Script result: error reading input file

zip error: Nothing to do! (/private/tmp/...zip)
curl: (3) URL using bad/illegal format or missing URL

no element found at line 1, column 0, byte 0:

I removed the machine name and replaced with ellipses in the above log.
Am I missing something?

I am getting the error "Script result: error reading input file

zip error: Nothing to do! (/private/tmp/GLXC02CF04LMD6R-will.daniel-2020-07-29-11-33-01.zip)
curl: (3) URL using bad/illegal format or missing URL

no element found at line 1, column 0, byte 0:"

The URL is set correctly though.