Gather logs with a Munki NoPkg


Troubleshooting with remote users can often be a challenge.

This is especially true when you need to see logs stored in hidden folders that users can’t easily find.

To make this process easier for both IT and our staff we added a Self-Service item to Managed Software Center to easily gather everything we need.

Read on for the details…

The Script

The script is an iteration of the one I previously shared in AWS VPN diagnostics with a Munki NoPkg.

It simply compiles common log files into a single folder, compress them into an archive and moves it onto the user’s desktop. This way they can easily share it with support.

Currently it gathers the following log folders:

  • /Library/Managed Installs/Logs/ (Munki)
  • /private/var/log/
  • /private/var/logs/
  • /Library/Logs/
  • /Users/”$currentUser”/Library/Logs/
  • /Users/”$currentUser”/.config/AWSVPNClient/logs/ (If it exists.)

Expand the source below to read it. Alternatively the script is also available on GitHub if you’d prefer to read it there.


## Gather Logs
## Version 1.1, June 16, 2023
## By Kevin M. Cox

## This script gathers macOS and application logs then creates a tarball so users can attach the results to IT tickets for evaluation.

# Get the current date and time
dateShort=$(/bin/date '+%F_%H.%M')

# Define the output folder

# Get the username of the current user
currentUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ { print $3 }')"

# Make the output folder to gather the results
/bin/mkdir "$outputFolder"

# Munki logs
/bin/mkdir "$outputFolder"/Managed-Software-Center/
/bin/cp -pr /Library/Managed\ Installs/Logs/ "$outputFolder"/Managed-Software-Center/

# System logs
/bin/mkdir "$outputFolder"/private-var-log/
/bin/mkdir "$outputFolder"/private-var-logs/
/bin/cp -pr /private/var/log/ "$outputFolder"/private-var-log/
/bin/cp -pr /private/var/logs/ "$outputFolder"/private-var-logs/

# Library logs
/bin/mkdir "$outputFolder"/Library-Logs/
/bin/cp -pr /Library/Logs/ "$outputFolder"/Library-Logs/

# User logs
/bin/mkdir "$outputFolder"/User-Library-Logs/
/bin/cp -pr /Users/"$currentUser"/Library/Logs/ "$outputFolder"/User-Library-Logs/

# CrowdStrike Falcon stats
if	[ -x $falconctl ]; then
	/bin/mkdir "$outputFolder"/CrowdStrike-Falcon/
	$falconctl stats > "$outputFolder"/CrowdStrike-Falcon/stats.log

# AWS VPN logs
if	[ -d /Users/"$currentUser"/.config/AWSVPNClient/logs/ ]; then
	/bin/mkdir "$outputFolder"/AWS-VPN/
	/bin/cp -pr /Users/"$currentUser"/.config/AWSVPNClient/logs/ "$outputFolder"/AWS-VPN/

# Create a compressed tar archive of the files
cd /Users/Shared/ || (echo "Changing directories failed, unable to tar logs" && exit 1)
/usr/bin/tar -czf macOS_Logs_"$dateShort".tgz "macOS_Logs_$dateShort"

# Change the ownership on the archive
/usr/sbin/chown "$currentUser":wheel macOS_Logs_"$dateShort".tgz

# Move it to the desktop
/bin/mv macOS_Logs_"$dateShort".tgz /Users/"$currentUser"/Desktop/macOS_Logs_"$dateShort".tgz

# Delete the output folder
/bin/rm -rf "$outputFolder"

The NoPkg

The NoPkg is an OnDemand type that only runs right after the user “Installs” it. It should be set as an optional_install in Munki manifests.

I have an example NoPkg available on GitHub which is ready to use and can be dropped right into your Munki repo with no changes.

Let me know if there are any folders you think I’m missing that would be helpful to include.

Leave a Reply

Your email address will not be published. Required fields are marked *