macOS unified logging system

[mikermcneil]

Goal

As a user of Fleet and osquery, I want to access data from the macOS unified logging system, so that I can troubleshoot errors due to Apple bugs.

For example:

If a software update fails due to this issue, the mdmclient process logs the following error: BootPolicy: bootpolicy_mdm_update_dep_mode: exit: OIK/OIC mismatch

https://support.apple.com/HT212745

How?

• [ ] Which table(s) in https://osquery.io/schema/5.0.1/ can I use to do this?
• [ ] See existing osquery extension which adds a table for this: https://github.com/macadmins/osquery-extension/blob/af4a5475f0fa9172fcfb86affb0a1bd853498fa7/tables/unifiedlog/unified_log.go
• [ ] Bundle natively as part of fleetctl package? Or help get it into osquery core.
  • See also https://osquery.slack.com/archives/C08VA8R6F/p1629080707015800?thread_ts=1622825216.033000&cid=C08VA8R6F (Courtesy @puffycid and @arubdesu)

[mikermcneil]

This was a request from a community member that I excitedly tagged incorrectly.