estrace(1) General Commands Manual estrace(1)

estracelog Endpoint Security events for a specific executable

estrace [--event-types [...]] [--oslog] [-o/--output file] [--format format] [--oslog-subsystem subsystem] [--oslog-category category] command args

estrace --list-events

estrace interfaces with Endpoint Security to log events to standard error or to the unified logging system.

Unlike eslogger, estrace can be run as non-superuser.

stderr of the underlying program is ignored by default. Use -o/--output to allow stderr output if needed.

estrace is not intended to be used by applications. It is not meant provide the same functionality, performance and schema stability as natively interfacing with the Endpoint Security API does. It cannot provide the integrity protection granted to System Extensions. Applications should continue to interface with EndpointSecurity(7) natively.

: estrace is NOT API in any sense. Do NOT rely on the structure or information emitted for reason. It may change from release to release without warning.

--event-types events
Event types to watch. Listens for all events by default. Run estrace --list-events to see all available events.
--format format
Log format to use. Default, and the only format currently supported, is json. See FORMATS below.
-o/--output file
Output file to output logs to. Without this option, stderr of the underlying program is suppressed. Pass --output - in order to output to stdout.
--list-events
List supported events on standard output and exit.
--oslog
Emit event data to the unified logging system instead of to standard output. See log(1) on configuring and using the unified logging system. The default subsystem and category are configured for oversize messages, resulting in a message size limit of 32k. Larger messages will be truncated.
--oslog-subsystem subsystem
Log subsystem to use with --oslog. Default is com.apple.eslogger. Changing the subsystem will make the default log profile ineffective, resulting in a message size limit of 1k. Configuring subsystem for oversize messages is recommended when using --oslog-subsystem.
--oslog-category category
Log category to use with --oslog. Default is events. Changing the subsystem will make the default log profile ineffective, resulting in a message size limit of 1k. Configuring category for oversize messages is recommended when using --oslog-category. estrace uses the main category for operational logging, such as fatal errors.

Events are specified by their short name, such as exec or exit. Use --list-events to list the currently supported events by their short name. estrace supports all notify events that EndpointSecurity supports. By design, estrace does not support any auth events.

Some fields available in native Endpoint Security API clients are not available in estrace. Currently, the only such field is es_token_t state part of es_thread_state_t, which is used only in remote_thread_create events.

The only supported format for event data is json, which is either JSON Lines, when writing to standard error, or JSON, when writing to the unified logging system. While no formal schema is provided, the data is modelled after es_message_t as provided by EndpointSecurity(7). Semantics, field names and optionality corresponds to the C counterparts as documented in the libEndpointSecurity(3) header documentation in the SDK. A schema_version is provided with every event. No schema stability guarantees are being made across schema_version changes. New events may be added without bumping schema_version. schema_version is specific to the JSON representation of events. schema_version is distinct from the version field, which denotes the message version as emitted by EndpointSecurity(7).

Subscribe to process lifecycle events.

% estrace --event-types exec,fork,exit /bin/ls

Subscribe to screensharing events and write event data to the unified logging system with the default subsystem and category:

% estrace --oslog --event-types screensharing_attach,screensharing_detach /bin/ls

List available events:

% estrace --list-events

Postprocess the output in a shell pipeline with jq:

% estrace -e exec /bin/ls 2>&1 >/dev/null | jq -r 'select(.process.executable.path == "/bin/zsh")|"\(.process.audit_token.pid): \(.process.executable.path) -> \(.event.exec.target.executable.path)"'

eslogger(1), log(1), mdmclient(1), libEndpointSecurity(3), EndpointSecurity(7).

4 May, 2026 Darwin