| estrace(1) | General Commands Manual | estrace(1) |
estrace — log
Endpoint Security events for a specific executable
estrace |
[--event-types [...]] [--oslog] [-o/--output file] [--format format] [--oslog-subsystem subsystem] [--oslog-category category] command args |
estrace |
--list-events |
estrace interfaces with Endpoint
Security to log events to standard error or to the unified logging
system.
Unlike eslogger, estrace can be run
as non-superuser.
stderr of the underlying program is ignored by default. Use -o/--output to allow stderr output if needed.
estrace is not intended to be used by
applications. It is not meant provide the same functionality, performance
and schema stability as natively interfacing with the Endpoint
Security API does. It cannot provide the integrity protection granted to
System Extensions. Applications should continue to interface with
EndpointSecurity(7) natively.
IMPORTANT:
estrace is NOT API in any sense.
Do NOT rely on the structure or information emitted for
ANY reason.
It may change from release to release without warning.
estrace --list-events to see all available
events.estrace uses the main category for
operational logging, such as fatal errors.Events are specified by their short name, such as exec or
exit. Use --list-events to list the currently supported events
by their short name. estrace supports all notify
events that EndpointSecurity supports. By design,
estrace does not support any auth events.
Some fields available in native Endpoint Security API
clients are not available in estrace. Currently, the
only such field is es_token_t state part of es_thread_state_t,
which is used only in remote_thread_create events.
The only supported format for event data is json, which is either JSON Lines, when writing to standard error, or JSON, when writing to the unified logging system. While no formal schema is provided, the data is modelled after es_message_t as provided by EndpointSecurity(7). Semantics, field names and optionality corresponds to the C counterparts as documented in the libEndpointSecurity(3) header documentation in the SDK. A schema_version is provided with every event. No schema stability guarantees are being made across schema_version changes. New events may be added without bumping schema_version. schema_version is specific to the JSON representation of events. schema_version is distinct from the version field, which denotes the message version as emitted by EndpointSecurity(7).
Subscribe to process lifecycle events.
% estrace --event-types
exec,fork,exit /bin/lsSubscribe to screensharing events and write event data to the unified logging system with the default subsystem and category:
% estrace --oslog --event-types
screensharing_attach,screensharing_detach /bin/lsList available events:
% estrace --list-eventsPostprocess the output in a shell pipeline with jq:
% estrace -e exec /bin/ls 2>&1
>/dev/null | jq -r 'select(.process.executable.path ==
"/bin/zsh")|"\(.process.audit_token.pid):
\(.process.executable.path) ->
\(.event.exec.target.executable.path)"'eslogger(1), log(1), mdmclient(1), libEndpointSecurity(3), EndpointSecurity(7).
| 4 May, 2026 | Darwin |