Jamf Log Stream
Learn about ingesting data from the Jamf Log Stream service
Overview
The Jamf Log Stream is a feature available only to customers of the Jamf Cloud Premium offering. The Jamf Log Stream makes data from the Change Management and Access logs available for consumption via Splunk, Amazon S3, Datadog or an HTTPS endpoint. Additional information regarding the configuration of your endpoint to receive these log files can be found here.
Log Details
To assist third parties with ingesting information provided by Jamf, this article provides sample data, as well as general formatting of data provided in these logs.
Access Log
The Access Log tracks login attempts to Jamf Pro, including the date, username, IP address and entry point. Below you can find a snippet pulled directly from the Access Log to demonstrate the format of the data.
[JSSACCESSLOG] 2021-09-09T08:44:00,679 - username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=Universal API
[JSSACCESSLOG] 2021-09-09T08:44:01,121 - username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS
[JSSACCESSLOG] 2021-09-09T11:56:01,012 - username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS (API)
[JSSACCESSLOG] 2021-09-28T13:51:35,768 - username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS
It is worth noting that an entryPoint
value of "Universal API" corresponds with the Jamf Pro API, a value of "JSS (API)" corresponds with the Classic API and "JSS" refers simply to the Jamf Pro web application user interface. Furthermore, the Jamf Pro user interface leverages the Jamf Pro API for many features, including login workflows, therefore it should be expected to find entries for both entryPoint
when authenticating to the user interface.
Notice
Beginning in Jamf Pro version 10.35.0, individual requests to the Classic API using bearer token authentication no longer log entries to the access log. Requests to obtain the bearer token continue to be logged and identified by the "Universal API" entry point, regardless of which API the token is subsequently used with.
Change Management Log
The Change Management log tracks Create, Read, Update and Delete operations made to the Jamf Pro environment. The data output to this log has a high degree of variability, based on the object type that's being interacted with. Below you can find a snippet that has been modified to demonstrate the standard data format of a log entry.
[CHANGEMANAGEMENT] Date [Log Level] [Thread] [file] - [username (ID: #)] [OPERATION] [Resource] [Date]
Below is a snippet pulled directly from the Change Management log which further demonstrates the data format using actual values. Many log entries include additional information related to the resource that was accessed, which is further demonstrated below.
[CHANGEMANAGEMENT] 2021-08-27T08:03:33,332 [INFO ] [Tomcat-3 ] [file ] - [Jamf Pro System (ID: -1)] [READ] [Device Communication Settings] [2021-08-27T08:03:33.332-0500]
Computers - when the built-in CA is renewed true
Computers - when the MDM profile expires .......... true
Computers - days before the MDM profile expires 180
Devices - when the built-in CA is renewed ......... true
Devices - when the MDM profile expires true
Devices - days before the MDM profile expires ..... 180
[CHANGEMANAGEMENT] 2021-09-09T08:48:43,115 [INFO ] [Tomcat-3 ] [file ] - [jssadmin (ID: 1)] [DELETE] [Computer] [2021-09-09T08:48:43.115-0500]
ID 113
Name ......... Lauras MacBook Pro
[CHANGEMANAGEMENT] 2021-09-28T14:23:31,983 [INFO ] [Tomcat-13 ] [file ] - [jssadmin (ID: 1)] [UPDATE] [User] [2021-09-28T14:23:31.983-0500]
UNKNOWN
[CHANGEMANAGEMENT] 2021-09-28T14:26:37,524 [INFO ] [Tomcat-25 ] [file ] - [jssadmin (ID: 1)] [READ] [Computer] [2021-09-28T14:26:37.524-0500]
ID 3
Name ......... Alishia's MacBook Air
Additional Information
- Changes initiated by Jamf Pro are identified by the "Jamf Pro System" user with an ID value of -1.
- Additional information about the resource may be included below each log entry.
- The format of additional information for a resource is unique to each resource type.
- The format and type of additional information associated with a specific resource type is subject to change without notice.
Sync Frequency
S3 Logs are synchronized every 15 minutes or when the log size reaches 10MB, whichever occurs first. Splunk, HTTPS and Datadog are synchronized every 2 minutes or when the log size reaches 10MB, whichever occurs first.
File Formats
Log files are sent to the specified endpoint in an uncompressed GZIP format.
Updated 14 days ago