Successful Login to OSX

The following Splunk query (with regex) returns the users who have successfully authenticated to an OSX machine:

*NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed!
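The same extraction as an added example in Python (not the author's Splunk query), run over constructed log lines and counting successful logins per host and user. Only the literal `authinternal\sauthenticated\suser\s` comes from this page; the field names `host` and `user`, the syslog layout and the sample lines are assumptions. The `compiles` helper shows that a capture group written as `(?\S+)`, with no name, is rejected by the regex engine.

```python
import re
from collections import Counter

# Constructed sample lines. The syslog layout is an assumption; only the
# "authinternal authenticated user" literal is taken from the page.
SAMPLE_LOG = """\
Mar  3 09:14:02 mac-01 com.apple.SecurityServer[23]: authinternal authenticated user alice (uid 501)
Mar  3 09:15:40 mac-01 com.apple.SecurityServer[23]: authinternal failed to authenticate user mallory
Mar  3 10:02:11 mac-02 com.apple.SecurityServer[19]: authinternal authenticated user bob (uid 502)
Mar  3 11:47:55 mac-01 com.apple.SecurityServer[23]: authinternal authenticated user alice (uid 501)
"""

# A capture group needs a name to become a field. "host" and "user" are
# hypothetical names chosen for this example.
LOGIN_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\s.*?"
    r"authinternal\sauthenticated\suser\s(?P<user>\S+)"
)


def successful_logins(log_text):
    """Return a Counter of (host, user) pairs for successful authentications."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:  # failed attempts do not contain the literal and are skipped
            hits[(m.group("host"), m.group("user"))] += 1
    return hits


def compiles(pattern):
    """Report whether a pattern is syntactically valid for Python's re."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    for (host, user), n in sorted(successful_logins(SAMPLE_LOG).items()):
        print(f"{host}\t{user}\t{n}")
```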



  1. Bauttt

    Error in ‘rex’ command: Encountered the following error while compiling the regex ‘authinternal\sauthenticated\suser\s(?\S+)’: Regex: unrecognized character after (? or (?-
