Get Started


Installation

There are two options for installing ESEV:

  1. Direct Download
  2. App Store (coming soon)

If you install from the App Store, you can open ESEV as soon as it is installed.

If you use the direct download there are a few more steps, but not many.

  1. If your Downloads folder contains ESEV.app, go to the next step. If it instead contains ESEV.zip, select or double-click the file and it will unpack to ESEV.app.
  2. Move ESEV.app from the Downloads folder into the /Applications folder.
  3. Double-click ESEV.app to run it.

[Screenshot: ESEV start]


Event Collection

ESEV analyzes events captured by eslogger, which comes pre-installed on macOS Ventura systems.

Coming soon - sample event file downloads

Existing events file

Running eslogger:

  1. Open Terminal.app
  2. (optional) cd Desktop
  3. (optional) Run `eslogger --list-events` to show the list of event types that can be captured
  4. Run eslogger: `sudo eslogger fork exec exit > eslogger.processes.json`
    • “fork exec exit” is just an example set of events to capture. You can select as many or as few of the event types listed by `eslogger --list-events` as you like.
    • This step may give a permissions error about “TCC Full Disk Access”; see below for the resolution.
  5. Do activities (e.g. execute programs, surf the web, …)
  6. When you’ve captured all the events you want, press CTRL + C to stop the capture
    • If desired, you can capture while analyzing by leaving eslogger running and using ESEV’s “Tail” instead of “Open”.
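As an added example (not part of ESEV or eslogger), the Python below reads a capture such as eslogger.processes.json the way ESEV does: it parses the newline-delimited JSON, counts events per type as the left-column counters do, and stitches fork/exec/exit into one record per process. The JSON field names and the sample lines are assumptions modelled on the EndpointSecurity message layout, and the deliberately truncated last line stands in for a file that eslogger is still writing (the “Tail” case).

```python
import json
from collections import Counter

# Constructed sample of eslogger's newline-delimited JSON output (one event per line).
# Field names follow the EndpointSecurity message layout as an assumption; the ESEV page
# does not document them. The last line is truncated on purpose (file still being written).
SAMPLE = """\
{"process": {"audit_token": {"pid": 501}, "executable": {"path": "/bin/zsh"}}, "event": {"fork": {"child": {"audit_token": {"pid": 777}}}}}
{"process": {"audit_token": {"pid": 777}, "executable": {"path": "/bin/zsh"}}, "event": {"exec": {"target": {"audit_token": {"pid": 777}, "executable": {"path": "/bin/ls"}}, "args": ["ls", "-la"]}}}
{"process": {"audit_token": {"pid": 777}, "executable": {"path": "/bin/ls"}}, "event": {"exit": {"stat": 0}}}
{"process": {"audit_token": {"pid": 501}, "executable": {"path": "/bin/zsh"}}, "event": {"fo
"""

def parse_events(text):
    """Return one dict per complete JSON line; skip blank and partial lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial trailing line; it will be complete on the next read
    return events

def event_name(ev):
    """eslogger nests the payload under a single key naming the event (fork/exec/exit...)."""
    return next(iter(ev["event"]))

def count_event_types(events):
    """Per-type counts, like the counters in ESEV's left column."""
    return Counter(event_name(ev) for ev in events)

NEW = {"ppid": None, "exec": None, "args": [], "exit": None}

def process_lineage(events):
    """Stitch fork/exec/exit into one record per pid: parent, image executed, args, exit status."""
    procs = {}
    for ev in events:
        name, pid = event_name(ev), ev["process"]["audit_token"]["pid"]
        if name == "fork":
            child = ev["event"]["fork"]["child"]["audit_token"]["pid"]
            procs[child] = {**NEW, "ppid": pid}
        elif name == "exec":
            exec_ev = ev["event"]["exec"]
            rec = procs.setdefault(pid, dict(NEW))
            rec["exec"] = exec_ev["target"]["executable"]["path"]
            rec["args"] = exec_ev["args"]
        elif name == "exit":
            procs.setdefault(pid, dict(NEW))["exit"] = ev["event"]["exit"]["stat"]
    return procs
```

Replace SAMPLE with the contents of your own eslogger file to run it against a real capture.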

[Screenshot: eslogger running successfully]


Open events in ESEV

Open the events file using the File -> Open menu or ⌘ + O. Then navigate to where you created the eslogger file or downloaded it from elsewhere. In the above example it’d be at ~/Desktop/eslogger.processes.json. Opening with ⌘ + T (tail) instead of ⌘ + O will pull events from the file while eslogger is still writing them.

Now watch the events roll in. If your sample capture has lots of events the left column event types have counters that help you track progress.

[Screenshot: events loading]

It’s fully loaded when the spinner stops and the programs section populates in the top right. If opened with ⌘ + T (tail) the spinner will continue until you stop it using File -> Stop, but events will display in the UI as they’re read from the file continuously.

[Screenshot: loading spinner]

For details on the supported methods to slice and dice events, please see ESEV Release.




eslogger TCC Permission Error

[Screenshot: eslogger permission error]

eslogger requires its "parent process", in this example `Terminal.app`, to have "Full Disk Access" permission.

To fix this, open System Settings -> Privacy & Security and select Full Disk Access:

[Screenshot: Full Disk Access settings]

Then enable the permissions for Terminal.app by toggling the slider to blue:

[Screenshot: Terminal.app Full Disk Access toggle]

Note this will require a restart of the Terminal.app to take effect.

[Screenshot: restart warning]