Carbon Black Cloud: How To Check Hostname History for the Last Seven Days (macOS)

Article ID: 291979

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

This article explains how to search the system/kernel logs for hostname changes on a macOS device/endpoint.

Environment

  • Carbon Black Cloud Sensor: All Versions
  • Apple macOS: All Supported Versions

Resolution

  1. Connect to the desired computer
  2. Launch the Terminal
  3. Run the following command to see any changes in the past week
    log show --style syslog --info --last <TimePeriod m|h|d> | grep 'setting hostname'
  4. Review the output for any changes
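
One way to carry out step 4, as an added example that is not part of the original article or of any Carbon Black tooling: a shell function that reduces the matching lines to one entry per actual hostname transition. The function names, the constructed sample lines, and the assumed message layout (a date field, a time field, then `setting hostname to "<name>"`) are assumptions.

```shell
#!/bin/sh
# Added example: summarise hostname changes from `log show --style syslog` output.
# Assumed line layout (not confirmed by the article):
#   <date> <time+zone>  <host> <process>[pid]: setting hostname to "<name>"

hostname_changes() {
    # Reads log text on stdin; prints "<date> <time> <old> -> <new>" once per
    # transition. Repeated sets to the same name are collapsed.
    awk '
    /setting hostname/ {
        name = $0
        if (!sub(/.*setting hostname to[ \t]*/, "", name)) {
            print "UNPARSED: " $0      # keep lines that do not fit the assumed layout
            next
        }
        gsub(/"/, "", name)            # strip quotes around the name
        sub(/[ \t\r]+$/, "", name)     # strip trailing whitespace
        if (name == prev) next
        printf "%s %s %s -> %s\n", $1, $2, (prev == "" ? "(first seen)" : prev), name
        prev = name
    }'
}

sample_log() {
    # Constructed sample lines, not captured from a real endpoint.
    cat <<'EOF'
2024-05-01 09:12:44.101234-0700  localhost configd[112]: setting hostname to "MBP-Finance-01.local"
2024-05-01 09:12:45.000111-0700  localhost configd[112]: network changed: DNS+ Proxy+
2024-05-03 18:40:02.551200-0700  localhost configd[112]: setting hostname to "MBP-Finance-01.local"
2024-05-04 08:01:19.771003-0700  localhost configd[112]: setting hostname to "dhcp-10-0-4-77.example.test"
2024-05-04 17:22:51.300456-0700  localhost configd[112]: setting hostname to "MBP-Finance-01.local"
EOF
}

# Demo on the constructed sample. On an endpoint, pipe the article's command instead:
#   log show --style syslog --info --last 7d | hostname_changes
sample_log | hostname_changes
```

A name that alternates between a managed value and a network-assigned one, as in the sample, is the pattern to compare against DHCP or MDM records.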

Additional Information

  • Device name retrieval on macOS is currently done using 'sysctl kern.hostname'
  • The above command shows events that occurred within the given time relative to the end of the log archive
  • Time may be specified as minutes, hours, or days
  • Time is assumed to be in seconds unless a unit is specified
  • The parameter <TimePeriod> should be entered as follows for the desired time-frames
    --last <TimePeriod m|h|d>
    
    Last 30 days
    --last 30d
    
    Last 7 days
    --last 7d
    
    Last 24 hours
    --last 24h
    
    Last 60 minutes
    --last 60m
  • The Cb Defense sensor does not control or manage a device's hostname; it only observes and reports on such changes
  • The sensor reacts to a change by reporting the most recent device name, which exposes the issue when an Administrator reviews Events in the Cb Defense Web Console
  • If you see the wrong hostname displayed for events on one device, run the command above to check for changes, then verify the result within DHCP, JAMF, or similar tools used in your environment to manage hostnames