How to List Crashes Across All Macs

Using Kolide, you can easily view and query Mac Crashes across your fleet.

Introduction

Occasionally, bugs in first- or third-party software can cause macOS or applications running on it to crash. This usually leads to the application suddenly closing, and may result in corrupted data. When this happens, the operating system saves a record of the crash event, including metadata about what was happening at the time of the crash. These crash logs are useful in determining the causes of, and the eventual fixes for, bugs in various software.

What Mac Crash Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Mac Crashes from Macs in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Mac Crashes Schema

| Column | Type | Description |
| --- | --- | --- |
| id | Primary Key | Unique identifier for the object |
| device_id | Foreign Key | Device associated with the entry |
| device_name | Text | Display name of the device associated with the entry |
| crash_path | Text | Path to the crashed process |
| crashed_at | Timestamp | Date/Time at which the crash occurred |
| crashed_thread | Bigint | Thread ID which crashed |
| exception_codes | Text | Exception codes from the crash |
| exception_notes | Text | Exception notes from the crash |
| exception_type | Text | Exception type of the crash |
| identifier | Text | Identifier of the crashed process |
| parent | Bigint | Parent PID of the crashed process |
| path | Text | Path to the crashed process |
| pid | Bigint | Process (or thread) ID of the crashed process |
| registers | Text | The value of the system registers |
| responsible | Text | Process responsible for the crashed process |
| stack_trace | Text | Most recent frame from the stack trace |
| type | Text | Type of crash log |
| uid | Bigint | User ID of the crashed process |
| version | Text | Version info of the crashed process |
| collected_at | Timestamp | Time the row of data was first collected in the database |
| updated_at | Timestamp | Time the row of data was last changed in the database |

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find Macs with many crashes and identify the most frequent crashing process on each

Kolide SQL
WITH
-- Bucket each device's crashes into weekly windows over the last 28 days
crashes_agg AS (
  SELECT
    device_name,
    device_id,
    COUNT(*) FILTER (
      WHERE crashed_at > (NOW() - interval '28 days')) AS crashes_last_four_weeks,
    COUNT(*) FILTER (
      WHERE crashed_at > (NOW() - interval '7 days')) AS crashes_0_7,
    COUNT(*) FILTER (
      WHERE crashed_at < (NOW() - interval '7 days')
        AND crashed_at > (NOW() - interval '14 days')) AS crashes_7_14,
    COUNT(*) FILTER (
      WHERE crashed_at < (NOW() - interval '14 days')
        AND crashed_at > (NOW() - interval '21 days')) AS crashes_14_21,
    COUNT(*) FILTER (
      WHERE crashed_at < (NOW() - interval '21 days')
        AND crashed_at > (NOW() - interval '28 days')) AS crashes_21_28
  FROM mac_crashes
  GROUP BY device_id, device_name
),
-- Identify the apps contributing most crashes in the past 4 weeks
problem_apps AS (
  SELECT
    device_id,
    COUNT(*) AS crash_freq,
    identifier
  FROM mac_crashes
  WHERE crashed_at > (NOW() - interval '28 days')
  GROUP BY identifier, device_id
),
-- Reduce the problem apps to the worst offender of the last 28 days.
-- DISTINCT ON keeps the single highest-crash_freq row per device, so the
-- identifier and its count come from the same row (a plain MAX(identifier)
-- next to MAX(crash_freq) would pick the alphabetically last app instead).
problem_apps_agg AS (
  SELECT DISTINCT ON (device_id)
    device_id,
    crash_freq AS most_frequent_crashes_app_count,
    identifier AS most_frequent_crashes_app
  FROM problem_apps
  ORDER BY device_id, crash_freq DESC, identifier
)
-- Merge data together
SELECT ca.*,
  most_frequent_crashes_app_count,
  most_frequent_crashes_app
FROM crashes_agg ca
JOIN problem_apps_agg USING (device_id)
WHERE crashes_last_four_weeks > 10
ORDER BY crashes_last_four_weeks DESC
Example Results

| device_name | crashes_0_7 | crashes_7_14 | crashes_14_21 | crashes_21_28 | crashes_last_four_weeks | most_frequent_crashes_app | most_frequent_crashes_app_count |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Ashleys-MacBook-Pro | 27 | 60 | 76 | 44 | 207 | ExternalQuickLookSatellite-x86_64 | 182 |
| Daves-iMac | 64 | 75 | 38 | 0 | 177 | Fortnite | 168 |
| kangaroo | 23 | 34 | 26 | 33 | 116 | ZscalerTunnel | 91 |
| conference-room-zoom | 16 | 24 | 33 | 7 | 80 | CVMServer | 80 |
| bamboo | 21 | 18 | 21 | 18 | 78 | ZscalerTunnel | 74 |

Why Should I Collect Mac Crashes?

Collecting information about crashes on a device is an important troubleshooting tool for IT administrators who are attempting to diagnose system stability issues. The presence or abundance of crash logs may indicate:

  • Failing hardware which requires service/replacement
  • Corrupt or faulty software which necessitates uninstallation
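The query above ranks individual Macs; the following added example (not from the Kolide docs) turns the same schema around and ranks crashing software fleet-wide, grouped by identifier, version and exception_type, so a bug shipped in one release (many devices affected) can be told apart from one failing machine (one device, many different processes). It assumes the same PostgreSQL-flavoured Kolide SQL dialect as the query above and only the mac_crashes columns documented in the schema.

```sql
-- Added example, not part of the Kolide page: which software is crashing
-- across the fleet, and on how many distinct Macs, in the last 28 days.
-- Assumes Kolide's PostgreSQL-style SQL (FILTER / interval / NOW() as above).
WITH recent AS (
  SELECT device_id, identifier, version, exception_type, crashed_at
  FROM mac_crashes
  WHERE crashed_at > (NOW() - interval '28 days')
    AND identifier IS NOT NULL
)
SELECT
  identifier,
  version,
  exception_type,
  COUNT(*)                  AS crashes,
  COUNT(DISTINCT device_id) AS devices_affected,
  -- crashes per affected device: high values mean a repeatedly crashing app
  ROUND(COUNT(*)::numeric / COUNT(DISTINCT device_id), 1) AS crashes_per_device,
  MIN(crashed_at)           AS first_seen,
  MAX(crashed_at)           AS last_seen
FROM recent
GROUP BY identifier, version, exception_type
-- Require at least two devices: a process that only crashes on one Mac
-- points at that machine (hardware, local corruption), not at the software.
HAVING COUNT(DISTINCT device_id) >= 2
ORDER BY devices_affected DESC, crashes DESC
LIMIT 25;
```

Rows where first_seen clusters just after a version bump and devices_affected is high are the ones worth raising with the vendor; a device that appears in the per-Mac query above but whose processes never show up here is a candidate for a hardware check.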

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Crash logs record a 'trace' of the event which caused or preceded the crash. As a result, information about the software you use (the time of the crash and the associated process) may be collected in the event of a crash, for example if a third-party application (e.g. Epic Games' Fortnite) was the software that crashed.

When you use Kolide to list Mac Crash data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
