How to List Crashes Across All Macs
Using Kolide, you can easily view and query Mac Crashes across your fleet.
Introduction
Occasionally, bugs in first- or third-party software cause macOS, or an application running on it, to crash. The application usually closes abruptly and unsaved or in-flight data may be corrupted. When this happens, the operating system writes a crash report containing metadata about the process and what it was doing at the moment it failed (the faulting thread, the exception type and codes, register values, and the top of the stack). These crash logs are the primary evidence for finding the cause of, and eventually the fix for, bugs in the affected software.
What Mac Crash Data Can Kolide Collect?
Kolide's endpoint agent bundles osquery to efficiently collect Mac crash reports from the Macs in your fleet. Once collected, Kolide parses, cleans up, and centrally stores this data in Inventory for your team to view, query, or export via the API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Mac Crashes Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
crash_path | Text | Location of the crash log file on disk (the `path` column holds the crashed process itself)
crashed_at | Timestamp | Date/time at which the crash occurred
crashed_thread | Bigint | Thread ID which crashed
exception_codes | Text | Exception codes from the crash
exception_notes | Text | Exception notes from the crash
exception_type | Text | Exception type of the crash
identifier | Text | Identifier of the crashed process
parent | Bigint | Parent PID of the crashed process
path | Text | Path to the crashed process
pid | Bigint | Process (or thread) ID of the crashed process
registers | Text | The value of the system registers
responsible | Text | Process responsible for the crashed process
stack_trace | Text | Most recent frame from the stack trace
type | Text | Type of crash log
uid | Bigint | User ID of the crashed process
version | Text | Version info of the crashed process
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects, so you can build your own reports and API endpoints. For example, the query below ranks devices by crash volume over the last four weeks, splits that volume into weekly buckets, and names the application that crashed most often on each device:

```sql
WITH
crashes_agg AS (
  SELECT
    device_name,
    device_id,
    COUNT(*) FILTER (
      WHERE crashed_at > (NOW() - interval '28 days')) AS crashes_last_four_weeks,
    COUNT(*) FILTER (
      WHERE crashed_at > (NOW() - interval '7 days')) AS crashes_0_7,
    -- Buckets use <= on the upper bound so a crash exactly on a boundary
    -- lands in precisely one bucket.
    COUNT(*) FILTER (
      WHERE crashed_at <= (NOW() - interval '7 days')
        AND crashed_at > (NOW() - interval '14 days')) AS crashes_7_14,
    COUNT(*) FILTER (
      WHERE crashed_at <= (NOW() - interval '14 days')
        AND crashed_at > (NOW() - interval '21 days')) AS crashes_14_21,
    COUNT(*) FILTER (
      WHERE crashed_at <= (NOW() - interval '21 days')
        AND crashed_at > (NOW() - interval '28 days')) AS crashes_21_28
  FROM mac_crashes
  GROUP BY device_id, device_name
),
-- Crash counts per application (identifier) per device over the past 4 weeks
problem_apps AS (
  SELECT
    device_id,
    identifier,
    COUNT(*) AS crash_freq
  FROM mac_crashes
  WHERE crashed_at > (NOW() - interval '28 days')
  GROUP BY identifier, device_id
),
-- Reduce to the single worst offender per device. DISTINCT ON keeps the first
-- row per device_id in ORDER BY order, i.e. the identifier with the highest
-- count. (Taking MAX(identifier) and MAX(crash_freq) as separate aggregates
-- would pair the alphabetically last app name with an unrelated count.)
problem_apps_agg AS (
  SELECT DISTINCT ON (device_id)
    device_id,
    identifier AS most_frequent_crashes_app,
    crash_freq AS most_frequent_crashes_app_count
  FROM problem_apps
  ORDER BY device_id, crash_freq DESC, identifier
)
-- Merge data together
SELECT
  ca.device_name,
  ca.crashes_0_7,
  ca.crashes_7_14,
  ca.crashes_14_21,
  ca.crashes_21_28,
  ca.crashes_last_four_weeks,
  pa.most_frequent_crashes_app,
  pa.most_frequent_crashes_app_count
FROM crashes_agg ca
JOIN problem_apps_agg pa USING (device_id)
WHERE ca.crashes_last_four_weeks > 10
ORDER BY ca.crashes_last_four_weeks DESC;
```
Example output:

device_name | crashes_0_7 | crashes_7_14 | crashes_14_21 | crashes_21_28 | crashes_last_four_weeks | most_frequent_crashes_app | most_frequent_crashes_app_count
---|---|---|---|---|---|---|---
Ashleys-MacBook-Pro | 27 | 60 | 76 | 44 | 207 | ExternalQuickLookSatellite-x86_64 | 182 |
Daves-iMac | 64 | 75 | 38 | 0 | 177 | Fortnite | 168 |
kangaroo | 23 | 34 | 26 | 33 | 116 | ZscalerTunnel | 91 |
conference-room-zoom | 16 | 24 | 33 | 7 | 80 | CVMServer | 80 |
bamboo | 21 | 18 | 21 | 18 | 78 | ZscalerTunnel | 74 |
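The query above is per device. The complementary question is fleet-wide: which application is suddenly crashing on many Macs, and does the spike line up with a particular version? That pattern usually points at a bad software release (or a broken update of a security agent such as a VPN client) rather than one failing machine. The following query is an added example, not code from the original page or from Kolide; it uses only the `mac_crashes` columns listed in the schema above and the same PostgreSQL syntax as the query above. The 14-day window, the "at least 3 devices" floor and the "2x week-over-week" threshold are assumptions you should tune to your fleet.

```sql
-- Added example (not from the original page or Kolide's own reports).
-- Fleet-wide crash regression finder over Kolide's mac_crashes table.
-- For each application identifier it compares crashes in the last 7 days
-- with the 7 days before, counts distinct affected devices, and surfaces the
-- (version, exception_type) pair that dominates this week's crashes.
-- Assumed thresholds: >= 3 affected devices and >= 2x week-over-week growth.
WITH recent AS (
  SELECT
    identifier,
    device_id,
    version,
    exception_type,
    crashed_at >= (NOW() - interval '7 days') AS this_week
  FROM mac_crashes
  WHERE crashed_at >= (NOW() - interval '14 days')
    AND identifier IS NOT NULL
),
-- Week-over-week counts per identifier, plus how widespread it is this week.
per_app AS (
  SELECT
    identifier,
    COUNT(*) FILTER (WHERE this_week)                  AS crashes_this_week,
    COUNT(*) FILTER (WHERE NOT this_week)              AS crashes_last_week,
    COUNT(DISTINCT device_id) FILTER (WHERE this_week) AS devices_this_week
  FROM recent
  GROUP BY identifier
),
-- The single most common (version, exception_type) signature among this
-- week's crashes for each identifier. DISTINCT ON keeps the first row per
-- identifier in ORDER BY order, so the highest count wins.
top_signature AS (
  SELECT DISTINCT ON (identifier)
    identifier,
    version,
    exception_type,
    COUNT(*) AS signature_count
  FROM recent
  WHERE this_week
  GROUP BY identifier, version, exception_type
  ORDER BY identifier, COUNT(*) DESC, version, exception_type
)
SELECT
  pa.identifier,
  pa.devices_this_week,
  pa.crashes_this_week,
  pa.crashes_last_week,
  ts.version         AS top_version,
  ts.exception_type  AS top_exception_type,
  ts.signature_count AS top_signature_crashes
FROM per_app pa
JOIN top_signature ts USING (identifier)
WHERE pa.devices_this_week >= 3
  -- GREATEST(..., 1) avoids dividing a brand-new crasher by zero and still
  -- reports an app that went from 0 crashes to 2 or more.
  AND pa.crashes_this_week >= 2 * GREATEST(pa.crashes_last_week, 1)
ORDER BY pa.devices_this_week DESC, pa.crashes_this_week DESC;
```

Two things are worth reading off the result. A `top_version` that matches a release you rolled out this week is the fastest confirmation that the update, not the hardware, is the cause. And the `top_exception_type` separates crash classes: macOS labels memory-safety faults (for example `EXC_BAD_ACCESS`) differently from deliberate aborts such as `EXC_CRASH` from an assertion, so a cluster of memory-access faults in a network-facing or privileged process is the row to pull the full crash report for, since the single frame in `stack_trace` is rarely enough on its own.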
Why Should I Collect Mac Crashes?
Collecting information about crashes on a device is an important troubleshooting tool for IT administrators diagnosing system stability issues. The presence, and especially the abundance, of crash logs may indicate:
- Failing hardware which requires service or replacement
- Corrupt or faulty software which should be uninstalled or rolled back to a known-good version
- Security tooling that is not doing its job: a VPN or zero-trust client, endpoint agent, or other protective software that crashes repeatedly (the ZscalerTunnel rows in the example above are this kind of signal) is leaving the device without the protection you assume it has
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
Crash logs record a 'trace' of the event that caused or preceded the crash. As a result, information about the software you use (the process name, path and version, and when it crashed) may be collected whenever that software crashes, including when it is a third-party application (e.g. Epic Games' Fortnite) rather than something your organization installed.
When you use Kolide to list Mac Crash data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.