{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 14:43:34 2022 UTC","unixTime":1646405014,"epoch":0,"counter":105,"numerics":false,"columns":{"cdhash":"dfb3bcaaeab0ad9b988769eceb3d18c786b89080","child_pid":"","cmdline":"openssl ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/openssl OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"4550","original_parent":"969","parent":"969","path":"/usr/bin/openssl","pid":"1692","platform_binary":"1","seq_num":"2053","signing_id":"com.apple.openssl","team_id":"","time":"1646404719","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 14:43:34 2022 UTC","unixTime":1646405014,"epoch":0,"counter":105,"numerics":false,"columns":{"cdhash":"473f9692254b7131ac103b49e7df198662dde642","child_pid":"","cmdline":"curl ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/curl OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"4547","original_parent":"969","parent":"969","path":"/usr/bin/curl","pid":"1691","platform_binary":"1","seq_num":"2052","signing_id":"com.apple.curl","team_id":"","time":"1646404710","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 14:43:34 2022 UTC","unixTime":1646405014,"epoch":0,"counter":105,"numerics":false,"columns":{"cdhash":"","child_pid":"","cmdline":"wget ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/local/bin/wget OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"4524","original_parent":"969","parent":"969","path":"/usr/local/Cellar/wget/1.21.3/bin/wget","pid":"1684","platform_binary":"0","seq_num":"2041","signing_id":"","team_id":"","time":"1646404708","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 12:05:00 2022 UTC","unixTime":1646395500,"epoch":0,"counter":79,"numerics":false,"columns":{"cdhash":"b4774fd5b708273b0ec28d6557406175ee43f466","child_pid":"","cmdline":"screencapture -c test.png ","cmdline_count":"3","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/screencapture OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3109","original_parent":"969","parent":"969","path":"/usr/sbin/screencapture","pid":"1314","platform_binary":"1","seq_num":"1353","signing_id":"com.apple.screencapture","team_id":"","time":"1646395330","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 12:05:00 2022 UTC","unixTime":1646395500,"epoch":0,"counter":79,"numerics":false,"columns":{"cdhash":"b4774fd5b708273b0ec28d6557406175ee43f466","child_pid":"","cmdline":"screencapture -h ","cmdline_count":"2","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/screencapture OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3106","original_parent":"969","parent":"969","path":"/usr/sbin/screencapture","pid":"1313","platform_binary":"1","seq_num":"1352","signing_id":"com.apple.screencapture","team_id":"","time":"1646395317","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 12:05:00 2022 UTC","unixTime":1646395500,"epoch":0,"counter":79,"numerics":false,"columns":{"cdhash":"b4774fd5b708273b0ec28d6557406175ee43f466","child_pid":"","cmdline":"screencapture ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/screencapture OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3103","original_parent":"969","parent":"969","path":"/usr/sbin/screencapture","pid":"1312","platform_binary":"1","seq_num":"1351","signing_id":"com.apple.screencapture","team_id":"","time":"1646395313","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 12:05:00 2022 UTC","unixTime":1646395500,"epoch":0,"counter":79,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find / -name inputs.conf ","cmdline_count":"4","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/find OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3091","original_parent":"969","parent":"969","path":"/usr/bin/find","pid":"1310","platform_binary":"1","seq_num":"1348","signing_id":"com.apple.find","team_id":"","time":"1646395246","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 12:05:00 2022 UTC","unixTime":1646395500,"epoch":0,"counter":79,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find / name=inputs.conf ","cmdline_count":"3","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/find OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3087","original_parent":"969","parent":"969","path":"/usr/bin/find","pid":"1309","platform_binary":"1","seq_num":"1347","signing_id":"com.apple.find","team_id":"","time":"1646395226","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:59:14 2022 UTC","unixTime":1646395154,"epoch":0,"counter":78,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/find OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2913","original_parent":"969","parent":"969","path":"/usr/bin/find","pid":"1252","platform_binary":"1","seq_num":"1268","signing_id":"com.apple.find","team_id":"","time":"1646395145","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:59:14 2022 UTC","unixTime":1646395154,"epoch":0,"counter":78,"numerics":false,"columns":{"cdhash":"828c2b54fdf2c64e328e586a960479d8f3c40eee","child_pid":"","cmdline":"crontab -h ","cmdline_count":"2","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/crontab OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2910","original_parent":"969","parent":"969","path":"/usr/bin/crontab","pid":"1251","platform_binary":"1","seq_num":"1267","signing_id":"com.apple.crontab","team_id":"","time":"1646395137","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:59:14 2022 UTC","unixTime":1646395154,"epoch":0,"counter":78,"numerics":false,"columns":{"cdhash":"828c2b54fdf2c64e328e586a960479d8f3c40eee","child_pid":"","cmdline":"crontab ","cmdline_count":"1","cwd":"/opt/splunkforwarder/etc/system/local","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=patrick SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.uNLERO0JPP/Listeners __CF_USER_TEXT_ENCODING=0x0:0:3 LSCOLORS=Gxfxcxdxbxegedabagacad MAIL=/var/mail/root PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin PWD=/opt/splunkforwarder/etc/system/local LANG=de_DE.UTF-8 SHLVL=1 SUDO_COMMAND=/bin/sh HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.3.7 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/crontab OLDPWD=/opt/splunkforwarder ","env_count":"23","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2907","original_parent":"969","parent":"969","path":"/usr/bin/crontab","pid":"1250","platform_binary":"1","seq_num":"1266","signing_id":"com.apple.crontab","team_id":"","time":"1646395121","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:53:16 2022 UTC","unixTime":1646394796,"epoch":0,"counter":77,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find . ! -name . -mtime +7 -delete -print ","cmdline_count":"9","cwd":"/private/var/rwho","egid":"0","env":"TERM=unknown SHELL=/bin/sh USER=root SUDO_USER=root SUDO_UID=0 MAIL=/var/mail/root PATH=/usr/bin:/bin:/usr/sbin:/sbin PWD=/var/rwho SHLVL=1 SUDO_COMMAND=/etc/periodic/daily/140.clean-rwho HOME=/var/root LOGNAME=root SUDO_GID=0 OLDPWD=/ _=/usr/bin/find ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2504","original_parent":"1136","parent":"1136","path":"/usr/bin/find","pid":"1137","platform_binary":"1","seq_num":"1083","signing_id":"com.apple.find","team_id":"","time":"1646394623","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:53:16 2022 UTC","unixTime":1646394796,"epoch":0,"counter":77,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find -dx . -fstype local ! -name . -type d -empty -mtime +3 ! -name .vfs_rsrc_streams_* ! -name .X*-lock ! -name .X11-unix ! -name .ICE-unix ! -name .font-unix ! -name .XIM-unix ! -name quota.user ! -name quota.group -delete -print ","cmdline_count":"39","cwd":"/private/tmp","egid":"0","env":"TERM=unknown SHELL=/bin/sh USER=root SUDO_USER=root SUDO_UID=0 MAIL=/var/mail/root PATH=/usr/bin:/bin:/usr/sbin:/sbin PWD=/tmp SHLVL=1 SUDO_COMMAND=/etc/periodic/daily/110.clean-tmps HOME=/var/root LOGNAME=root SUDO_GID=0 OLDPWD=/ _=/usr/bin/find ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2456","original_parent":"1121","parent":"1121","path":"/usr/bin/find","pid":"1124","platform_binary":"1","seq_num":"1068","signing_id":"com.apple.find","team_id":"","time":"1646394622","uid":"0","username":"root","version":"4"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"HackBook.local","calendarTime":"Fri Mar  4 11:53:16 2022 UTC","unixTime":1646394796,"epoch":0,"counter":77,"numerics":false,"columns":{"cdhash":"c685cd8254683d4bf7560031817a2996cbd5d58c","child_pid":"","cmdline":"find -dx . -fstype local -type f -atime +3 -mtime +3 -ctime +3 ! -name .X*-lock ! -name .X11-unix ! -name .ICE-unix ! -name .font-unix ! -name .XIM-unix ! -name quota.user ! -name quota.group -delete -print ","cmdline_count":"36","cwd":"/private/tmp","egid":"0","env":"TERM=unknown SHELL=/bin/sh USER=root SUDO_USER=root SUDO_UID=0 MAIL=/var/mail/root PATH=/usr/bin:/bin:/usr/sbin:/sbin PWD=/tmp SHLVL=1 SUDO_COMMAND=/etc/periodic/daily/110.clean-tmps HOME=/var/root LOGNAME=root SUDO_GID=0 OLDPWD=/ _=/usr/bin/find ","env_count":"15","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2453","original_parent":"1121","parent":"1121","path":"/usr/bin/find","pid":"1123","platform_binary":"1","seq_num":"1067","signing_id":"com.apple.find","team_id":"","time":"1646394622","uid":"0","username":"root","version":"4"},"action":"added"}