{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s /var/log/system.log ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c audit -s /var/log/system.log && rm -rf /var/log/system.log\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/audit ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"139","original_parent":"42870","parent":"42870","parent_pidversion":"112575","path":"/usr/sbin/audit","pid":"42871","pidversion":"112577","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"57","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"audit -s /var/log/system.log && rm -rf /var/log/system.log\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/bin/bash -c audit -s /var/log/system.log && rm -rf /var/log/system.log\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"137","original_parent":"42869","parent":"42869","parent_pidversion":"112573","path":"/bin/bash","pid":"42870","pidversion":"112575","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"56","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo bash -c \"audit -s /var/log/system.log && rm -rf /var/log/system.log\" ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"135","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42869","pidversion":"112573","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"55","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}