
Collect Splashtop Streamer Logs from Mac Endpoints

Harvest Splashtop Streamer log archives from Mac endpoints and bundle them into a single zip for support handoff

Worklet Details

What the Splashtop log collector for Mac does

This Automox Worklet™ collects Splashtop Streamer log archives from Mac endpoints and packages them into a single zip file the support team can hand off with a ticket. The Worklet reads the per-user Splashtop log directory at ~/Library/Application Support/Splashtop Streamer/Logs, which is where the streamer writes its rolling zip bundles, and copies every archive it finds into a staging directory at /tmp/Splashtop_Logs.

Each archive is unzipped in place so the raw SPLOG.txt and any companion files land in the same staging directory. The script then verifies that SPLOG.txt is present after extraction so a missing or corrupted source archive is flagged in the activity log rather than silently producing an empty bundle. The collected contents are rebundled into /tmp/Splashtop_Logs_macOS.zip with the zip command and the archive path is echoed to stdout, which Automox captures in the policy run output.

The collection step is non-destructive on the source logs. The Worklet copies the streamer's own zip archives rather than moving them, so a subsequent Splashtop reinstall, support session, or in-product log export still works as expected. Pair this Worklet with the Restart Splashtop Streamer Service Worklet when a remote-support failure requires both log evidence and a service bounce, and with the Uninstall Splashtop Streamer Worklet when the endpoint is being retired from the remote-support footprint.

Why collect Splashtop logs through Automox

When a Splashtop remote-support session fails on a Mac, the answer is in the streamer log. The problem is that the log lives in an Application Support directory most end users have never opened, on a machine that may be offline, in another time zone, or already power-cycled before anyone on the support team can reach it. The standard workflow of asking the user to email the log file fails when the user does not know the path, has trouble navigating to ~/Library, or has already attempted a reinstall that rotated the relevant archive.

Automox Worklets take action on endpoints across the fleet without an admin sitting in front of each one. This collection Worklet is the action that pulls Splashtop log archives at scale, so a support engineer reviewing a flaky remote-support tier can collect evidence from ten endpoints in one policy run instead of chasing ten users for log files. The output zip is written to a known location under /tmp, which is consistent across macOS versions and accessible to the next step in the support workflow.

Running collection through Automox also removes the user from the support loop for an evidence-gathering step that does not need them. End users do not have to interrupt their work, open a directory they cannot normally see, or worry about attaching the wrong file to a ticket. The support engineer queues the Worklet against the affected endpoint, picks up the resulting archive path from the activity log, and proceeds with triage.

How Splashtop log collection works

  1. Evaluation phase: The Worklet checks whether the Splashtop Streamer log directory exists at ~/Library/Application Support/Splashtop Streamer/Logs and whether that directory contains at least one .zip archive. If both conditions are true, the endpoint is reported non-compliant with the message "Splashtop Streamer logs found" and the remediation step is queued. If the directory is missing or empty, the endpoint is reported compliant and no collection runs.

  2. Remediation phase: The remediation script creates the staging directory /tmp/Splashtop_Logs with mkdir -p, copies every .zip from the Splashtop log directory into the stage with cp, and unzips each archive into the same location. The script then checks for SPLOG.txt to confirm extraction succeeded, rebuilds /tmp/Splashtop_Logs_macOS.zip from the staged contents with the zip command, and echoes the final archive path to stdout so Automox surfaces it in the policy run activity log.
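
The two phases above as one script, added here as an illustration and not the Worklet's own code. It assumes the caller resolves the user's log directory into LOG_DIR and that a non-zero evaluation exit marks the endpoint non-compliant; the symlink check, the umask, and the names evaluate_logs, collect_logs and the dispatcher are additions the page does not describe.

```bash
#!/bin/bash
# Added example, not the Worklet's own script. LOG_DIR must be resolved by the
# caller (assumption): under the root agent, "~" is root's home, not the user's.
LOG_DIR="${LOG_DIR:-$HOME/Library/Application Support/Splashtop Streamer/Logs}"
STAGE="${STAGE:-/tmp/Splashtop_Logs}"
OUT_ZIP="${OUT_ZIP:-/tmp/Splashtop_Logs_macOS.zip}"   # must be an absolute path

# Evaluation: return 1 (non-compliant, remediation queued) when at least one
# .zip exists, 0 (compliant) otherwise. The exit-code mapping is an assumption.
evaluate_logs() {
    [ -d "$LOG_DIR" ] || return 0
    for f in "$LOG_DIR"/*.zip; do
        if [ -f "$f" ]; then echo "Splashtop Streamer logs found"; return 1; fi
    done
    return 0
}

# Remediation: copy (never move) the archives, extract, verify, rebundle.
collect_logs() {
    if [ ! -d "$LOG_DIR" ]; then echo "Log directory not found"; return 1; fi
    # Hardening added here: do not follow a pre-existing symlink at the
    # predictable /tmp staging path while running as root.
    if [ -L "$STAGE" ]; then echo "Staging path is a symlink"; return 1; fi
    (
        umask 077                      # keep staged logs and output owner-only
        mkdir -p "$STAGE" || exit 1
        rm -f "$STAGE/SPLOG.txt"       # a stale copy must not satisfy the check
        cp "$LOG_DIR"/*.zip "$STAGE"/ 2>/dev/null || exit 1
        for z in "$STAGE"/*.zip; do
            unzip -o -q "$z" -d "$STAGE" || echo "Could not extract: $z"
        done
        if [ ! -f "$STAGE/SPLOG.txt" ]; then
            echo "SPLOG.txt not found after extraction"; exit 1
        fi
        echo "SPLOG.txt extracted successfully"
        rm -f "$OUT_ZIP"
        ( cd "$STAGE" && zip -q -r "$OUT_ZIP" . ) || exit 1
        echo "Splashtop logs collected successfully"
        echo "Archive location: $OUT_ZIP"
    )
}

# Constructed dispatcher so one file serves both phases: evaluate | remediate.
case "${1:-}" in
    evaluate)  evaluate_logs; exit $? ;;
    remediate) collect_logs;  exit $? ;;
esac
```

Removing a stale SPLOG.txt before extraction matters on recurring schedules: without it, a file left in the staging directory by an earlier run would pass the check even when the current archive is corrupt.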

Splashtop log collection requirements

  • Mac endpoint running a supported version of macOS with Splashtop Streamer currently or previously installed

  • Splashtop log directory present at ~/Library/Application Support/Splashtop Streamer/Logs with at least one .zip archive (the streamer creates these automatically during normal operation)

  • Root privileges for the Automox agent (the default agent context already meets this) so the script can read the per-user Application Support directory and write to /tmp

  • Writable /tmp filesystem on the endpoint for the staging directory and the final /tmp/Splashtop_Logs_macOS.zip output

  • cp, unzip, and zip available in PATH (all are standard on macOS and require no separate install)

  • Process to retrieve /tmp/Splashtop_Logs_macOS.zip from the endpoint after the Worklet runs (for example, FixNow followed by an MDM file pull, or a follow-up Worklet that uploads the archive to a support drop point)

Expected Splashtop log archive output

After the Worklet runs, the endpoint has a file at /tmp/Splashtop_Logs_macOS.zip containing the extracted Splashtop Streamer log contents, including SPLOG.txt and any companion files the streamer bundled into its own archives. The Automox activity log for the policy run shows the messages "Splashtop Streamer logs found", "SPLOG.txt extracted successfully", "Splashtop logs collected successfully", and "Archive location: /tmp/Splashtop_Logs_macOS.zip". The exit status is 0 on success and the same path is reported across every endpoint, so a support engineer reviewing a batch of runs knows where to look without inspecting each output individually.

Validate the Worklet on one endpoint where Splashtop Streamer is installed and has been used recently, confirm the zip archive lands at /tmp/Splashtop_Logs_macOS.zip, and unzip it on a workstation to verify SPLOG.txt is readable. If the activity log reports "Log directory not found" or "SPLOG.txt not found after extraction", the source endpoint either does not have Splashtop Streamer installed under the expected path or the streamer has not yet written its first log archive. The Worklet does not modify the original log archives in the Splashtop directory, so it is safe to run on a recurring schedule or on demand during an active support investigation.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
