macOS - Forensics - Get Automox Remote Control Log (rc-Module.log)

What the Remote Control Log Retrieval Worklet does

This Automox Worklet™ reads the Automox Remote Control log file located at /usr/local/var/log/remotecontrold.log on macOS endpoints and outputs the contents to your Automox Activity Log. This provides remote visibility into remote control module operations without requiring direct endpoint access.

The Worklet operates in four configurable modes: retrieve the last N lines (default 100), retrieve the entire log file, retrieve all entries from a specific date, or retrieve the last N lines from a specific date. Select the mode by setting the worklet_mode variable in the remediation script.

Why retrieve Remote Control logs remotely

The remotecontrold.log file contains detailed information about Automox Remote Control sessions, including connection attempts, authentication events, session establishment, and disconnection reasons. When remote sessions fail or behave unexpectedly, these logs provide the diagnostic data needed for troubleshooting.

Remote log retrieval is particularly valuable when the Remote Control feature itself is not working. You cannot use Remote Control to access an endpoint and check logs if Remote Control is the component that is failing.

This Worklet provides an alternative diagnostic path that works through the standard Automox Agent communication channel, independent of the Remote Control module.

How Remote Control log retrieval works

1. Evaluation phase: The Worklet checks whether the remotecontrold.log file exists at /usr/local/var/log/remotecontrold.log. If the file exists, the endpoint is flagged for remediation. If the file does not exist (Remote Control may not be enabled), the Worklet exits without scheduling remediation.

2. Remediation phase: Based on the configured worklet_mode, the Worklet uses tail, cat, or grep commands to extract the requested log content. Mode 1 retrieves the last N lines using tail. Mode 2 retrieves the full log using cat. Modes 3 and 4 filter entries by a specified date using grep. Output is sent to the Activity Log.

Remote Control log retrieval requirements

• macOS endpoint (workstation or server)

• Automox Remote Control enabled on the endpoint with log file at /usr/local/var/log/remotecontrold.log

• For date-filtered modes (3 and 4), set the desired_date variable in yyyy-mm-dd format

• Configure worklet_mode variable (1-4) to select retrieval method

Expected Remote Control log output

After running, the selected portion of the remotecontrold.log appears in your Automox Activity Log for the endpoint. You can verify this change by checking System Settings or the relevant system configuration. The output includes timestamps and detailed messages about Remote Control module operations.

Review entries related to session initiation, authentication handshakes, connection establishment, and session termination. This information helps identify network issues, authentication failures, or configuration problems affecting remote access capabilities.

How to validate get automox remote control log (rc-module.log) changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for get automox remote control log (rc-module.log).

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, else.

4. Validate remediation effects from script operations such as function, tail, cat, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for get automox remote control log (rc-module.log). This supports repeatable maintenance tasks workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit, else and remediation operations such as function, tail, cat. Use these indicators to verify that endpoint changes match intended policy outcomes.