macOS - Data Collection & Auditing - Get Automox macOS Softwareupdate Restart Logs

What the Softwareupdate Restart Log Retrieval Worklet does

This Automox Worklet™ reads the macOS softwareupdate restart log files located in /var/log/amagent/ and outputs their contents to your Automox Activity Log. The softwareupdate utility is Apple's command line tool for managing macOS updates and upgrades, and these logs capture restart-related events during the update process.

The Worklet retrieves both restart.log (standard output) and restart.err (error output) files. You can configure the number of lines to retrieve using the desired_line_count parameter, with a default of 20 lines per file.

Why access softwareupdate restart logs

When macOS updates fail to complete or endpoints do not restart as expected after patching, you lose visibility into what went wrong. Without access to the restart logs, troubleshooting becomes a time-consuming process of guessing whether the issue is network-related, permission-based, disk space constraints, or update package corruption. Endpoints stuck in failed update states leave your organization with security gaps when critical patches cannot be applied.

These logs are particularly useful when endpoints appear stuck in an update state, repeatedly prompt for restarts, or report update failures in the Automox console. The error log (restart.err) captures specific failure messages that help identify the root cause.

For IT teams managing macOS fleet updates, remote access to these logs reduces troubleshooting time and eliminates the need for users to manually retrieve and send diagnostic files.

How softwareupdate log retrieval works

1. Evaluation phase: The Worklet checks for the existence of /var/log/amagent/restart.log and /var/log/amagent/restart.err. If either file exists and contains data (file size greater than 0 bytes), the endpoint is flagged for remediation.

2. Remediation phase: The Worklet uses the tail command to retrieve the last N lines (configurable via desired_line_count) from both restart.log and restart.err files. If a file is empty, the Worklet outputs the file path with a message indicating the log is empty. Both outputs appear in your Activity Log.

Softwareupdate log retrieval requirements

• macOS workstation

• Automox Agent installed with restart logs present in /var/log/amagent/

• Configure desired_line_count parameter to control output volume (default: 20)

Expected restart log output

After running, the Activity Log displays the contents of both restart.log and restart.err files, clearly separated by header labels. The restart.log shows standard softwareupdate output including update progress and restart scheduling information.

Verification: Review the Activity Log output for entries indicating successful or failed restart attempts. Look for error messages in restart.err such as "Insufficient disk space", "Network connectivity failed", or "Package verification failed" which point to the root cause. Cross-reference timestamps in restart.log with system update records to track when the restart attempt occurred. Use this diagnostic information to resolve update failures and re-run the update process after addressing the identified issues.

How to validate get automox macos softwareupdate restart logs changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for get automox macos softwareupdate restart logs.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit, elif, else.

4. Validate remediation effects from script operations such as exit, elif, tail, then rerun evaluation for compliance.