{
	"id": "ce91a8b5-8569-4abb-b103-70b580f12687",
	"created_at": "2026-04-06T02:11:32.089181Z",
	"updated_at": "2026-04-10T13:11:18.532463Z",
	"deleted_at": null,
	"sha1_hash": "fe8e9e35e9c94f11352073808548feba10347473",
	"title": "What is emond? - Magnusviri",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152777,
	"plain_text": "What is emond? - Magnusviri\r\nBy Magnusviri\r\nArchived: 2026-04-06 01:49:47 UTC\r\nI've been struggling with my log scanner that emails and sends SMS texts and I wondered if there was a better way. I found\r\nthat emond does basically the same thing and found little documentation about it (but enough that I could figure out how to\r\nuse it). So I got on one of those tangents and figured out so much that I felt compelled to write it down so that when I forget\r\nit all I can find better documentation if I ever wanted to use it again.\r\nThe name emond is short for Event Monitor Daemon. It is an OS X command located at /sbin/emond. I think it was added to\r\nOS X Server around 10.5 (2007). It was added to regular OS X in 10.7 (2011). There is very little documentation about this\r\ncommand (a short man page, a half a page in the 10.6 Server Admin guide, and a mention in a Peachpit book).\r\nThere are a few things that imply this tool has been neglected by Apple. First, it has had bugs. Doing a web search for\r\nemond brings up many webpages of people who have trouble with emond either taking 100% of the processor,\r\ncrashing (and restarting over and over thanks to launchd), or filling up the system.log file with messages. I've seen this\r\nmyself but because of the lack of documentation and my lack of understanding of what it was I fixed it with a restart.\r\nSecond, a supporting script at /usr/libexec/emlog.pl looks sloppy. There are sections that were commented out in 10.9 with\r\nmention that the functionality was replaced by the audit mechanism and it's still the same in 10.11. There are variables that\r\nare declared but not used and even a whole subroutine that isn't used (it was used in 10.8 and below). 
There is also the text \"\r\n(for now...)\" tacked onto an explanation, indicating that some functionality is likely to change in the future, a change that\r\nnever occurred.\r\nI have been able to figure a little about how emond works and it just has the same plist configuration driven feel of launchd.\r\nThis is just a guess, but it looks to me like emond was meant to be a full featured notification system that was conceived\r\naround the same time as launchd and the Apple System Logger (ASL), both of which were introduced in 10.4. I also think it\r\nwas eventually supposed to be documented more so that others could use it (like me).\r\nApple changed directions between 10.6 and 10.7. I don't know what happened inside of the company (ok, it was the iPhone)\r\nand I haven't really thought all of the changes out, but 10.5 (released Oct 2007) and 10.6 (released Aug 2009) were\r\namazingly well documented. And of course 10.7 (released Jul 2011) was when OS X Server became an application instead\r\nof an OS, lost a large portion of its functionality, and there hasn't really been much documentation since 10.6. I think emond\r\nwas affected by this change.\r\nThe whole time I've written this I've debated if this is worth documenting as much as I am especially because Apple should\r\ndocument it and also because 10.9 OS X Server almost migrated away from it completely. Maybe it will go away in a future\r\nOS. But I know I'll forget all of this once I go back to my regular tasks and it still works in 10.11 and I might want to use it\r\nmore than just what I've already decided to do.\r\nI've mostly looked at 10.8 Server, 10.9, 10.9 Server, and 10.11. I briefly looked at 10.7 to see if it was there (it was--\r\nprobably because the server OS version was replaced by the app so they had to move this to the regular OS--and suddenly\r\nI'm wondering just how much of 10.6 Server was moved to 10.7...). It's not in 10.6 (non-server version). 
I don't have easy\r\naccess to the server versions of 10.5, 10.6, 10.10 or 10.11 right now, but based on a comment on a webpage I think it first\r\nshowed up in 10.5 Server.\r\nSo, here is what I've found, presented as quickly as possible.\r\nWhat starts emond (launchd)\r\nIt all starts with launchd. The plist at /System/Library/LaunchDaemons/com.apple.emond.plist specifies the\r\nQueueDirectories of /private/var/db/emondClients. On my 10.9 OS X Server, there is an empty file in there named\r\ncom.apple.server. So if something is in that directory, emond starts up. I just ran this command on a non-server to start it.\r\nsudo touch /private/var/db/emondClients/bla\r\nemond's config and rule files\r\nWhen emond starts up, it reads its plist file at /etc/emond.d/emond.plist. There is a man page for this file, which suggests to\r\nme that Apple intended for others to modify it (there are many missing man pages, I can't see why Apple would make one\r\nunless it was done by a developer on his own initiative). This plist file doesn't really contain anything remarkable. On my\r\n10.9 OS X Server the following line is added, which tells it to look for more rules in the Server.app bundle.\r\n\u003ckey\u003eadditionalRulesPaths\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cstring\u003e/Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/\u003c/string\u003e\r\n\u003c/array\u003e\r\nAfter it reads its pref file it reads all of the files located in /etc/emond.d/rules/. All of my computers have this file in it,\r\nwhich is disabled by default.\r\nSampleRules.plist\r\nSome of my computers have this file. 
I didn't see a pattern to explain why some have it and others don't.\r\nXsan.plist\r\nOn my 10.8 Server I have these files in /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/.\r\nAdaptiveFirewall.plist\r\nDHABlock.plist\r\nDiskStatus.plist\r\nEmondCertificateExpiring.plist\r\nHostBlockingLogic.plist\r\nNetworkAlertControl.plist\r\ncom.apple.assetcache.plist\r\ncom.apple.disks.disappeared.plist\r\ncom.apple.disks.smart.status.plist\r\ncom.apple.disks.space.plist\r\ncom.apple.dovecot.plist\r\ncom.apple.mail.virus.plist\r\ncom.apple.network.configurationchange.plist\r\ncom.apple.softwareupdate.updateavailable.plist\r\ncom.apple.timemachine.alerts.plist\r\nOn my 10.9 Server I have these 3 files in that directory.\r\nAdaptiveFirewall.plist\r\nDHABlock.plist\r\nHostBlockingLogic.plist\r\nIt looks like all of the files from 10.8 Server have been replaced in 10.9 Server by everything in this directory:\r\n/Applications/Server.app/Contents/ServerRoot/System/Library/Alerts\r\nCaching.bundle\r\nCertificateAlerts.bundle\r\nCommon.bundle\r\nDisk.bundle\r\nFirewall.bundle\r\nMail.bundle\r\nNetworkConfiguration.bundle\r\nProfileManager.bundle\r\nSoftwareUpdate.bundle\r\nTimeMachine.bundle\r\nXcodeServer.bundle\r\n10.8 also includes a file at this path.\r\n/Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/alert_mail_theme.mime\r\nIt is pretty obvious this is the template for sending emails. This file has been slightly changed and moved to the following\r\npath in 10.9 Server.\r\n/Applications/Server.app/Contents/ServerRoot/System/Library/Alerts/Common.bundle/Contents/Resources/AlertsMailTheme.mime\r\nOn 10.9 Server I ran fs_usage and sent a test alert to see if emond is executed and it's not. Instead it looks like control goes\r\nfrom Server.app to servermgrd, to AlertsDaemon, then to sendmail.\r\nThis is one of the things that says to me that Apple is moving away from emond. 
If I had 10.11 Server I could check, but I'm\r\nguessing emond is totally unused.\r\nTriggering events at startup, periodic.daily.midnight, and with the Mach service\r\nOnce emond reads the rule files it processes all rules with an event type of \"startup\". In some rule files you'll see this text.\r\n\u003ckey\u003eeventTypes\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cstring\u003estartup\u003c/string\u003e\r\n\u003c/array\u003e\r\nAfter these startup events are executed emond just sits and waits for a message or for a periodic event. The config file for\r\nemond has a key named \"periodicEvents\", which defines the periodic.daily.midnight event. It looks like this.\r\n\u003ckey\u003eperiodicEvents\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eeventType\u003c/key\u003e\r\n \u003cstring\u003eperiodic.daily.midnight\u003c/string\u003e\r\n \u003ckey\u003estartTime\u003c/key\u003e\r\n \u003cstring\u003e0\u003c/string\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\nOther than startup and periodic events, emond just sits and waits.\r\nThe launchd plist file for emond specifies a Mach service named com.apple.emond.evtq. I think \"evtq\" is short for \"event\r\nqueue.\" Anything should be able to send something directly to emond using this Mach service (too bad I don't know how to\r\nsend messages to a Mach service with a script--I bet Python could do it, but I'm not interested enough to check).\r\nemlog.pl\r\nThe script emlog.pl (10.11 version) is started by a launchd plist file\r\n(/System/Library/LaunchDaemons/com.apple.emlog.plist). The plist file specifies a socket listener on port 60762. Based on\r\nthe contents of the script I am pretty sure that typically this script processes one line of text from system.log or secure.log\r\nand then quits. 
I have no idea what is reading the log files and sending the text to the script and don't much care.\r\nThe script checks to see if the line it is parsing matches some patterns and if it does then it constructs an event string and\r\nsends that to xssendevent. The event string is formatted as ASCII plist. Here are some example event strings.\r\n$eventString = \"{ eventType = auth.failure; eventSource = emlog.pl; eventDetails = {clientIP = \\\"$addr\\\"; hostPort = 21;\r\n$eventString = \"{ eventType = auth.failure; eventSource = emlog.pl; eventDetails = {clientIP = \\\"$address\\\"; protocolName\r\n$eventString = \"{ eventType = auth.failure; eventSource = emlog.pl; eventDetails = {username = \\\"$username\\\"; clientIP = \\\r\n$eventString = \"{ eventType = auth.success; eventSource = emlog.pl; eventDetails = {username = \\\"$username\\\"; clientIP = \\\r\n$eventString = \"{ eventType = network.probe; eventSource = emlog.pl; eventDetails = #{sourceIP = \\\"$address\\\"; port = 22;}\r\nemlog.pl sends the event string to xssendevent using this perl code.\r\nopen $OUTSTREAM, \"|/usr/libexec/xssendevent\" or die \"Cannot launch /usr/libexec/xssendevent $!\";\r\n...\r\nprint $OUTSTREAM $eventString;\r\nxssendevent\r\nI am pretty sure xssendevent is one of the things that sends messages to the com.apple.emond.evtq Mach service. So\r\nxssendevent just reads stdin and I believe xssendevent turns the plist to an NSDictionary object and sends that to the Mach\r\nservice com.apple.emond.evtq. This kind of makes xssendevent a command line bridge to emond.\r\nEvent type\r\nOnce an event is sent to emond, I believe emond looks through all of the rules it has and finds any events that match the\r\n\"eventType\". I already mentioned the \"startup\" and \"periodic.daily.midnight\" events. The other event types are all defined in\r\nthe event strings and the rule plist files. 
For example, emlog.pl creates an event with the following string.\r\n\"{ eventType = auth.failure; eventSource = emlog.pl; eventDetails = {clientIP = \\\"$addr\\\"; hostPort = 21; protocolName =\r\nThe file /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules/AdaptiveFirewall.plist contains an event\r\nwith that name \"auth.failure\" with this code.\r\n\u003ckey\u003eeventTypes\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cstring\u003eauth.failure\u003c/string\u003e\r\n\u003c/array\u003e\r\nSo the event type names can really be anything you want, you just have to have an event match a rule. This system sounds a\r\nlot like (NSDistributedNotificationCenter)\r\n[https://developer.apple.com/library/mac/documentation/Cocoa/Reference/Foundation/Classes/NSDistributedNotificationCenter_Cla\r\nThis is a list of some of the event types I've seen.\r\nauth.failure\r\nauth.success\r\ncom.apple.network.suppress.notifications\r\ncom.apple.network.suppress.notifications\r\ncom.apple.xsan.fibreEvents\r\ncom.apple.xsan.overQuota.group\r\ncom.apple.xsan.overQuota.user\r\ncom.apple.xsan.testNotification\r\ncom.apple.xsan.volFreespace\r\ncom.apple.xsan.volRestart\r\nsecurity.action.host_blocked\r\nsmtp.receive.badrecipient\r\nVariables\r\nBefore I can talk about the next step you have to understand variables. Rules can define variables. Here is an example of a\r\nrule defined variable. This is what you'd see in the plist file for a rule.\r\n\u003ckey\u003evariables\u003c/key\u003e\r\n\u003cdict\u003e\r\n \u003ckey\u003ehostBlockThreshold\u003c/key\u003e\r\n \u003cinteger\u003e25\u003c/integer\u003e\r\n \u003ckey\u003ehostMinBlockTime\u003c/key\u003e\r\n \u003cinteger\u003e15\u003c/integer\u003e\r\n\u003c/dict\u003e\r\nI am pretty sure variables can also be defined by the eventDetails portion of the event string sent to xssendevent. 
For\r\nexample, this event string from emlog.pl defines \"clientIP\", \"hostPort\", and \"protocolName\". I believe eventType is also\r\nturned into a variable.\r\n\"{ eventType = auth.failure; eventSource = emlog.pl; eventDetails = {clientIP = \\\"$addr\\\"; hostPort = 21; protocolName =\r\nThere are also some builtin variables. Here are the 2 I've observed.\r\nbuiltin:hostName\r\nbuiltin:now\r\nYou can also use the global keyword. This implies there is variable scope...\r\nglobal:lastSuppressionTime\r\nUse a variable like this:\r\n${variableName}\r\nHere are real examples (including one named eventType).\r\n${event:blockDuration}\r\n${event:clientIP}\r\n${event:eventTimestamp}\r\n${event:eventType}\r\n${event:hostAddress}\r\nSince a rule plist file can have multiple rules (the root of the plist is an array instead of a dict) you can have rules that\r\nactually change variables that were previously defined. For example here is how one variable was incremented.\r\n\u003ckey\u003e${old}\u003c/key\u003e\r\n\u003cstring\u003e${old} + 1\u003c/string\u003e\r\nYou can also do some other fancy stuff in the brackets.\r\n${builtin:now-24:00:00.00}\r\n${event:freePercent%.2f}\r\nYou can also load variables from a file.\r\n\u003ckey\u003eloadVariablesFromFile\u003c/key\u003e\r\n\u003cstring\u003e/Library/Preferences/Xsan/notifications3.plist\u003c/string\u003e\r\nThere is also a section in the emond.plist file for initialVariables.\r\nEvent criterion\r\nNext, there is criterion. If a criterion exists, it must be true for the actions to be executed. Criterion are basically if statements\r\nformatted as plist. You have an operator and operands. 
The operators I've seen are as follows.\r\nLessThan\r\nGreaterThan\r\nTrue\r\nDefined\r\nNotEmpty\r\nThere are probably more (like Equal or NotEqual) and you'd probably see them if you ran strings on the emond binary.\r\nThe operand is a variable name or, if you use the bracket notation, the value of the variable. Here are a few examples.\r\n${FreeSpaceThreshold} \u003e ${event:Percentage}\r\n\u003ckey\u003ecriterion\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eoperator\u003c/key\u003e\r\n \u003cstring\u003eGreaterThan\u003c/string\u003e\r\n \u003ckey\u003eoperands\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e${FreeSpaceThreshold}\u003c/string\u003e\r\n \u003cstring\u003e${event:Percentage}\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\ntrue\r\n\u003ckey\u003ecriterion\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eoperator\u003c/key\u003e\r\n \u003cstring\u003eTrue\u003c/string\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\ndefined event:clientIP\r\n\u003ckey\u003ecriterion\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eoperator\u003c/key\u003e\r\n \u003cstring\u003eDefined\u003c/string\u003e\r\n \u003ckey\u003eoperands\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003eevent:clientIP\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\nglobal:notificationContacts != \"\"\r\n\u003ckey\u003ecriterion\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eoperator\u003c/key\u003e\r\n \u003cstring\u003eNotEmpty\u003c/string\u003e\r\n \u003ckey\u003eoperands\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003eglobal:notificationContacts\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\n${${event:clientIP}-BadAuthCount} \u003e 
${hostBlockThreshold}\r\n\u003ckey\u003ecriterion\u003c/key\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eoperator\u003c/key\u003e\r\n \u003cstring\u003eGreaterThan\u003c/string\u003e\r\n \u003ckey\u003eoperands\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e${${event:clientIP}-BadAuthCount}\u003c/string\u003e\r\n \u003cstring\u003e${hostBlockThreshold}\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\nPutting if statements in plist form takes a whole lot more text than if you were to just write \"if ( something1 \u003e something2\r\n)\".\r\nThere is also this key. I'm guessing this turns the array of criterion into or's instead of and's.\r\n\u003ckey\u003eallowPartialCriterionMatch\u003c/key\u003e\r\nActions\r\nOnce an eventType matches and the criterion (if any) are met, then the actions are performed. I found these different actions.\r\nLog\r\nSendEmail\r\nSendSMS\r\nSendNotification\r\nRunCommand\r\nThis is what the log action looks like.\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eLog\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003eHost at ${event:clientIP} will be blocked for at least ${hostMinBlockTime} minutes\u003c/string\u003e\r\n \u003ckey\u003efacility\u003c/key\u003e\r\n \u003cstring\u003eAdaptiveFirewall\u003c/string\u003e\r\n \u003ckey\u003elogLevel\u003c/key\u003e\r\n \u003cstring\u003eNotice\u003c/string\u003e\r\n \u003ckey\u003elogType\u003c/key\u003e\r\n \u003cstring\u003eSyslog\u003c/string\u003e\r\n\u003c/dict\u003e\r\nHere is another log action that uses ASL instead of syslog.\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eLog\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003e${event:eventTimestamp} Host at ${event:hostAddress} was blocked for 
${event:blockDuration}\u003c/string\u003e\r\n \u003ckey\u003efacility\u003c/key\u003e\r\n \u003cstring\u003eAdaptiveFirewall\u003c/string\u003e\r\n \u003ckey\u003elogLevel\u003c/key\u003e\r\n \u003cstring\u003eWarning\u003c/string\u003e\r\n \u003ckey\u003elogType\u003c/key\u003e\r\n \u003cstring\u003eASL\u003c/string\u003e\r\n \u003ckey\u003eparameters\u003c/key\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003eeventType\u003c/key\u003e\r\n \u003cstring\u003e${event:eventType}\u003c/string\u003e\r\n \u003ckey\u003ehostAddress\u003c/key\u003e\r\n \u003cstring\u003e${event:hostAddress}\u003c/string\u003e\r\n \u003c/dict\u003e\r\n\u003c/dict\u003e\r\nSend Email. Not all of these keys are required. I got by with just type, message, subject, and recipientAddresses.\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eSendEmail\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003ePlease do not be alarmed. This is only a test for SAN ${event:SANName}.\u003c/string\u003e\r\n \u003ckey\u003esubject\u003c/key\u003e\r\n \u003cstring\u003e${event:SANName}: Test notification\u003c/string\u003e\r\n \u003ckey\u003elocalizationBundlePath\u003c/key\u003e\r\n \u003cstring\u003e/usr/libexec/xsanmgr/bundles/xsanmgr_xsan.bundle\u003c/string\u003e\r\n \u003ckey\u003erelayHost\u003c/key\u003e\r\n \u003cstring\u003e${event:relayHost}\u003c/string\u003e\r\n \u003ckey\u003eadminEmail\u003c/key\u003e\r\n \u003cstring\u003e${event:adminEmail}\u003c/string\u003e\r\n \u003ckey\u003erecipientAddresses\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e${event:emailRecipients}\u003c/string\u003e\r\n \u003c/array\u003e\r\n\u003c/dict\u003e\r\nSend SMS. I couldn't get this to work. If you really want to send an SMS you can use the SendEmail action and an email to\r\ntext message service. 
Most carriers have their own and you can find many at www.emailtextmessages.com.\r\nIt is also worth mentioning that if you use a small carrier that rents from a larger carrier, use the larger carrier's service. Since\r\nsome carriers rent from multiple larger carriers you might need to try several different large carriers or call them and ask\r\nwhat cell towers your phone connects to (it depends on the SIM card).\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eSendSMS\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003ePlease do not be alarmed. This is only a test for SAN ${event:SANName}.\u003c/string\u003e\r\n \u003ckey\u003elocalizationBundlePath\u003c/key\u003e\r\n \u003cstring\u003e/usr/libexec/xsanmgr/bundles/xsanmgr_xsan.bundle\u003c/string\u003e\r\n \u003ckey\u003erelayHost\u003c/key\u003e\r\n \u003cstring\u003e${event:relayHost}\u003c/string\u003e\r\n \u003ckey\u003eadminEmail\u003c/key\u003e\r\n \u003cstring\u003e${event:adminEmail}\u003c/string\u003e\r\n \u003ckey\u003erecipientAddresses\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e${event:smsRecipients}\u003c/string\u003e\r\n \u003c/array\u003e\r\n\u003c/dict\u003e\r\nSend notification. The OS Notification Center?... 
I don't know (didn't feel like testing).\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eSendNotification\u003c/string\u003e\r\n \u003ckey\u003ename\u003c/key\u003e\r\n \u003cstring\u003eEventMonitorNotification\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003eEventMonitorNotification\u003c/string\u003e\r\n \u003ckey\u003edetails\u003c/key\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003ehostBlockedTime\u003c/key\u003e\r\n \u003cstring\u003e${hostMinBlockTime}\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003eHostBlocked\u003c/string\u003e\r\n \u003c/dict\u003e\r\n\u003c/dict\u003e\r\nJust run a command.\r\n\u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eRunCommand\u003c/string\u003e\r\n \u003ckey\u003ecommand\u003c/key\u003e\r\n \u003cstring\u003e/System/Library/Filesystems/acfs.fs/Contents/bin/xsandaily\u003c/string\u003e\r\n \u003ckey\u003euser\u003c/key\u003e\r\n \u003cstring\u003eroot\u003c/string\u003e\r\n \u003ckey\u003egroup\u003c/key\u003e\r\n \u003cstring\u003ewheel\u003c/string\u003e\r\n \u003ckey\u003earguments\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e-a\u003c/string\u003e\r\n \u003cstring\u003e${event:clientIP}\u003c/string\u003e\r\n \u003cstring\u003e-t\u003c/string\u003e\r\n \u003cstring\u003e${hostMinBlockTime}\u003c/string\u003e\r\n \u003c/array\u003e\r\n\u003c/dict\u003e\r\nMore reading\r\nThere's a paragraph that mentions emond in the book (Mac OS X Security and Mobility v10.6: Using a Firewall)\r\n[http://www.peachpit.com/articles/article.aspx?p=1573022\u0026seqNum=2]. The most interesting part of that paragraph\r\nis that it says, \"emond is an off-limits subsystem\". That makes me smile.\r\nThere's also an old very interesting Apple discussion thread. 
In it keeperofthecheese says, \"the Leopard release of this\r\nfeature was intended to be Apple-internal, which is why this (pretty powerful, IMHO) feature is not yet widely used\r\nthroughout the system.\" I'm pretty sure that refers to emond. This seems to indicate to me that emond was intended to\r\nbe much more. I wonder if keeperofthecheese worked on emond or knew the person who did.\r\nMac OS X Server Advanced Server Administration Version 10.6 Snow Leopard spends half of page 184 discussing\nemond in more detail than the man pages. It also says, \"the file formats and settings in emond.conf and rules plists\nare not documented for customer use. Tampering could result in an unusable notification system and is unsupported.\"\nemond man page.\nemond.plist man page. The most interesting part is that it tells how to enable debugging and logging, which would\nprobably help figure out a lot more than my documentation.\nemlog.pl man page.\nxssendevent man page.\nConclusion\nSo we aren't supposed to use emond and it looks like it's on the chopping block. But it's there for now and there is enough\ninformation to figure out how to use it if you want. I've been struggling with my own version of a log scanner that emails\nand texts and that's what finally motivated me to look at emond.\nBut seriously, after looking at it, I'm not too convinced it is even worth it. It appears to be a plist (data) driven system just to\nsend emails, log messages, etc. Considering how easy it is to log (logger), run a command (system or ``), or send an email in\na perl script (pipe to sendmail), I can't see why I'd want to use emond instead of a script. And the criterion section is just\natrocious. This whole system could be replaced with a few dozen much more readable lines of Perl (or any other scripting\nlanguage, even BASH). There's got to be more to this than I know about. 
In fact, as I write that, I remember the\nalert_mail_theme.mime file and that it is an email template. Ok, it would take more than a few dozen lines of Perl to\nduplicate that functionality. But I guess I don't need that much power.\nI think for now all I'm really going to do is create a startup rule that sends me an email. That way I know when one of my\nservers restarts. Here it is.\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003ename\u003c/key\u003e\r\n \u003cstring\u003eStartup Email\u003c/string\u003e\r\n \u003ckey\u003eenabled\u003c/key\u003e\r\n \u003ctrue/\u003e\r\n \u003ckey\u003eeventTypes\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003estartup\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003ckey\u003eactions\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eSendEmail\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003e${builtin:hostName} started up.\u003c/string\u003e\r\n \u003ckey\u003esubject\u003c/key\u003e\r\n \u003cstring\u003e${builtin:hostName} started up.\u003c/string\u003e\r\n \u003ckey\u003eadminEmail\u003c/key\u003e\r\n \u003cstring\u003eroot\u003c/string\u003e\r\n \u003ckey\u003erecipientAddresses\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003ejames.reynolds@example.com\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n \u003cdict\u003e\r\n \u003ckey\u003etype\u003c/key\u003e\r\n \u003cstring\u003eSendEmail\u003c/string\u003e\r\n \u003ckey\u003emessage\u003c/key\u003e\r\n \u003cstring\u003e${builtin:hostName} started up.\u003c/string\u003e\r\n \u003ckey\u003esubject\u003c/key\u003e\r\n \u003cstring\u003e${builtin:hostName} started up.\u003c/string\u003e\r\n \u003ckey\u003eadminEmail\u003c/key\u003e\r\n \u003cstring\u003eroot\u003c/string\u003e\r\n \u003ckey\u003erecipientAddresses\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e123-456-7890@txt.att.net\u003c/string\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n \u003c/array\u003e\r\n \u003c/dict\u003e\r\n\u003c/array\u003e\r\n\u003c/plist\u003e\r\nOf course, the server that I really needed to be notified when it restarts is running OS X 10.6 client, so it doesn't even have\r\nemond. Irony. 
Here's the perl script and launchd plist that I'm using for it.\r\n#!/usr/bin/perl -w\r\nuse strict;\r\nchomp ( my $hostname = `hostname` );\r\nsend_mail (\r\n 'to' =\u003e 'james.reynolds@example.com',\r\n 'from' =\u003e 'root',\r\n 'subject' =\u003e \"$hostname started up.\",\r\n 'message' =\u003e \"$hostname started up.\",\r\n);\r\nsend_mail (\r\n 'to' =\u003e '123-456-7890@txt.att.net',\r\n 'from' =\u003e 'root',\r\n 'subject' =\u003e \"$hostname started up.\",\r\n 'message' =\u003e \"$hostname started up.\",\r\n);\r\nsub send_mail {\r\n my %h = @_;\r\n open SENDMAIL, \"|/usr/sbin/sendmail -oi -t\" or die \"/usr/sbin/sendmail: $!\\n\";\r\n print SENDMAIL \u003c\u003c \"EOF\";\r\nFrom: $h{'from'}\r\nTo: $h{'to'}\r\nSubject: $h{'subject'}\r\n\r\n$h{'message'}\nEOF\n close SENDMAIL;\n}\nAnd the launchd plist.\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\n\u003cplist version=\"1.0\"\u003e\n\u003cdict\u003e\n \u003ckey\u003eLabel\u003c/key\u003e\n \u003cstring\u003ecom.magnusviri.startup_email\u003c/string\u003e\n \u003ckey\u003eProgramArguments\u003c/key\u003e\n \u003carray\u003e\n \u003cstring\u003e/usr/local/bin/startup_email.pl\u003c/string\u003e\n \u003c/array\u003e\n \u003ckey\u003eRunAtLoad\u003c/key\u003e\n \u003ctrue/\u003e\n \u003ckey\u003eLaunchOnlyOnce\u003c/key\u003e\n \u003ctrue/\u003e\n\u003c/dict\u003e\n\u003c/plist\u003e\nAnyway, back to work I guess and figure out how to get my logscanner to work.\nPublished: 2016-04-07, last edited: 2020-05-11, Copyright © 2026 James Reynolds\nSource: http://www.magnusviri.com/Mac/what-is-emond.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.magnusviri.com/Mac/what-is-emond.html"
	],
	"report_names": [
		"what-is-emond.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441492,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe8e9e35e9c94f11352073808548feba10347473.pdf",
		"text": "https://archive.orkl.eu/fe8e9e35e9c94f11352073808548feba10347473.txt",
		"img": "https://archive.orkl.eu/fe8e9e35e9c94f11352073808548feba10347473.jpg"
	}
}