Successfully run sudo commands are no longer logged by default to unified logging on macOS Sequoia
On macOS, you can use macOS’s unified logging to display commands run using the sudo command line tool. On macOS Sonoma and earlier, both successful and unsuccessful commands were logged by default. For example, here’s what you would see on macOS Sonoma when the following command was run first unsuccessfully and then successfully:
Assuming you ran this command within the past three hours, you could use the following command to see both the successful and unsuccessful attempts to run the command above in the unified logs:
On macOS Sonoma, you should see both the successful and unsuccessful attempts to run the sudo date command (along with any other successful and unsuccessful attempts to use the sudo command).
However, on macOS Sequoia, if you run the same set of successful and unsuccessful attempts and then run the log command shown above, you would only see the unsuccessful attempts in the unified logs:
Why is this? For more details, please see below the jump.
On macOS Sequoia and earlier, the sudo command’s behavior is defined by the sudoers configuration file stored in the /etc directory. For macOS Sequoia, the following section was added to the /etc/sudoers configuration file:
The !log_allowed setting means that the sudo command should not log allowed, or successful, attempts to run the sudo command. That means only the not allowed, or unsuccessful, commands will get logged to unified logging.
If you want to configure the logging to use the pre-Sequoia behavior, you can edit the /etc/sudoers configuration file in one of the following ways:
1. Comment out the new !log_allowed line:
2. Remove the new !log_allowed line:
Once the /etc/sudoers configuration file has been edited to either comment out or remove the new !log_allowed line, the sudo command on macOS Sequoia should log both successful and unsuccessful commands to unified logging.
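The check and the comment-out edit described above can be scripted, as in the following added example (not code from the original post). It assumes the setting sits on its own line as `Defaults !log_allowed`; the function names are hypothetical and the sample sudoers content is constructed, so the script works on a temporary copy and never touches /etc/sudoers.

```shell
#!/bin/sh
# Added example: audit a sudoers file for the Sequoia "!log_allowed" default
# and produce a corrected copy for review.

# Assumption: the setting sits on its own line as "Defaults !log_allowed".
RE='^[[:space:]]*Defaults[[:space:]]+!log_allowed[[:space:]]*$'

# Exit status 0 when successful sudo commands will be logged, i.e. no
# active (uncommented) "Defaults !log_allowed" line exists in file $1.
logs_successful_sudo() {
    ! grep -Eq "$RE" "$1"
}

# Option 1 from the post: write a copy of $1 to $2 with the line commented
# out. The original file is never modified in place.
comment_out_log_allowed() {
    sed -E "/$RE/s/^/# /" "$1" > "$2"
}

# Constructed sample input (not the real macOS file) so the script runs anywhere.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
# Constructed sample line for the setting discussed above
Defaults !log_allowed
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_sudoers "$dir/sudoers"
    comment_out_log_allowed "$dir/sudoers" "$dir/sudoers.new"
    for f in "$dir/sudoers" "$dir/sudoers.new"; do
        if logs_successful_sudo "$f"; then
            echo "${f##*/}: successful sudo commands are logged"
        else
            echo "${f##*/}: successful sudo commands are NOT logged"
        fi
    done
    rm -rf "$dir"
}
demo
# On a real Mac, validate the edited copy with "visudo -c -f <copy>" before
# installing it over /etc/sudoers.
```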