I need to monitor the writes from an unknown application to a known directory through creatbyproc.d. I'm going to have to leave this up and running for up to 36 hours, which will not be possible without any filters without filling up the entire HDD.

These logs get very big very quickly and I need a way to only log particular information.

Currently my command reads:

sudo creatbyproc.d > /Users/MyUser/output.txt

A good answer would filter by folder: /private/tmp/

A great answer would allow wild card filtering: /private/tmp/*.txt

  • Use grep. Here is the man page for grep on OS X; there are some differences.

    sudo creatbyproc.d | grep -E '/private/tmp/.*\.txt$' > /Users/MyUser/output.txt
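
A shell-native alternative to the grep regex, added here as an example and not part of the question or the answer above: the filter below keeps only the creatbyproc.d lines whose path matches a shell glob such as `/private/tmp/*` or `/private/tmp/*.txt`, using the shell's own `case` globbing so no regex escaping is needed and `.` stays literal. It assumes, as the grep answer does, that the created path is the last whitespace-separated field on each line; the sample lines are constructed for the demonstration, and the real tool's header and column widths may differ.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Keeps only those creatbyproc.d output lines whose file path (assumed here
# to be the last whitespace-separated field) matches a shell glob.

# filter_creat GLOB < creatbyproc.d-output
#   GLOB is a shell pattern such as '/private/tmp/*' or '/private/tmp/*.txt'.
#   The line is matched as '*<space>GLOB', i.e. the glob must match from the
#   start of the path to the end of the line. As with grep's '.*', the glob
#   '*' also crosses '/' boundaries, so '/private/tmp/*.txt' matches files in
#   subdirectories of /private/tmp as well. Paths containing spaces still
#   match because the leading '*' absorbs any earlier fields.
filter_creat() {
    pattern=$1
    while IFS= read -r line; do
        case $line in
            *" "$pattern) printf '%s\n' "$line" ;;
        esac
    done
}

# count_lines: number of lines read on stdin (used to check results).
count_lines() {
    n=0
    while IFS= read -r _; do n=$((n + 1)); done
    printf '%s\n' "$n"
}

# sample_log: constructed lines in the shape creatbyproc.d prints
# (PID, process name, created path). Not real captured output.
sample_log() {
    printf '%s\n' \
        '  412 TextEdit         /private/tmp/notes.txt' \
        '  412 TextEdit         /private/tmp/notes.txt.sb-1a2b3c' \
        '  519 Safari           /private/var/folders/xx/cache.db' \
        '  633 unknownapp       /private/tmp/dump.txt' \
        '  633 unknownapp       /private/tmp/work/report.txt' \
        '  633 unknownapp       /private/tmp/report txt'
}

# Demo on the constructed sample: prints only the /private/tmp/*.txt lines.
sample_log | filter_creat '/private/tmp/*.txt'

# Against the real tool the long-running form would be, for example:
#   sudo creatbyproc.d | filter_creat '/private/tmp/*.txt' >> /Users/MyUser/output.txt
```

Because `printf` writes each matching line as it arrives, the output file grows as events happen. With the grep pipeline, grep buffers its output when writing to a file, so the last events may sit in memory until the pipe is closed; if that matters for a run you may stop abruptly, check the grep man page on the machine for `--line-buffered` before relying on it.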
