Open
Description
What gets logged, where logs live (Unified Logging, /var/log, ASL), and how to query them. Topics: log show syntax and useful filters, finding SSH auth events, spotting failed sudo attempts, setting log retention policy, and what to look for when investigating an incident. Complements the security audit script, which captures point-in-time state.