
Greetings. I need to be able to ingest Security related log data from JAMF Pro api. Does anyone have suggestions on the API endpoints that I should focus on?


Thanks

Frank


If you are on Jamf Cloud you have to pay for Premium Cloud (+$20k/year) in order to get complete log forwarding to a SIEM.

If you are on-prem it's free by just installing a connector on the server.


The API won't give you enough information to generate proper security events.




What if we have Jamf PRO?




Jamf Pro can be hosted either in Jamf Cloud or on premises. As @afarnsworth mentions, if your Jamf Pro is hosted on Jamf servers you have to go with a Premium subscription. If your Jamf Pro is hosted on your own servers, just install your SIEM connector to forward the logs you need.

We rely on DataDogHQ as our SIEM and we use a mix of agent and Jamf Pro APIs to log the events we need. For example, we use the Jamf Pro API to collect all compliance information we can get from the device inventory, then we use the agent to collect information on events like change management, access log and Jamf Pro log.


Thanks for the info!


We don't use premium jamf cloud and we ingest data into our data cloud platform. We do this a few ways, we have an API collector that runs every so many hours and does an async pull of all device records. Then we also ingest many different webhooks for event data.
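The two replies above describe the same pattern: a scheduled pull of device inventory over the Jamf Pro API for compliance/posture data, plus webhooks for event data. The script below is an added example of that pattern; it is not code from this thread, from Jamf or from DataDog. The endpoint path `/api/v1/computers-inventory`, its `page`/`page-size`/`section` query parameters, the inventory field names (`general`, `operatingSystem`, `security`, `diskEncryption` and the keys under them) and the webhook body shape (`{"webhook": ..., "event": ...}`) are assumptions to check against your Jamf Pro API reference; the sample records are constructed so the module runs offline.

```python
"""Added example, not code from the thread or from Jamf: a minimal Jamf Pro -> SIEM
collector of the shape the replies describe (scheduled inventory pull + webhook
normalizer). Endpoint path, query parameters, inventory field names and the webhook
body shape are assumptions; verify them against your Jamf Pro API reference."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

PAGE_SIZE = 100
SECTIONS = ("GENERAL", "OPERATING_SYSTEM", "SECURITY", "DISK_ENCRYPTION")


def make_page_fetcher(base_url: str, token: str) -> Callable[[int], dict]:
    """Return fetch(page) -> one JSON page of /api/v1/computers-inventory (assumed endpoint).
    `token` is the bearer token you obtain from the Jamf Pro API auth endpoint."""
    def fetch(page: int) -> dict:
        query = urllib.parse.urlencode([("page", page), ("page-size", PAGE_SIZE)]
                                       + [("section", s) for s in SECTIONS])
        req = urllib.request.Request(f"{base_url}/api/v1/computers-inventory?{query}",
                                     headers={"Authorization": f"Bearer {token}",
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    return fetch


def iter_inventory(fetch_page: Callable[[int], dict]) -> Iterator[dict]:
    """Walk every page; stop on totalCount or an empty page so a bad server can't loop us forever."""
    page = seen = 0
    while True:
        body = fetch_page(page)
        results = body.get("results") or []
        if not results:
            return
        for record in results:
            seen += 1
            yield record
        if seen >= body.get("totalCount", seen):
            return
        page += 1


def inventory_to_event(record: dict) -> dict:
    """Flatten one inventory record into a SIEM event plus a list of posture findings."""
    general = record.get("general") or {}
    security = record.get("security") or {}
    boot = (record.get("diskEncryption") or {}).get("bootPartitionEncryptionDetails") or {}
    event = {
        "source": "jamf_pro_inventory",
        "computer_id": record.get("id"),
        "hostname": general.get("name"),
        "last_contact": general.get("lastContactTime"),
        "os_version": (record.get("operatingSystem") or {}).get("version"),
        "sip_status": security.get("sipStatus"),
        "gatekeeper_status": security.get("gatekeeperStatus"),
        "firewall_enabled": security.get("firewallEnabled"),
        "boot_volume_filevault": boot.get("partitionFileVault2State"),
    }
    # Missing data counts as a finding: an absent field must not read as compliant.
    checks = [("sip_not_enabled", event["sip_status"] != "ENABLED"),
              ("gatekeeper_disabled", event["gatekeeper_status"] in (None, "DISABLED")),
              ("firewall_not_enabled", event["firewall_enabled"] is not True),
              ("boot_volume_not_encrypted", event["boot_volume_filevault"] != "ENCRYPTED")]
    event["findings"] = [name for name, failed in checks if failed]
    return event


def webhook_to_event(payload: dict) -> dict:
    """Normalize a Jamf Pro webhook POST body (assumed {"webhook": ..., "event": ...}) the same way."""
    meta = payload.get("webhook") or {}
    event = payload.get("event") or {}
    computer = event.get("computer") or {}
    return {"source": "jamf_pro_webhook", "event_type": meta.get("webhookEvent"),
            "webhook_name": meta.get("name"), "hostname": computer.get("deviceName"),
            "serial": computer.get("serialNumber"), "trigger": event.get("trigger")}


# Constructed sample data so the module runs offline; not real Jamf output.
SAMPLE_PAGES = [
    {"totalCount": 3, "results": [
        {"id": "1", "general": {"name": "mac-001", "lastContactTime": "2024-01-01T10:00:00Z"},
         "operatingSystem": {"version": "14.2"},
         "security": {"sipStatus": "ENABLED", "gatekeeperStatus": "APP_STORE_AND_IDENTIFIED_DEVELOPERS",
                      "firewallEnabled": True},
         "diskEncryption": {"bootPartitionEncryptionDetails": {"partitionFileVault2State": "ENCRYPTED"}}},
        {"id": "2", "general": {"name": "mac-002"},
         "security": {"sipStatus": "NOT_ENABLED", "gatekeeperStatus": "DISABLED", "firewallEnabled": False}}]},
    {"totalCount": 3, "results": [{"id": "3", "general": {"name": "mac-003"}}]},
]
SAMPLE_WEBHOOK = {"webhook": {"id": 7, "name": "siem-checkin", "webhookEvent": "ComputerCheckIn"},
                  "event": {"computer": {"deviceName": "mac-001", "serialNumber": "CONSTRUCTED0"},
                            "trigger": "client_checkin"}}


def collect_sample() -> list:
    """What one scheduled run would emit, using the constructed pages instead of the network."""
    return [inventory_to_event(r) for r in iter_inventory(lambda page: SAMPLE_PAGES[page])]


if __name__ == "__main__":
    for ev in collect_sample() + [webhook_to_event(SAMPLE_WEBHOOK)]:
        print(json.dumps(ev))
```

In production you would schedule `iter_inventory(make_page_fetcher(url, token))` on the interval the reply mentions and forward each event as JSON to the SIEM, and hand incoming webhook bodies to `webhook_to_event` from whatever HTTP receiver you run. Two checks are worth keeping: the receiver should require the authentication Jamf Pro lets you configure on a webhook before it trusts a body, and the inventory pull only reports what the last inventory update recorded, so `last_contact` belongs in the event to show how stale a posture reading is.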




Hi, I have a requirement to send the below logs to the SIEM solution LogRhythm. Can you help me with how to do it? The LogRhythm agent isn't supported on Mac.

  1. Successful and failed authentication attempts
  2. Use of root privilege accounts, such as through su and sudo
  3. Denied inbound connections, e.g. those blocked by packet filter
  4. Command and shell history



@tlarkin Any chance you could provide a few details on your implementation for this?
Thanks in advance!


@tlarkin This would be helpful to our org as well if you're able to provide some more info. 




@tlarkin 

I know this is an old thread, but if you see this, can you come back here and share anything with us?  Thanks!