Account usage auditing

We have some security requirements that look for a few things:

1) we centralize server logs, so if a server is ever compromised we have copies of events we care about
2) if certain accounts are failing to log in to the server, or succeeding, alerts get generated

I know with Universal Logging much of what gets recorded on the system is no longer in a plain text log file and needs the "log" tool. Even the audit logs need "praudit" to be able to parse them.

Is anyone else succeeding in sending log files out to external systems for centralized logging (like can be done on Windows)? The only solution I've heard about involves creating a Launch Daemon to run the "log" command and spit everything out to a text file, then use third-party tools to read that in. Not great.

Has anyone else found where in the logs you can see specifically any time an account is used and has a failure (not just at login), and also all login/logout events? Jamf can show successes, but doesn't record failures.
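
For the audit-log side of the question, here is an added example (not part of the original post) that turns one-record-per-line `praudit -l` output into JSON lines a log forwarder can pick up, and separates out authentication failures for alerting. The field layout follows the BSM header/subject/text/return tokens; the event names in `WATCHED` are assumptions to check against `/etc/security/audit_event`, and the sample records are constructed.

```python
import json

# Assumed event names; confirm against /etc/security/audit_event on your hosts.
WATCHED = {"user authentication", "OpenSSH login", "login - local", "logout - local"}

# Constructed sample records in `praudit -l` layout (one record per line).
SAMPLE = [
    "header,139,11,user authentication,0,Tue Mar  5 10:15:02 2024, + 412 msec,"
    "subject,-1,root,wheel,root,wheel,245,100004,0,0.0.0.0,"
    "text,Verify password for record type Users 'admin' node '/Local/Default',"
    "return,failure : Unknown error: 5000,5000,trailer,139,",
    "header,98,11,OpenSSH login,0,Tue Mar  5 10:16:40 2024, + 77 msec,"
    "subject,jdoe,jdoe,staff,jdoe,staff,812,812,49212,203.0.113.7,"
    "text,successful login jdoe,return,success,0,trailer,98,",
    "header,120,11,execve(2),0,Tue Mar  5 10:16:41 2024, + 3 msec,"
    "exec arg,ls,path,/bin/ls,subject,jdoe,jdoe,staff,jdoe,staff,820,812,49212,"
    "203.0.113.7,return,success,0,trailer,120,",
]

def parse_record(line, delim=","):
    """Parse one `praudit -l` record into a dict; return None if it is malformed."""
    f = line.strip().rstrip(delim).split(delim)
    if len(f) < 7 or f[0] != "header" or "return" not in f:
        return None
    r = len(f) - 1 - f[::-1].index("return")  # position of the last return token
    if r + 1 >= len(f):
        return None
    rec = {"event": f[3], "time": f[5], "audit_user": None, "detail": None,
           "outcome": "failure" if f[r + 1].startswith("failure") else "success"}
    if "subject" in f and f.index("subject") + 1 < len(f):
        rec["audit_user"] = f[f.index("subject") + 1]  # audit ID, -1 if unset
    if "text" in f and f.index("text") < r:
        # Re-join so a comma inside the text token does not truncate it.
        rec["detail"] = delim.join(f[f.index("text") + 1:r])
    return rec

def forwardable(lines, watched=WATCHED):
    """Return JSON lines for watched events, ready to append to a forwarded file."""
    recs = (parse_record(line) for line in lines)
    return [json.dumps(r, sort_keys=True) for r in recs if r and r["event"] in watched]

def failures(lines, watched=WATCHED):
    """Return only the watched records whose return token reports a failure."""
    recs = [json.loads(j) for j in forwardable(lines, watched)]
    return [r for r in recs if r["outcome"] == "failure"]

if __name__ == "__main__":
    print("\n".join(forwardable(SAMPLE)))
```
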