Posted on 06-26-2018 12:36 PM
Way overdue, but working on trying to extract certain events from the unified logs and sending to our syslog server. Anyone tackle this at all? Alternate plan is to use the BSM logs, but trying to figure out what the cleanest approach is.
Posted on 06-26-2018 02:12 PM
It's been on my list of to-dos for a while too. I have this bookmarked as a starting point, but that is as far as I have gone... : )
https://eclecticlight.co/?s=log
C
Posted on 06-26-2018 05:51 PM
Talk to the guys at https://cmdsec.com/
Posted on 06-27-2018 06:36 AM
OSX uses syslogd. Simply configure it to forward /var/log/jamf.log events to a different syslogd server. https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data
Posted on 06-27-2018 06:45 AM
Uses syslog, yes. But with the new-style unified logging, there's nothing IN the syslog unless we put it there. That's the challenge.
Not everything we're requiring is in the jamf.log; some of it isn't being written to disk at all anymore. Thus the need to scrape the unified logs and forward relevant entries.
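One way to do exactly what the last reply describes (pull selected entries out of the unified log and forward them to a syslog collector) is shown below. This is an added example, not code posted by anyone in the thread: it runs `log stream --style syslog` with a predicate, turns each matching line into an RFC 5424 message and sends it over UDP. The predicate, the collector hostname/port and the sample line used for the self-check are assumed or constructed values, so adjust them for your environment.

```python
"""Forward selected macOS unified-log entries to a remote syslog server.

Added illustration, not code from anyone in the thread. It runs
`log stream --style syslog` with a predicate, turns every matching entry
into an RFC 5424 syslog message and sends it over UDP. The predicate, the
collector address and the sample line used for the self-check are
assumptions/constructed values; adjust them for your environment.
"""
import re
import socket
import subprocess
from datetime import datetime
from typing import Dict, Iterator, Optional

# Assumed collector address (placeholder): replace with your syslog server.
SYSLOG_HOST = "syslog.example.internal"
SYSLOG_PORT = 514

# Assumed predicate: which unified-log entries are worth forwarding.
PREDICATE = 'process == "sudo" OR subsystem == "com.apple.securityd"'

FACILITY_USER = 1   # RFC 5424 facility "user-level messages"
SEV_INFO = 6        # RFC 5424 severity "informational"

# One entry per line in `--style syslog` output, e.g. (constructed):
#   2018-06-27 06:45:00.123456-0400  mac01 sudo[4242]: (libpam) jdoe : TTY=ttys000 ; COMMAND=/bin/ls
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s*"
    r"(?P<msg>.*)$"
)


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one `log stream --style syslog` line into its fields.

    Returns None for header/filter lines that do not look like an entry.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def to_syslog(entry: Dict[str, str], facility: int = FACILITY_USER,
              severity: int = SEV_INFO) -> str:
    """Render a parsed entry as an RFC 5424 message.

    The unified-log timestamp (local time with a numeric offset) becomes an
    RFC 3339 timestamp; PROCID is the PID; MSGID and structured data are
    left as the nil value "-".
    """
    ts = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S.%f%z").isoformat()
    pri = facility * 8 + severity
    return "<{}>1 {} {} {} {} - - {}".format(
        pri, ts, entry["host"], entry["proc"], entry["pid"], entry["msg"])


def stream_entries(predicate: str = PREDICATE) -> Iterator[Dict[str, str]]:
    """Yield parsed entries from a live `log stream` filtered by `predicate`."""
    cmd = ["log", "stream", "--style", "syslog", "--predicate", predicate]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            entry = parse_entry(line)
            if entry:
                yield entry


def forward(messages, host: str = SYSLOG_HOST, port: int = SYSLOG_PORT) -> int:
    """Send each syslog message as one UDP datagram; returns the count sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    # Runs only on macOS: stream matching entries until interrupted.
    forward(to_syslog(e) for e in stream_entries())
```

The predicate is where the real filtering happens: narrowing it at the source keeps the volume manageable and avoids shipping chatty subsystems off the box. UDP 514 is used here for simplicity; for anything sensitive, point the collector at a TLS-capable receiver and switch `forward` to a TCP/TLS socket.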