Anyone sending log info to syslog?

Taylor_Armstron
Valued Contributor

Way overdue, but working on trying to extract certain events from the unified logs and sending to our syslog server. Anyone tackle this at all? Alternate plan is to use the BSM logs, but trying to figure out what the cleanest approach is.


gachowski
Valued Contributor II

It's been on my list of to-dos for a while too.. I have this bookmarked as a starting point, but that is as far as I have gone... : )

https://eclecticlight.co/?s=log

C

ericbenfer
Contributor III

Talk to the guys at https://cmdsec.com/

sullrich
New Contributor III

OSX uses syslogd. Simply configure it to forward /var/log/jamf.log events to a different syslogd server. https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

Taylor_Armstron
Valued Contributor

Uses syslog, yes. But with the new-style unified logging, there's nothing IN the syslog unless we put it there. That's the challenge.

Not everything we're requiring is in the jamf.log, some isn't being written to disk at all anymore. Thus the need to scrape the unified logs and forward relevant entries.
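One way to do the scraping and forwarding described in this thread, added here as an example and not code from any of the posters: pipe the output of `log show --style ndjson` (or `log stream --style ndjson`) through a small Python filter that keeps records from chosen subsystems at or above a chosen severity and emits them as RFC 5424 syslog over UDP. The subsystem names, hostname, server address and the NDJSON sample lines below are constructed assumptions, not captured data.

```python
import json
import socket
from datetime import datetime

# RFC 5424 severity codes for the messageType values the unified log emits.
SEVERITY = {"Fault": 2, "Error": 3, "Default": 6, "Info": 6, "Debug": 7}
FACILITY_USER = 1

# Constructed sample of `log show --style ndjson` output (not real captured data).
SAMPLE_NDJSON = """\
{"timestamp":"2023-03-14 09:15:02.123456-0500","messageType":"Default","subsystem":"com.apple.loginwindow","category":"Default","process":"loginwindow","processID":412,"eventMessage":"USER_PROCESS: 412 console"}
{"timestamp":"2023-03-14 09:15:03.000001-0500","messageType":"Error","subsystem":"com.apple.securityd","category":"security_exception","process":"securityd","processID":97,"eventMessage":"Session 100004 not found"}
{"timestamp":"2023-03-14 09:15:04.500000-0500","messageType":"Debug","subsystem":"com.example.noise","category":"ui","process":"Finder","processID":512,"eventMessage":"redraw"}
"""

# Assumed list of subsystems worth forwarding; tune to what your SIEM needs.
WANTED_SUBSYSTEMS = {"com.apple.loginwindow", "com.apple.securityd"}


def to_syslog(record, hostname="mac-placeholder.example"):
    """Format one unified-log record as an RFC 5424 syslog line."""
    severity = SEVERITY.get(record.get("messageType", "Default"), 6)
    pri = FACILITY_USER * 8 + severity
    # log show prints e.g. "2023-03-14 09:15:02.123456-0500"; convert to RFC 3339.
    ts = datetime.strptime(record["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z").isoformat()
    app = record.get("process", "-")
    procid = record.get("processID", "-")
    msgid = record.get("subsystem", "-")
    sd = f'[unified category="{record.get("category", "-")}"]'
    return f"<{pri}>1 {ts} {hostname} {app} {procid} {msgid} {sd} {record['eventMessage']}"


def select_records(ndjson_text, subsystems, min_severity=6):
    """Keep records from wanted subsystems whose severity is <= min_severity (lower = worse)."""
    out = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("subsystem") in subsystems and SEVERITY.get(rec.get("messageType"), 6) <= min_severity:
            out.append(rec)
    return out


def forward(lines, host, port=514):
    """Send formatted syslog lines to the collector over UDP (TCP/TLS is a small change)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    msgs = [to_syslog(r) for r in select_records(SAMPLE_NDJSON, WANTED_SUBSYSTEMS)]
    print("\n".join(msgs))
    # forward(msgs, "syslog.example.internal")  # assumed collector; enable for real use
```

In production, replace SAMPLE_NDJSON with `sys.stdin.read()` and run it as `log stream --style ndjson --predicate 'subsystem == "com.apple.loginwindow"' | python3 forward.py` from a LaunchDaemon; the `--predicate` does the coarse filtering on the Mac so only relevant entries reach the script.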