Exporting Mac syslogs

Contributor III

We have a request to export logs from Mac systems to a central ArcSight server.
There is a lot to unpack for this request.

What logs should be sent. All logs is not the correct answer. What logs are you exporting?

There is no Mac client for ArcSight (like Splunk). Besides Splunk, what are others doing to export logs?
Even though this is from Splunk, these instruction seem to be agnostic enough to exporting syslog data. – https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

As an alternative, I am thinking "exporting" the Jamf server's computer history logs would be good.
Is anyone exporting Jamf Server logs?


Valued Contributor II


So this might not help but I'll try ... a few years back we tested this code to export the syslog and it looked like it worked.. after a few tries we were able to tell when a usb drive was plugged in but it wasn't important enough... it kinda just brought up bigger questions like what is are events that somebody needs to know about and how does that process look in our org.. Yes that order doesn't make sense but that is how we got it working : ) and most of it came from your Splunk link...

That said I think with Sierra Apple changed how logging works so I don't think this will work anymore ( not that I have tried) I have booked marked this page for when I want to dig back into it...

Hopefully this is enough to get you started...


# Stopping syslog to edit
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

#Adding sshd module to syslog need for full CIS syslog fowarding
syslog -module com.openssh.sshd enable 1

# Restarting syslog
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

# Appending the following line to syslog.conf for syslog fowarding
echo "*.*   @XXX.XXX.XXX.XXX:9997" >> /etc/syslog.conf

# Starting and stoping syslog.plist for syslog fowarding
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 3
launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist


Contributor III

useful discussion so I thought I'd update it.
On 10.14, and probably 10.13, you can't unload com.apple.syslogd.plist because of SIP. You can however

echo ". @XXX.XXX.XXX.XXX:9997" >> /etc/syslog.conf

then restart the device.

Valued Contributor

Take a look at CmdReporter. New tool, very responsive developer. We're about to trial it for this exact scenario - Mac logs to ArcSight. https://cmdsec.com/cmdreporter/