@ericbenfer
So this might not help but I'll try ... a few years back we tested this code to export the syslog and it looked like it worked.. after a few tries we were able to tell when a usb drive was plugged in but it wasn't important enough... it kinda just brought up bigger questions like what is are events that somebody needs to know about and how does that process look in our org.. Yes that order doesn't make sense but that is how we got it working : ) and most of it came from your Splunk link...
That said I think with Sierra Apple changed how logging works so I don't think this will work anymore ( not that I have tried) I have booked marked this page for when I want to dig back into it...
Hopefully this is enough to get you started...
https://eclecticlight.co/?s=log
#!/bin/sh
# Stopping syslog to edit
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
#Adding sshd module to syslog need for full CIS syslog fowarding
syslog -module com.openssh.sshd enable 1
# Restarting syslog
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
# Appending the following line to syslog.conf for syslog fowarding
echo "*.* @XXX.XXX.XXX.XXX:9997" >> /etc/syslog.conf
# Starting and stoping syslog.plist for syslog fowarding
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 3
launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist
C
