I am being tasked with sorting out a solution for macOS SysLog redirection. Security is wanting/needing macOS user Authentication logs among other logs. Most of the tools I am seeing died when Apple updated to Universal Logging. I'm working with our Splunk team to see what options we have with Splunk. However, I am wondering what other organizations and admins are doing for log redirection.
lol. So far I am running dry. Most all applications that did this died with the universal logging migration. Not so universal I guess...
Apple has recommended two solutions, neither of which seems viable. Though the Apple Engineer did mention these were from old notes he had from years ago.
I have not attempted to build either of the tools above yet. I need to follow back up on the suggestions on this thread and see where I get.
Lastly, JAMF recommended using JAMF Protect. I do not have experience with that client yet, but we will see.
With the NXLog collector you have to configure both parts of the story:
1. Log collection on the macOS side
2. Forwarding the collected logs to the selected datastore (Splunk in your case).
What is the step you're stuck at? NXLog is really flexible, so it requires some manual configuration, but at the end of the day you are going to benefit exactly from this :)
It isn't just for compliance, but check out Jamf Compliance Reporter. That will help. Splunk now does Unified Logging forwarding, but basically it's just dumping the last 15 minutes or so of unified logging to a file and ingesting it over and over.
also <eatingpopcorn/> though I'd settle for being able to collect good information about what users have done with their admin rights, e.g. sudo and things they installed because they couldn't find them in Self Service... I don't really need to know how many times softwareupdated failed to get the bridge device or the inscrutable firehose of Apple's unified logging...
I assume when you're shipping that off to something like Splunk or a SIEM that you've got a really nasty set of predicates to pull out a lot less noise?
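One way to implement what the last two posts describe, a `log show` predicate that drops the noise on the Mac plus a checkpoint so overlapping "last 15 minutes" dumps are not ingested twice, as an added example that is not code from this thread, Splunk or NXLog. The process allow-list, the ndjson field names and the sample records are assumptions constructed for the example.

```python
import json
from datetime import datetime

# Processes whose unified-log records carry user-authentication or
# privilege-use evidence. This allow-list is an assumption for the example,
# not an Apple-published reference.
AUTH_PROCESSES = {"sudo", "loginwindow", "opendirectoryd", "authd"}

# Constructed sample records in the shape of `log show --style ndjson`
# output (one JSON object per line; the field names are assumed here).
SAMPLE_NDJSON = """\
{"timestamp":"2023-05-01 09:00:01.000000-0700","process":"sudo","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/dscl"}
{"timestamp":"2023-05-01 09:00:05.000000-0700","process":"softwareupdated","eventMessage":"Failed to get bridge device"}
{"timestamp":"2023-05-01 09:01:10.000000-0700","process":"loginwindow","eventMessage":"Login Window Application Started"}
{"timestamp":"2023-05-01 09:02:00.000000-0700","process":"opendirectoryd","eventMessage":"Authentication succeeded for alice"}
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f%z"  # timestamp layout used in the records above


def build_predicate(processes=AUTH_PROCESSES):
    """Compose the --predicate argument for `log show` so the noise is dropped
    on the Mac itself, before anything is written out for the forwarder."""
    return " OR ".join(f'process == "{p}"' for p in sorted(processes))


def filter_auth_events(ndjson_text, checkpoint=None):
    """Return (events, new_checkpoint). Only records newer than `checkpoint`
    are considered, so when consecutive `log show --last 15m` windows overlap,
    records already forwarded are not emitted again."""
    events = []
    newest = checkpoint
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["timestamp"], TS_FMT)
        if checkpoint is not None and ts <= checkpoint:
            continue  # already shipped in an earlier window
        if newest is None or ts > newest:
            newest = ts  # advance the checkpoint past every scanned record
        if rec.get("process") not in AUTH_PROCESSES:
            continue  # not authentication-related: drop it
        events.append({"time": ts.isoformat(), "process": rec["process"],
                       "message": rec["eventMessage"]})
    return events, newest
```

Persist the returned checkpoint between runs; a re-read of the same window then yields no events, and the softwareupdated record never leaves the host.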