MacOS SysLog Redirection

AJPinto
Honored Contributor II

I am being tasked with sorting out a solution for macOS SysLog redirection. Security is wanting/needing macOS user Authentication logs among other logs. Most of the tools I am seeing died when Apple updated to Universal Logging. I'm working with our Splunk team to see what options we have with Splunk. However, I am wondering what other organizations and admins are doing for log redirection.


sdagley
Esteemed Contributor II

(eating popcorn) I'm looking forward to you posting what you find out as this topic has been on my "Things to wonder about if I had available time to wonder about them" list for a while.

AJPinto
Honored Contributor II

lol. So far I am running dry. Most all applications that did this died with the universal logging migration. Not so universal I guess...

Apple has recommended two solutions, neither of which seems viable. Though the Apple Engineer did mention these were from old notes he had from years ago.

  • LogFaces - This application seems to be currently patched. However, the vendor does not have an SSL certificate on their site and they are not using a licensed version of Eclipse for their application. To me those kinds of things are usually red flags.
  • Papertrail - This is a SolarWinds product; as per usual it needs a tool to run on macOS to have logs redirected. This tool is of course 3rd party and not supported, and has not been updated in 4 years. Generally speaking I try to avoid stuff that has not been updated in the last 12 months.

I have not attempted to build either of the tools above yet. I need to follow back up on the suggestions on this thread and see where I get.


Lastly JAMF Recommended using JAMF Protect. I do not have experience with that client yet, but we will see.

mthoma
New Contributor III

I tried nxlog and had a hard time understanding how to configure for specific logs to be stored on our syslog server - their documentation did not help much. Now looking for something simpler but haven't had much time with other priorities.

Hi,
I am Gábor from NXLog presales. I would like to help you with the NXLog configuration. We are continuously working on our macOS features and even the documentation to make it easier to use, and for this purpose any feedback is welcome. Please contact us at presales@nxlog.org

romank
New Contributor

With NXLog collector you have to configure both parts of the story:

1. Log collection on macOS side
2. Forwarding collected logs to the selected datastore (Splunk in your case).

What is the step you're stuck at? NXLog is really flexible, so it requires some manual configuration, but at the end of the day you are going to benefit exactly from this :)

AJPinto
Honored Contributor II

It's a first for me in seeing a "vendor" make an account on JAMF Nation for the purpose of replying to a comment lol.

I will dig in to NXLog, thank you.

romank
New Contributor

Not just one, but two accounts! lol

We are really open at NXLog to any user feedback. Should you have any questions, you are welcome here or via DM.

boberito
Valued Contributor

It isn't just for compliance, but check out Jamf Compliance Reporter. That will help. Splunk now does Unified Logging forwarding, but basically it's just dumping the last 15 minutes or so of unified logging to a file and ingesting it over and over.

gabester
Contributor III

also (eating popcorn) though I'd settle for being able to collect good information about what users have done with their admin rights e.g. sudo and things they installed because they couldn't find them in Self Service... I don't really need to know how many times softwareupdated failed to get bridge device or the inscrutable firehose of Apple's unified logging...

I assume when you're shipping that off to something like splunk or a SIEM that you've got a really nasty set of predicates to pull out a lot less noise?
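The two points raised above (boberito's note that the Splunk approach re-dumps the last 15 minutes of the unified log over and over, and gabester's question about the predicate needed to cut the noise down to sudo and authentication events) can be put together in one small collector. The script below is an added example for this thread, not code from Jamf, Apple, Splunk or NXLog. It assumes `log show` with `--style ndjson` (macOS 11 or later), a python3 interpreter on the endpoint, and two assumed paths: a state file that records where the last window ended, so each run asks only for what is new rather than replaying the same 15 minutes, and an ndjson output file that the Splunk forwarder monitors. The predicate is an assumed starting point (sudo for privilege use, loginwindow for console logins, opendirectoryd for password verification), not an Apple-published list; the sample records used to exercise the parser are constructed for the example.

```python
"""Collect authentication-relevant unified-log events on macOS and append them
as newline-delimited JSON for a SIEM file monitor (Splunk universal forwarder).

Added example, not vendor code. Assumes: /usr/bin/log with --style ndjson
(macOS 11+), python3 on the endpoint, and the two assumed paths below."""
import json
import os
import subprocess
from datetime import datetime, timedelta

# Assumed starting-point predicate: sudo (privilege use), loginwindow (console
# logins/unlocks) and opendirectoryd (password verification). Tune per fleet.
PREDICATE = (
    'process == "sudo" '
    'OR subsystem == "com.apple.loginwindow" '
    'OR subsystem == "com.apple.opendirectoryd"'
)
STATE_FILE = "/var/db/ul-forwarder.state"  # assumed path: last --end we collected
OUTPUT_FILE = "/var/log/ul-auth.ndjson"    # assumed path: point the Splunk monitor here
TIME_FMT = "%Y-%m-%d %H:%M:%S"             # format `log show --start/--end` accepts


def build_log_command(start, end):
    """argv for `log show` over the window [start, end]."""
    return [
        "/usr/bin/log", "show",
        "--start", start.strftime(TIME_FMT),
        "--end", end.strftime(TIME_FMT),
        "--predicate", PREDICATE,
        "--info",             # include Info-level messages, not only Default
        "--style", "ndjson",  # one JSON object per line
    ]


def normalize(raw_line, host):
    """Reduce one ndjson record from `log show` to the fields a SIEM needs.
    Returns None for blank/non-JSON lines and for non-log events (activity,
    signpost and state events are emitted too and carry no message)."""
    raw_line = raw_line.strip()
    if not raw_line.startswith("{"):
        return None
    rec = json.loads(raw_line)
    if rec.get("eventType") != "logEvent":
        return None
    return {
        "timestamp": rec.get("timestamp"),
        "host": host,
        "process": os.path.basename(rec.get("processImagePath") or ""),
        "pid": rec.get("processID"),
        "subsystem": rec.get("subsystem") or "",
        "category": rec.get("category") or "",
        "level": rec.get("messageType"),
        "message": rec.get("eventMessage", ""),
    }


def process_output(text, host):
    """Normalize and de-duplicate one run's output. Rows are keyed on
    (timestamp, pid, message) because a record exactly on the window boundary
    can be returned by two consecutive runs."""
    seen, events = set(), []
    for line in text.splitlines():
        ev = normalize(line, host)
        if ev is None:
            continue
        key = (ev["timestamp"], ev["pid"], ev["message"])
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events


def read_cursor(state_file, now):
    """Start of the next window: the last --end we wrote, or 15 minutes ago on
    a fresh install. A stale cursor (host asleep for days) is clamped to 24h so
    one run does not dump a week of log into the monitored file."""
    try:
        with open(state_file) as f:
            cursor = datetime.strptime(f.read().strip(), TIME_FMT)
    except (OSError, ValueError):
        cursor = now - timedelta(minutes=15)
    return max(cursor, now - timedelta(hours=24))


def _run_log(argv):
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def run_once(now=None, host=None, state_file=STATE_FILE,
             output_file=OUTPUT_FILE, run_cmd=_run_log):
    """Collect one window, append it to output_file, advance the cursor.
    run_cmd(argv) -> str is injectable so the pipeline can be tested off-Mac."""
    now = now or datetime.now()
    host = host or os.uname().nodename
    start, end = read_cursor(state_file, now), now
    events = process_output(run_cmd(build_log_command(start, end)), host)
    with open(output_file, "a") as out:
        for ev in events:
            out.write(json.dumps(ev) + "\n")
    with open(state_file, "w") as f:          # advance only after a successful write
        f.write(end.strftime(TIME_FMT))
    return events


# Constructed sample of `log show --style ndjson` output (not captured from a
# real host): a duplicated sudo line and a loginwindow activity + log pair.
SAMPLE_NDJSON = """\
{"timestamp":"2024-03-01 09:15:02.123456-0500","eventType":"logEvent","processImagePath":"/usr/bin/sudo","processID":4312,"subsystem":"","category":"","messageType":"Default","eventMessage":"jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/sbin/installer -pkg /tmp/tool.pkg -target /"}
{"timestamp":"2024-03-01 09:15:02.123456-0500","eventType":"logEvent","processImagePath":"/usr/bin/sudo","processID":4312,"subsystem":"","category":"","messageType":"Default","eventMessage":"jdoe : TTY=ttys001 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/usr/sbin/installer -pkg /tmp/tool.pkg -target /"}
{"timestamp":"2024-03-01 09:16:40.000100-0500","eventType":"activityCreateEvent","processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","processID":211,"subsystem":"com.apple.loginwindow","category":"Login","messageType":null,"eventMessage":""}
{"timestamp":"2024-03-01 09:16:41.500000-0500","eventType":"logEvent","processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow","processID":211,"subsystem":"com.apple.loginwindow","category":"Login","messageType":"Info","eventMessage":"Login Window Application Started"}
"""

if __name__ == "__main__":
    # Run from a LaunchDaemon every few minutes; Splunk monitors OUTPUT_FILE.
    print(f"forwarded {len(run_once())} events")
```

Running it as a LaunchDaemon every few minutes gives a continuous feed without the repeated 15-minute dumps; the state file is what makes each run incremental, and it is only advanced after the output file has been written, so a failed run is retried rather than lost. The predicate does the noise reduction on the endpoint, which is cheaper than shipping the firehose and filtering in Splunk, and the sudo lines in particular carry the TTY, working directory and full COMMAND, which is exactly the admin-rights audit trail asked for above.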