Syslog message tagging

sgoetz
Contributor

My Security team wants me to set up Syslog to forward all authpriv messages to their Syslog server. I have done that with authpriv.* remoteIP

However, they also want me to tag the messages with WORKSTATION. Does anyone know of a way to do that? This will be for all of our Mac clients.

Thanks,

Shawn


gachowski
Valued Contributor II

@sgoetz

Shawn, I don't have an answer for you... but I do have a question... as I also want to forward the syslogs to Splunk... and I can do that if I manually edit /etc/syslog.conf; it forwards correctly, just like this link says to do...

https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

However, when I try to automate adding the forwarding info it doesn't work. I have tried a few different types of scripts and just replacing syslog.conf with a manually edited syslog.conf with a .pkg in Composer, and I can't get it to work.

How did you automate it or has anybody automated it?

Thanks

C

sgoetz
Contributor

Hey @gachowski

I haven't tested using JAMF yet, but I wrote a quick script that's basically like this:

# Append the forwarding rule. The selector and the target must be separated by a
# literal tab, so use printf with \t rather than echo with a space.
printf 'authpriv.*\t@remoteIP\n' >> /etc/syslog.conf
# Restart syslogd so it re-reads /etc/syslog.conf
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

One thing to note: the space between authpriv.* and @remoteIP has to be a TAB character.

Hope this helps

Thanks
Shawn
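
An added example that is not from the thread above: a small POSIX shell helper that appends the forwarding rule from Shawn's script idempotently (safe to run from a startup script more than once), writes the selector and target with a literal tab, and can verify that a real tab, not spaces, separates the fields. The configuration path, selector and remote address are parameters so the functions can be exercised against a temporary file; reload_syslogd is the unload/load pair from the post and is only meant to run as root on the Mac itself.

```shell
#!/bin/sh
# Idempotently add "selector<TAB>@remote" to a syslog.conf-style file.
# $1 = config file (e.g. /etc/syslog.conf), $2 = selector (e.g. authpriv.*),
# $3 = remote host or IP of the collector.
add_syslog_forward() {
    conf="$1"; selector="$2"; remote="$3"
    # printf's \t guarantees a literal tab between the fields
    rule="$(printf '%s\t@%s' "$selector" "$remote")"
    # -F fixed string, -x whole-line match, -q quiet: skip if already present
    if [ -f "$conf" ] && grep -qxF -- "$rule" "$conf"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Returns 0 only if the rule exists with a tab (not spaces) between the
# selector and the target, which is the mistake the post above warns about.
has_syslog_forward() {
    conf="$1"; selector="$2"; remote="$3"
    rule="$(printf '%s\t@%s' "$selector" "$remote")"
    grep -qxF -- "$rule" "$conf"
}

# Restart syslogd so it picks up the edited configuration (from the thread).
reload_syslogd() {
    plist=/System/Library/LaunchDaemons/com.apple.syslogd.plist
    launchctl unload "$plist"
    sleep 1
    launchctl load -w "$plist"
}
```

Running add_syslog_forward twice leaves a single rule, so the helper can live in a startup script without growing the file on every boot.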

gachowski
Valued Contributor II

Thanks Shawn, : ) I knew about the tab : ) but I didn't try echo : ) I'll give it a try Monday!!!!

C

gachowski
Valued Contributor II

@sgoetz Shawn,

Just an FYI, that didn't work in my startup script.... the right info is in syslog.conf but it's not sending data to the Splunk server : )

Thanks for your help!!! : )
C

gachowski
Valued Contributor II

@sgoetz

Shawn,

I screwed up my testing : )... I will follow up later today : )

C

gachowski
Valued Contributor II

@sgoetz

Thanks Shawn.... your suggestion did end up working in our 1st run script...

: ) C