topic Re: Getting Events from MAC OS in Getting Data In

Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?

dokaas_2 — Thu, 17 Feb 2022 00:22:43 GMT

I'm a Windows guy working with Linux trying to get MAC OS events into Splunk. We don't have many MACs where I work, but we do have some. Does anyone have reference material on the inputs.conf for MAC OSs and how I get the events into Splunk? The Splunk UF is installed, but I need to know more about what to monitor on MAC OSs.

Re: Getting Events from MAC OS

isoutamo — Fri, 07 May 2021 17:56:39 GMT

Unfortunately there is no good native way to do it after Apple changed it's logging framework without any external programs/utils.

Here is some like which you could look:

Of course you must 1st know what you want to log from those nodes.

If those logs which you are interested are normal file based logs then collect those as any other logs in unix platforms.

r. Ismo

Re: Getting Events from MAC OS

magichat — Wed, 16 Feb 2022 06:19:45 GMT

You can see it at Universal logging and Jamf Protect

https://docs.jamf.com/jamf-protect/documentation/Unified_Logging.html

Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?

MaverickT — Sun, 28 Aug 2022 11:10:49 GMT

Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security:

https://splunkbase.splunk.com/app/6561/

I also published an app to visualize key security-relevant events from MacOS datasource:

https://splunkbase.splunk.com/app/6562/

Any improvement requests are welcome.

Re: Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?

cbastashutterfl — Mon, 31 Oct 2022 17:30:41 GMT

I am VERY interested in this. What did you use for your inputs from the UFA on the Mac endpoints?