topic Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog in Getting Data In

How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

helpdeskinc — Mon, 17 Sep 2012 20:43:53 GMT

Hi,
new here and to splunk - i'm hoping to use splunk to help audit security events under OS X server (running 10.7.4) for both Apple File Server events and SMB server events.

I've got splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to splunk via adding this to syslog.conf and bouncing syslogd after:
. @{my.server.ip.address}

splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.

Any ideas? I can see some historical events of these tyoes in the system.log viewer in the Console, but my test events don't show up there either.

thank you for any help!
-a

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

MarioM — Tue, 18 Sep 2012 05:30:24 GMT

it should be all in /var/log or /Library/Logs and if you enabled logging in file sharing it should be there /Library/Logs/AppleFileService/AppleFileServiceAccess.log

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

helpdeskinc — Tue, 18 Sep 2012 15:10:43 GMT

you would think so, no?

so here is where it gets hinky. in OS X 10.7 Server, Apple has removed the log settings from the file sharing UI and it looks like nothing is getting logged into the AFS log, nor is there an SMBd log that I can see.

so, the original question is where I'm still at. how to configure syslogd to be grabbing these events and sending them out to splunk. as I said before, some AFS events have shown up in the system.log but my test connections haven't. and, how can we enable the AFS/SMB logging when it seems like Apple has taken away those knobs and dials?

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

MarioM — Tue, 18 Sep 2012 20:09:29 GMT

have you try that to enable looging?
-Open NetInfo Manager (found in the Applications/Utilities folder).
-In NetInfo Manager, choose /config/AppleFileServer.
-Choose the "activity_log" property. Change its value from "0" to "1".
-Choose "Save" from the NetInfo Manager "Domain" menu.
-Stop and restart File Sharing in System Prefs.
-Find your log in /Library/Logs/ApplefileService/AppleFileServiceAccess.log

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

MarioM — Tue, 18 Sep 2012 20:12:15 GMT

or this:
to enable AFP logging you have to open with root privileges

/Library/Preferences/com.apple.AppleFileServer.plist

and set

activityLog

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

MarioM — Tue, 18 Sep 2012 20:13:41 GMT

But really this a question for Apple forums as if there is no data available anywhere then there is nothing that splunk can do

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

helpdeskinc — Wed, 26 Sep 2012 19:19:37 GMT

ok, so setting the activityLog key to true has made it send some info for AFS into the system log. thanks for that, MarioM. There are some options in that prefs file that imply that it should log file/folder actions but I don't see any being logged.

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

MarioM — Wed, 26 Sep 2012 21:00:24 GMT

then if this answered you question please accept the answer for those having similar question.Thanks.