topic Re: Mac OS client logs into splunk in Installation

Mac OS client logs into splunk

jbygden — Sat, 06 Jun 2020 16:11:01 GMT

I'm tasked with getting our Mac OS clients (desktops and laptops) to log the following to splunk:

Authentication success
Authentication failures
Invalid login
Adding/removing user accounts
User Account Modification
Installation of software
Modification of relevant configuration, such as firewall, logs etc

I can't find any configuration docs for getting these types of logs from OS X -> splunk.
After reading a couple of the answers here I also found that noone seems to have had any problems with it or at least not asked any questions about it, besides that the asl(syslog)-files in OS X now is binary and hence not read by the universal forwarder.

Am I really the first one to wonder how this should be done?

Re: Mac OS client logs into splunk

bgstein — Fri, 14 Apr 2017 18:25:02 GMT

I share your pain... Did you make progress with this?

There is an old document that doesn't seem to work for current versions of Mac OS X:
https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

Re: Mac OS client logs into splunk

somesoni2 — Fri, 14 Apr 2017 20:27:11 GMT

A similar discussion is here. Not sure how useful it is.

https://community.spiceworks.com/topic/562291-how-to-audit-log-file-access-events-on-mac-os-x

Re: Mac OS client logs into splunk

jbygden — Fri, 14 Apr 2017 22:02:41 GMT

After having created a support case with splunk and chatting with an employee I've deployed the downloadable pkg to some of my Macs and it seems to work pretty good.

Be aware of the applescripts that make assumptions that's probably not relevant for anyone though.

Re: Mac OS client logs into splunk

eredux — Thu, 31 Aug 2017 18:22:52 GMT

I would greatly appreciate finding out more about this said package? please. Can you share your contact at Splunk with me?

Re: Mac OS client logs into splunk

jbygden — Fri, 01 Sep 2017 07:15:40 GMT

Apparently he's not with splunk anymore...

Re: Mac OS client logs into splunk

dfronck — Tue, 19 Sep 2017 15:57:56 GMT

I think they just used the Universal Forwarder. The first line of the install instructions says this.

Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens.

Re: Mac OS client logs into splunk

Greendav — Sun, 15 Sep 2019 23:33:27 GMT

Has anybody found a solution on how to get Mac OS client logs into splunk ?

Re: Mac OS client logs into splunk

eredux — Mon, 16 Sep 2019 10:04:10 GMT

I have posted some MacOS configuration info here https://patent-ed.com/category/os/splunk/ - I also know CMDSecurity has an app to help with this and more https://www.cmdsec.com/cmdreporter/

Re: Mac OS client logs into splunk

dfronck — Mon, 16 Sep 2019 11:20:59 GMT

Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.

My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html

#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE.

DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh   # Setup the date file.
DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt   # Setup the date file.
if [ ! -e "$DATE_FILE" ]                # Does the date file exist.
then                            # No. date file does not exist.
  if [ ! -e "$DATE_PATH" ]
  then
    mkdir $DATE_PATH
  fi
  date -v -1w +"%F %T" > $DATE_FILE         # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi

START_DATE=`cat $DATE_FILE`             # Set start date for log reading.
date +"%F %T" > $DATE_FILE              # Set new start date for next run. 
END_DATE=`cat $DATE_FILE`               # Set end date for log reading.

# File with keywords to grep from logs.
INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf

# File with keywords to exclude from logs.
EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf

# Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []

# Should really have an if to check for the existance of include/exclude
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE