I've got Forwarder set up on our OSX fleet with a modified BSM parsing app (link below) to parse and forward the logs in /var/audit. The problem is that BSM logs are created with root:wheel ownership. While chowning the dir works fine for all current logs, once the logs are rotated, the new file is again owned by root:wheel. Due to this, Forwarder is unable to open them. So this leaves me with a few options:
1. Run Forwarder as a separate, privileged user in the wheel group.
2. Add the users to the wheel group (cringe).
3. Set a config somewhere to force all new /var/audit logs to be created with different perms.
Option 3 would be the best, but I'm unable to find anything via my google-fu on how to do this with OpenBSM. Option 2 is a no-go for obvious reasons, which leaves me with option 1 as far as I can tell. Is this really the best route to go, or am I missing another (and better) approach for deploying Forwarder?
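Whichever option is chosen, the failure mode described above (a freshly rotated trail that the forwarder silently cannot open) is easy to catch with a post-rotation health check. The following is an added example, not code from the original post or from Splunk; it assumes a hypothetical forwarder account name (here `splunkfwd`) that is not a member of the files' group, so a file is only readable to it if it owns the file or the world-read bit is set.

```shell
#!/bin/sh
# Constructed example: list audit-trail files a non-root forwarder account could
# not read, so the check can run from cron/launchd after each rotation and alert
# before ingestion silently stops. Group-read is deliberately ignored because the
# assumed account is not in the trail files' group (root:wheel).

# Print every regular file under DIR (e.g. /var/audit) that is neither owned by
# USER nor world-readable, one path per line, sorted.
unreadable_audit_logs() {
    dir=$1
    user=$2
    # -perm -004 matches files whose "other" read bit is set; ! negates it.
    set -- "$dir" -type f ! -perm -004
    # find refuses unknown user names, so only add the ownership test when the
    # account exists on this host; otherwise no file can be "ours" anyway.
    if id "$user" >/dev/null 2>&1; then
        set -- "$@" ! -user "$user"
    fi
    find "$@" 2>/dev/null | sort
}

# Exit 0 when every file in DIR is readable by USER, 1 otherwise; suitable as
# the command a cron/launchd job runs right after log rotation.
audit_dir_readable_by() {
    n=$(unreadable_audit_logs "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Example invocation on a real host (assumed account name):
#   unreadable_audit_logs /var/audit splunkfwd
```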
You're correct: it's not technically a Splunk problem. Figured I'd ask here, though, as I can't imagine this problem hasn't already been solved by others who have to deal with OSX fleets. Regardless, I appreciate the links and a fourth option to consider.