Getting Data In

Does anyone have reference material on the inputs.conf for MAC OSs and how to get the events into Splunk?

dokaas_2
Communicator

I'm a Windows guy working with Linux trying to get MAC OS events into Splunk.  We don't have many MACs where I work, but we do have some.  Does anyone have reference material on the inputs.conf for MAC OSs and how I get the events into Splunk?  The Splunk UF is installed, but I need to know more about what to monitor on MAC OSs.

 

Labels (1)
Tags (3)
0 Karma

MaverickT
Communicator

Since Splunk 9.x, Universal Forwarder supports Apple Unified Logging. But Splunk didn't release corresponding TA. So I decided to publish technology add-on to make things CIM compliant with Splunk Enterprise Security:

https://splunkbase.splunk.com/app/6561/

I also published an app to visualize key security-relevant events from MacOS datasource:

https://splunkbase.splunk.com/app/6562/

Any improvement requests are welcome.

cbastashutterfl
Explorer

I am VERY interested in this. What did you use for your inputs from the UFA on the Mac endpoints?

0 Karma

magichat
New Member

You can see it  at Universal logging and Jamf Protect

https://docs.jamf.com/jamf-protect/documentation/Unified_Logging.html

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Unfortunately there is no good native way to do it after Apple changed it's logging framework without any external programs/utils.

Here is some like which you could look:

Of course you must 1st know what you want to log from those nodes.

If those logs which you are interested are normal file based logs then collect those as any other logs in unix platforms.

r. Ismo

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...