
How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

New Member

Hi,
New here and new to Splunk. I'm hoping to use Splunk to help audit security events under OS X Server (running 10.7.4) for both Apple File Server events and SMB server events.

I've got Splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to Splunk by adding this to syslog.conf and bouncing syslogd afterwards:
*.*	@{my.server.ip.address}

Splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.

Any ideas? I can see some historical events of these types in the system.log viewer in the Console, but my test events don't show up there either.

thank you for any help!
-a

0 Karma
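Before chasing the AFP and SMB side, it is worth proving that the forwarding rule itself is right and that a datagram from the OS X box actually reaches the indexer. The following is an added example (not from the thread or from Splunk) that parses a syslog.conf excerpt, rejects a mangled selector such as a lone ".", confirms a catch-all "*.*" forward is present, and builds and parses a BSD-format (RFC 3164) syslog datagram of the kind syslogd emits. The syslog.conf excerpt and the host name splunk.example.internal are constructed placeholders.

```python
import re
import socket
import time

# Constructed syslog.conf excerpt standing in for the poster's edit. The first
# rule is the stock OS X local logging rule; the second is the catch-all
# forward. "splunk.example.internal" is a placeholder host, not a real one.
SAMPLE_SYSLOG_CONF = """\
# local logging as shipped, then forward everything to the indexer
*.notice;authpriv,remoteauth,ftp,install.none\t/var/log/system.log
*.*\t@splunk.example.internal
"""

# Numeric codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

FORWARD_RE = re.compile(r"^@(?P<host>[^:\s]+)(?::(?P<port>\d+))?$")
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog_conf(text):
    """Return [(selector, action)] for every rule line, skipping blanks and comments.

    Selector and action are separated by whitespace (tabs in the stock file).
    A selector that lost its asterisks (a lone ".") is rejected here so the
    mistake is visible instead of syslogd silently ignoring the rule.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "." not in parts[0] or parts[0].startswith("."):
            raise ValueError("line %d: malformed rule %r" % (lineno, line))
        rules.append((parts[0], parts[1]))
    return rules


def forwarding_targets(rules):
    """Pick out rules whose action is a remote host; port defaults to 514/udp."""
    targets = []
    for selector, action in rules:
        m = FORWARD_RE.match(action)
        if m:
            targets.append((selector, m.group("host"), int(m.group("port") or 514)))
    return targets


def forwards_everything(rules):
    """True when some forwarding rule uses the catch-all selector '*.*'."""
    return any(sel == "*.*" for sel, _, _ in forwarding_targets(rules))


def build_packet(facility, severity, hostname, tag, message):
    """Build a BSD syslog datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # RFC 3164 space-pads the day; %d zero-pads, which receivers accept.
    stamp = time.strftime("%b %d %H:%M:%S")
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, message)).encode()


def parse_pri(packet):
    """Return (facility name, severity name) from the PRI header of a datagram."""
    m = PRI_RE.match(packet)
    if not m:
        raise ValueError("no <PRI> header: %r" % packet[:16])
    pri = int(m.group(1))
    facility = FACILITY_NAMES.get(pri // 8, "facility%d" % (pri // 8))
    return facility, SEVERITY_NAMES[pri % 8]


def loopback_check(message="AFP login test"):
    """Send one datagram to a throwaway UDP listener on 127.0.0.1 and parse it.

    Pointing the sender at the indexer instead (UDP 514, with a UDP input
    enabled in Splunk) tests the network path without waiting for a real
    AFP or SMB event.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(build_packet("auth", "notice", "osxserver", "AppleFileServer", message),
                  rx.getsockname())
        data, _ = rx.recvfrom(4096)
    finally:
        tx.close()
        rx.close()
    facility, severity = parse_pri(data)
    return {"facility": facility, "severity": severity, "raw": data.decode()}


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    print("forwarding targets:", forwarding_targets(rules))
    print("catch-all forward present:", forwards_everything(rules))
    print("loopback:", loopback_check())
```

On the OS X box itself the equivalent end-to-end check is `logger -p auth.notice "AFP login test"` followed by a search for that string in Splunk: if the synthetic line arrives but AFP and SMB connections still produce nothing, the problem is that the file services are not logging at all, not the syslog path.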

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Motivator

it should be all in /var/log or /Library/Logs and if you enabled logging in file sharing it should be there /Library/Logs/AppleFileService/AppleFileServiceAccess.log

0 Karma

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

New Member

you would think so, no?

so here is where it gets hinky. in OS X 10.7 Server, Apple has removed the log settings from the file sharing UI and it looks like nothing is getting logged into the AFS log, nor is there an SMBd log that I can see.

so, the original question is where I'm still at. how to configure syslogd to be grabbing these events and sending them out to splunk. as I said before, some AFS events have shown up in the system.log but my test connections haven't. and, how can we enable the AFS/SMB logging when it seems like Apple has taken away those knobs and dials?

0 Karma

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Motivator

Have you tried this to enable logging?
- Open NetInfo Manager (found in the Applications/Utilities folder).
- In NetInfo Manager, choose /config/AppleFileServer.
- Choose the "activity_log" property. Change its value from "0" to "1".
- Choose "Save" from the NetInfo Manager "Domain" menu.
- Stop and restart File Sharing in System Prefs.
- Find your log in /Library/Logs/AppleFileService/AppleFileServiceAccess.log

0 Karma

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Motivator

or this:
To enable AFP logging you have to open, with root privileges,

/Library/Preferences/com.apple.AppleFileServer.plist

and set

activityLog

to

0 Karma
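The plist edit described above, as an added example that is not from the thread or from Apple: it reads the preferences file with Python's plistlib (which accepts both the XML and the binary form), turns activityLog on, reports which switches are still off, and writes the file back atomically. The plist content is a constructed stand-in; activityLog is the key named in the thread, while the loggingAttributes dictionary and its logLogin/logLogout/logCreateFile/logCreateDir/logDelete/logOpenFork sub-keys are my assumption from older OS X Server versions and must be checked against the keys actually present in the file on the server.

```python
import os
import plistlib

PLIST_PATH = "/Library/Preferences/com.apple.AppleFileServer.plist"

# Constructed stand-in for the real file with logging off. activityLog is the
# key named in the thread; loggingAttributes and its sub-keys are assumed key
# names (from older OS X Server versions) and must be verified on the box.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>activityLog</key>
	<false/>
	<key>loggingAttributes</key>
	<dict>
		<key>logCreateDir</key>
		<false/>
		<key>logCreateFile</key>
		<false/>
		<key>logDelete</key>
		<false/>
		<key>logLogin</key>
		<false/>
		<key>logLogout</key>
		<false/>
		<key>logOpenFork</key>
		<false/>
	</dict>
</dict>
</plist>
"""

# Event classes a file-access audit wants: who logged in and out, and what
# was created, opened or deleted. Assumed key names (see above).
AUDIT_ATTRIBUTES = ("logLogin", "logLogout", "logCreateFile",
                    "logCreateDir", "logDelete", "logOpenFork")


def load_prefs(raw):
    """Parse plist bytes; plistlib detects XML versus binary on its own."""
    return plistlib.loads(raw)


def serialize(prefs):
    """Serialize to XML plist bytes (used for round-trip checks)."""
    return plistlib.dumps(prefs)


def enable_afp_logging(prefs, attributes=AUDIT_ATTRIBUTES):
    """Return a copy with activityLog on and every requested attribute on.

    The input is left untouched so the before/after states can be compared.
    """
    out = dict(prefs)
    out["activityLog"] = True
    attrs = dict(out.get("loggingAttributes", {}))
    for name in attributes:
        attrs[name] = True
    out["loggingAttributes"] = attrs
    return out


def logging_gaps(prefs, attributes=AUDIT_ATTRIBUTES):
    """List the switches still off: the master activityLog first, then every
    attribute that is missing or false. An empty list means fully enabled."""
    gaps = []
    if not prefs.get("activityLog", False):
        gaps.append("activityLog")
    attrs = prefs.get("loggingAttributes", {})
    gaps.extend(name for name in attributes if not attrs.get(name, False))
    return gaps


def write_prefs(prefs, path=PLIST_PATH):
    """Write via a temp file and rename so a half-written plist never lands
    in /Library/Preferences. The real path needs root."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        plistlib.dump(prefs, fh)
    os.replace(tmp, path)


if __name__ == "__main__":
    current = load_prefs(SAMPLE_PLIST)
    print("before:", logging_gaps(current))
    fixed = enable_afp_logging(current)
    print("after:", logging_gaps(fixed))
    # write_prefs(fixed)  # run as root on the server, then restart File Sharing
```

For the single key the thread settles on, the command-line equivalent is `sudo defaults write /Library/Preferences/com.apple.AppleFileServer activityLog -bool true`, followed by stopping and restarting File Sharing; `logging_gaps()` is the check to run afterwards, since a master switch that is on with every per-event attribute still off is exactly the "it logs something but not file/folder actions" state reported later in the thread.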

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Motivator

But really this is a question for the Apple forums: if there is no data available anywhere, then there is nothing that Splunk can do.

0 Karma

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

New Member

ok, so setting the activityLog key to true has made it send some info for AFS into the system log. thanks for that, MarioM. There are some options in that prefs file that imply that it should log file/folder actions but I don't see any being logged.

0 Karma

Re: How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

Motivator

Then, if this answered your question, please accept the answer for those having a similar question. Thanks.

0 Karma