new here and to splunk - i'm hoping to use splunk to help audit security events under OS X server (running 10.7.4) for both Apple File Server events and SMB server events.
I've got splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to splunk via adding this to syslog.conf and bouncing syslogd after:
splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.
Any ideas? I can see some historical events of these tyoes in the system.log viewer in the Console, but my test events don't show up there either.
thank you for any help!
ok, so setting the activityLog key to true has made it send some info for AFS into the system log. thanks for that, MarioM. There are some options in that prefs file that imply that it should log file/folder actions but I don't see any being logged.
have you try that to enable looging?
-Open NetInfo Manager (found in the Applications/Utilities folder).
-In NetInfo Manager, choose /config/AppleFileServer.
-Choose the "activity_log" property. Change its value from "0" to "1".
-Choose "Save" from the NetInfo Manager "Domain" menu.
-Stop and restart File Sharing in System Prefs.
-Find your log in /Library/Logs/ApplefileService/AppleFileServiceAccess.log
you would think so, no?
so here is where it gets hinky. in OS X 10.7 Server, Apple has removed the log settings from the file sharing UI and it looks like nothing is getting logged into the AFS log, nor is there an SMBd log that I can see.
so, the original question is where I'm still at. how to configure syslogd to be grabbing these events and sending them out to splunk. as I said before, some AFS events have shown up in the system.log but my test connections haven't. and, how can we enable the AFS/SMB logging when it seems like Apple has taken away those knobs and dials?