Hi ,

I would like to onboard MAC PC all Browser's history in to the Splunk.

Please suggest best way to onboard those logs.

~/Library/Safari/

 ~/Users/<username>/Library/Application /Support/Firefox/Profiles

~/Users/<username>/Library/Application/Support/Google/Chrome/Default/History

Your tar file doesn't exist anymore. It's an empty file. Can you re-share it?

Thanks for posting. How did you managed to deal with "log show" permissions? Is there any other way than putting user "splunk" into the admin group?

dseditgroup -o edit -a splunk -t user admin

I don't currently have a mac to test with and I'm not a Mac guy but something like this might work.

Add this to /etc/sudoers to permit the splunk user to run log without a password.
splunk ALL = NOPASSWD: /path/to/log

Edit the uf_macintosh/bin/mac_log_monitor.sh and add sudo to the command.

FROM
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE

TO
sudo /path/to/log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE

Let me know how it goes!

Thanks for the quick response and advice. I had to modify config entry a little, but not much.

splunk ALL=(ALL) NOPASSWD: /usr/bin/log

Just the thing I've noticed. In case the "log show" is not allowed to be run or some other exception happens, the script still updates the last_run_date.txt file. I am thinking of modifying the script so it would update the last_run_date.txt file after log show command would be successfully run.

Please provide step-by-step guidance to on how to get logs from Sierra to Splunk

One possibility is to use osquery to pull the data from asl and put it into a file monitored by the splunk forwarder. And of course osquery exposes lots of other stuff you could grab too.

https://medium.com/@clong/osquery-for-security-b66fffdf2daf
https://blog.kolide.com/monitoring-macos-hosts-with-osquery-ba5dcc83122d

This works - the part I'm struggling with is figuring out what to grab.

Working with the log command in Sierra lets you play with the logged data but I don't see any guidance or recommendations on what to grab to meet standard audit requirements. If you can grab everything great - but if you are concerned about license capacity then most of the stuff going to asl looks like noise and should be filtered at the host.

https://github.com/droe/xnumon might also help it's "sysmon for macos"

Bumping xnumon as a pretty complete solution to this problem. You'll need to transform the input to be CIM compliant since there is not an app available at the time but out of the box it's a fairly on par with what sysmon offers.

I'd be very happy to add a sample Splunk config for CIM compliant field extraction to xnumon, feel free to submit one on Github in an issue or pull request.

One other rabbit hole I went down to get audit log data is using auditreduce + praudit

Again this works - audit data goes to splunk - but produces mostly noise. It checks a compliance box without being particularly useful.

I'll check out xnumon. Thanks.

It is probably best to contact Splunk, if you need the data from unified logging. That way they can push SPL-129734 internally. For now we rely on some scripts from the Unix TA, I have heard that others use https://osquery.io/

The Splunkforwarder can be installed and configured to index information from unified logging. There is just no out of the box functionality for that.