Mac OS client logs into splunk


I'm tasked with getting our Mac OS clients (desktops and laptops) to log the following to splunk:

Authentication success
Authentication failures
Invalid login
Adding/removing user accounts
User Account Modification
Installation of software
Modification of relevant configuration, such as firewall, logs etc

I can't find any configuration docs for getting these types of logs from OS X -> splunk.
After reading a couple of the answers here I also found that no one seems to have had any problems with it, or at least not asked any questions about it, besides that the asl (syslog) files in OS X are now binary and hence not read by the universal forwarder.

Am I really the first one to wonder how this should be done?



Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.

My answer here has a tar file that contains the script.

#!/bin/bash
# Usage: ./
# Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE.

DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh                    # Directory that holds the date file.
DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt  # The date file itself.
if [ ! -e "$DATE_FILE" ]                # Does the date file exist?
then                                    # No. Date file does not exist.
  if [ ! -d "$DATE_PATH" ]
  then
    mkdir -p "$DATE_PATH"
  fi
  date -v -1w +"%F %T" > "$DATE_FILE"   # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi

START_DATE=$(cat "$DATE_FILE")          # Set start date for log reading.
date +"%F %T" > "$DATE_FILE"            # Set new start date for next run.
END_DATE=$(cat "$DATE_FILE")            # Set end date for log reading.

# File with keywords to grep from logs.
# (The path was not preserved in the post; the default next to the script is an assumption.)
INCLUDE=${INCLUDE:-"$(dirname "$0")/include"}

# File with keywords to exclude from logs.
# (Same caveat: the default path is an assumption.)
EXCLUDE=${EXCLUDE:-"$(dirname "$0")/exclude"}

# Macintosh log command. Need to figure out predicate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []

# Check for the existence of include/exclude before running the pipeline.
if [ ! -r "$INCLUDE" ]
then
  echo "Include file not found: $INCLUDE" >&2
  exit 1
fi
if [ ! -r "$EXCLUDE" ]
then
  echo "Exclude file not found: $EXCLUDE (continuing without exclusions)" >&2
  EXCLUDE=/dev/null
fi

log show --style syslog --start "$START_DATE" --end "$END_DATE" | grep -E -f "$INCLUDE" | grep -E -v -f "$EXCLUDE"
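As an added example (not the script from the answer above, and not code from Splunk), here is a variant that addresses the `--predicate` to-do in that script: it asks `log show` to return only events from a set of processes that correspond to the categories in the question, optionally narrowed by keywords from an include file, and it advances the last-run timestamp only after `log show` succeeds, so a failed run does not silently drop a time window. The process list, the file names and the inputs.conf stanza in the comments are assumptions, not values from the thread; the predicate grammar is the NSPredicate syntax `log help predicates` describes.

```bash
#!/bin/bash
# Added example, not the answer's script. Pulls macOS unified-log events for a Splunk
# scripted input using a `log show` predicate instead of dumping everything and grepping.
# Assumed (not from the thread): the process list, file names and this inputs.conf stanza.
#
#   [script://$SPLUNK_HOME/etc/apps/macos_logs/bin/macos_unified_log.sh run]
#   interval = 300
#   sourcetype = macos:unifiedlog
#
# `log show` needs admin, so the forwarder must run with that privilege (as the answer notes).
set -u

# Processes behind the question's categories: loginwindow/sshd/sudo (auth success and
# failure), opendirectoryd (account add/remove/modify), installer (software installs),
# socketfilterfw (application firewall changes). Assumed starting set; tune to your fleet.
DEFAULT_PROCESSES="loginwindow opendirectoryd sudo sshd installer socketfilterfw"

# Escape a value for use inside a double-quoted NSPredicate string literal.
pred_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_predicate PROCESS_LIST [KEYWORD_FILE]
# Prints an NSPredicate that restricts to the given processes and, if KEYWORD_FILE has
# content, additionally requires one of its keywords (blank lines and '#' comments are
# ignored) to appear in the message, case-insensitively.
build_predicate() {
  procs="$1"; kwfile="${2:-}"
  set -- $procs
  list=""
  for p in "$@"; do
    list="${list:+$list, }\"$(pred_escape "$p")\""
  done
  pred="process IN {$list}"
  if [ -n "$kwfile" ] && [ -s "$kwfile" ]; then
    kw=""
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac
      kw="${kw:+$kw OR }eventMessage CONTAINS[c] \"$(pred_escape "$line")\""
    done < "$kwfile"
    if [ -n "$kw" ]; then pred="$pred AND ($kw)"; fi
  fi
  printf '%s\n' "$pred"
}

# log_window STATE_FILE NOW FALLBACK_START
# Prints "START|END": START is the END recorded by the last successful run, or
# FALLBACK_START on the first run. Nothing is written here; commit_window advances the
# state only after `log show` succeeded, so a failed run is retried over the same window.
log_window() {
  state="$1"; now="$2"; fallback="$3"
  if [ -s "$state" ]; then start=$(cat "$state"); else start="$fallback"; fi
  printf '%s|%s\n' "$start" "$now"
}

# commit_window STATE_FILE END
commit_window() {
  mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1"
}

main() {
  state="${SPLUNK_DB:-/tmp}/persistentstorage/uf_macintosh/last_run_date.txt"
  kwfile="$(dirname "$0")/include.txt"      # assumed keyword file name
  now=$(date +"%F %T")
  fallback=$(date -v -1H +"%F %T")           # BSD date as on macOS: one hour back on first run
  window=$(log_window "$state" "$now" "$fallback")
  start=${window%|*}; end=${window#*|}
  pred=$(build_predicate "$DEFAULT_PROCESSES" "$kwfile")
  # --style syslog yields one event per line, which the forwarder can timestamp and
  # line-break without extra props.conf work.
  if log show --style syslog --info --start "$start" --end "$end" --predicate "$pred"; then
    commit_window "$state" "$end"
  else
    echo "log show failed; window $start .. $end will be retried next run" >&2
    exit 1
  fi
}

# Collect only when invoked with "run" (as the stanza above does); sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Keeping the filtering inside `log show` bounds how much the Mac has to serialise per interval, which matters on a laptop that has been offline for a while and comes back with a large window; the include file then only refines the already narrowed stream.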


I have posted some MacOS configuration info here - I also know CMDSecurity has an app to help with this and more



Has anybody found a solution on how to get Mac OS client logs into splunk ?



After having created a support case with Splunk and chatting with an employee, I've deployed the downloadable pkg to some of my Macs and it seems to work pretty well.

Be aware of the AppleScripts that make assumptions that are probably not relevant for anyone, though.



I would greatly appreciate finding out more about said package, please. Can you share your contact at Splunk with me?



Apparently he's not with splunk anymore...


I share your pain... Did you make progress with this?

There is an old document that doesn't seem to work for current versions of Mac OS X:



I think they just used the Universal Forwarder. The first line of the install instructions says this.

Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens.
