Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.

My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html

#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE.

DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh   # Setup the date file.
DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt   # Setup the date file.
if [ ! -e "$DATE_FILE" ]                # Does the date file exist.
then                            # No. date file does not exist.
  if [ ! -e "$DATE_PATH" ]
  then
    mkdir $DATE_PATH
  fi
  date -v -1w +"%F %T" > $DATE_FILE         # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi

START_DATE=`cat $DATE_FILE`             # Set start date for log reading.
date +"%F %T" > $DATE_FILE              # Set new start date for next run. 
END_DATE=`cat $DATE_FILE`               # Set end date for log reading.

# File with keywords to grep from logs.
INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf

# File with keywords to exclude from logs.
EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf

# Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []

# Should really have an if to check for the existance of include/exclude
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE