Installation

Mac OS client logs into splunk

jbygden
Explorer

I'm tasked with getting our Mac OS clients (desktops and laptops) to log the following to splunk:

Authentication success
Authentication failures
Invalid login
Adding/removing user accounts
User Account Modification
Installation of software
Modification of relevant configuration, such as firewall, logs etc

I can't find any configuration docs for getting these types of logs from OS X -> splunk.
After reading a couple of the answers here I also found that noone seems to have had any problems with it or at least not asked any questions about it, besides that the asl(syslog)-files in OS X now is binary and hence not read by the universal forwarder.

Am I really the first one to wonder how this should be done?

Labels (2)

dfronck
Communicator

Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.

My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html

#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the Macintosh log show command to get Macintosh user logs from START_DATE to END_DATE.

DATE_PATH=$SPLUNK_DB/persistentstorage/uf_macintosh   # Setup the date file.
DATE_FILE=$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt   # Setup the date file.
if [ ! -e "$DATE_FILE" ]                # Does the date file exist.
then                            # No. date file does not exist.
  if [ ! -e "$DATE_PATH" ]
  then
    mkdir $DATE_PATH
  fi
  date -v -1w +"%F %T" > $DATE_FILE         # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi

START_DATE=`cat $DATE_FILE`             # Set start date for log reading.
date +"%F %T" > $DATE_FILE              # Set new start date for next run. 
END_DATE=`cat $DATE_FILE`               # Set end date for log reading.

# File with keywords to grep from logs.
INCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/include.conf

# File with keywords to exclude from logs.
EXCLUDE=$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf

# Macintosh log command. Need to figure out predicaate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []

# Should really have an if to check for the existance of include/exclude
log show --style syslog --start "$START_DATE" --end "$END_DATE" | egrep -f $INCLUDE | egrep -vf $EXCLUDE

eredux
Explorer

I have posted some MacOS configuration info here https://patent-ed.com/category/os/splunk/ - I also know CMDSecurity has an app to help with this and more https://www.cmdsec.com/cmdreporter/

0 Karma

Greendav
Explorer

Has anybody found a solution on how to get Mac OS client logs into splunk ?

0 Karma

jbygden
Explorer

After having created a support case with splunk and chatting with an employee I've deployed the downloadable pkg to some of my Macs and it seems to work pretty good.

Be aware of the applescripts that make assumptions that's probably not relevant for anyone though.

0 Karma

eredux
Explorer

I would greatly appreciate finding out more about this said package? please. Can you share your contact at Splunk with me?

0 Karma

jbygden
Explorer

Apparently he's not with splunk anymore...

0 Karma

bgstein
Path Finder

I share your pain... Did you make progress with this?

There is an old document that doesn't seem to work for current versions of Mac OS X:
https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

0 Karma

dfronck
Communicator

I think they just used the Universal Forwarder. The first line of the install instructions says this.

Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens.

0 Karma

somesoni2
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...