Mac OS client logs into splunk

Explorer

I'm tasked with getting our Mac OS clients (desktops and laptops) to log the following to splunk:

Authentication success
Authentication failures
Invalid login
Adding/removing user accounts
User Account Modification
Installation of software
Modification of relevant configuration, such as firewall, logs etc

I can't find any configuration docs for getting these types of logs from OS X -> splunk.
After reading a couple of the answers here I also found that no one seems to have had any problems with it, or at least not asked any questions about it, besides that the asl (syslog) files in OS X are now binary and hence not read by the universal forwarder.

Am I really the first one to wonder how this should be done?

Communicator

Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.

My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html

#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the Macintosh "log show" command to get Macintosh user logs from START_DATE to END_DATE.
# Meant to run as a universal forwarder scripted input; "log show" requires admin.

DATE_PATH="$SPLUNK_DB/persistentstorage/uf_macintosh"                    # Directory for the date file.
DATE_FILE="$SPLUNK_DB/persistentstorage/uf_macintosh/last_run_date.txt"  # File holding the last run time.
if [ ! -e "$DATE_FILE" ]                # Does the date file exist?
then                                    # No, the date file does not exist.
  mkdir -p "$DATE_PATH"                 # Create the directory if it is missing.
  date -v -1w +"%F %T" > "$DATE_FILE"   # Set start date to -1 week to get old logs. Redeploying overwrites this.
fi

START_DATE=$(cat "$DATE_FILE")          # Set start date for log reading.
date +"%F %T" > "$DATE_FILE"            # Set new start date for next run.
END_DATE=$(cat "$DATE_FILE")            # Set end date for log reading.

# File with keywords to grep from logs.
INCLUDE="$SPLUNK_ETC/apps/uf_macintosh/local/include.conf"

# File with keywords to exclude from logs.
EXCLUDE="$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf"

# Without the include/exclude files grep would fail or forward everything, so check for them first.
if [ ! -r "$INCLUDE" ] || [ ! -r "$EXCLUDE" ]
then
  echo "mac_log_monitor.sh: missing $INCLUDE or $EXCLUDE" >&2
  exit 1
fi

# Macintosh log command. Need to figure out a predicate so we can pull the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []

log show --style syslog --start "$START_DATE" --end "$END_DATE" | grep -E -f "$INCLUDE" | grep -E -v -f "$EXCLUDE"
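As an added example (not from the post above or the author's tar file), here is how such a script is wired into the forwarder as a scripted input, and how the include/exclude filtering behaves on constructed sample lines; the inputs.conf stanza, the keyword lists and the sample log lines are assumptions, and the app name uf_macintosh follows the script.

```shell
#!/bin/bash
# Added example, not from the original post or the author's tar file: shows the
# inputs.conf stanza that runs such a script as a UF scripted input and the
# include/exclude filtering applied to constructed "log show --style syslog"
# lines. The keyword lists are assumptions chosen for the question's events.
APP_DIR=$(mktemp -d)        # stand-in for $SPLUNK_HOME/etc/apps/uf_macintosh
mkdir -p "$APP_DIR/local" "$APP_DIR/bin"

# Scripted input: the UF runs the script every 5 minutes and indexes its stdout.
cat > "$APP_DIR/local/inputs.conf" <<'EOF'
[script://$SPLUNK_HOME/etc/apps/uf_macintosh/bin/mac_log_monitor.sh]
interval = 300
sourcetype = macos:unifiedlog
disabled = 0
EOF

# Keywords (assumed) for auth events, account changes, installs and firewall changes.
printf '%s\n' Authentication authentication login dscl sysadminctl installer socketfilterfw \
    > "$APP_DIR/local/include.conf"
printf '%s\n' mdworker > "$APP_DIR/local/exclude.conf"   # noise to drop (assumed)

# filter_logs INCLUDE EXCLUDE: filters stdin. A missing include file is an
# error (nothing would be forwarded); a missing exclude file drops nothing.
filter_logs() {
    local include=$1 exclude=$2
    [ -r "$include" ] || { echo "filter_logs: $include missing" >&2; return 1; }
    if [ -r "$exclude" ]; then
        grep -E -f "$include" | grep -E -v -f "$exclude"
    else
        grep -E -f "$include"
    fi
    return 0    # grep exits 1 when nothing matches; that is not a failure here
}

# Constructed sample lines in the syslog style the script dumps.
SAMPLE='2019-03-04 10:00:01.000000+0100 mac1 opendirectoryd[83]: Authentication failed for user bob
2019-03-04 10:00:02.000000+0100 mac1 mdworker[412]: Authentication token refreshed
2019-03-04 10:00:03.000000+0100 mac1 installer[900]: Installed "Example.pkg"
2019-03-04 10:00:04.000000+0100 mac1 kernel[0]: wl0: link up'

# Number of sample lines that would reach Splunk after filtering.
count_forwarded() {
    printf '%s\n' "$SAMPLE" \
        | filter_logs "$APP_DIR/local/include.conf" "$APP_DIR/local/exclude.conf" \
        | wc -l | tr -d ' '
}
# count_forwarded prints 2 (the failed authentication and the install)
```

The mdworker line is dropped even though it matches an include keyword, which is the order the script applies its two grep passes in.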

Explorer

I have posted some MacOS configuration info here https://patent-ed.com/category/os/splunk/ - I also know CMDSecurity has an app to help with this and more https://www.cmdsec.com/cmdreporter/

0 Karma

Explorer

Has anybody found a solution on how to get Mac OS client logs into splunk?

0 Karma

Explorer

After having created a support case with splunk and chatting with an employee I've deployed the downloadable pkg to some of my Macs and it seems to work pretty well.

Be aware of the AppleScripts that make assumptions that are probably not relevant for anyone, though.

0 Karma

Explorer

I would greatly appreciate finding out more about this said package, please. Can you share your contact at Splunk with me?

0 Karma

Explorer

Apparently he's not with splunk anymore...

0 Karma

Path Finder

I share your pain... Did you make progress with this?

There is an old document that doesn't seem to work for current versions of Mac OS X:
https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

0 Karma

Communicator

I think they just used the Universal Forwarder. The first line of the install instructions says this.

Double-click on the DMG file. A Finder window that contains splunkforwarder.pkg opens.

0 Karma
