Unified Log Source

Example
```yaml
sources:
  compact_log:
    type: unifiedlog
    format: compact
    include:
      - process: sudo
      - process: logind
    parser: "apple/unifiedlog:unifiedlog-compact"
    sink: logscale

  json_log:
    type: unifiedlog
    format: json
    include:
      - process: securityd
        predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
    parser: "apple/unifiedlog:unifiedlog-json"
    sink: logscale

sinks:
  logscale:
    type: humio
    token: $INGEST_TOKEN
    url: https://cloud.community.humio.com
```
Introduction

This configuration sets up log collection from macOS Unified Logs using both compact and JSON formats. It applies targeted filtering and parsing to extract meaningful log data from specified processes.

Step-by-Step
  1. ```yaml
     sources:
       compact_log:
         type: unifiedlog
         format: compact
         include:
           - process: sudo
           - process: logind
         parser: "apple/unifiedlog:unifiedlog-compact"
         sink: logscale

       json_log:
         type: unifiedlog
         format: json
         include:
           - process: securityd
             predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
         parser: "apple/unifiedlog:unifiedlog-json"
         sink: logscale
     ```

     This fragment defines two unified log sources, one in compact format and the other in JSON format, each with its own parser and filtering logic. The `include` list restricts collection to the named processes; the `json_log` source additionally narrows the `securityd` events with a predicate so that only messages containing `Session ` from the `com.apple.securityd` subsystem are forwarded.

  2. ```yaml
     sinks:
       logscale:
         type: humio
         token: $INGEST_TOKEN
         url: https://cloud.community.humio.com
     ```

     This fragment defines a `logscale` sink that receives the logs from both unified log sources configured above. The ingest token is read from the `INGEST_TOKEN` environment variable rather than being written into the file.

  3. Event Result set.
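To see which events the two `include` blocks actually let through, the following added example (not part of the original page or of the collector's own code) applies the same filter semantics to a handful of constructed events shaped like the records `log show --style json` emits. It evaluates only the two predicate operators used on this page, `CONTAINS` (case-sensitive substring) and `==` (exact match) joined by `&&`; the `select_events` and `compile_predicate` helpers and all event values are assumptions made for this illustration, and the real predicate is evaluated by macOS, not by this code.

```python
"""Offline illustration of the `include` filters used by the unifiedlog sources.

Constructed sample events use real `log show --style json` field names
(process, subsystem, eventMessage); the values are made up for this example.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    {"process": "sudo", "subsystem": "com.apple.sudo",
     "eventMessage": "alice : TTY=ttys001 ; COMMAND=/usr/bin/id"},
    {"process": "logind", "subsystem": "com.apple.logind",
     "eventMessage": "Login window session started"},
    {"process": "securityd", "subsystem": "com.apple.securityd",
     "eventMessage": "Session 100003 created"},
    {"process": "securityd", "subsystem": "com.apple.securityd",
     "eventMessage": "keychain unlocked"},            # no 'Session ' substring
    {"process": "securityd", "subsystem": "com.apple.security",
     "eventMessage": "Session 100004 destroyed"},    # wrong subsystem
    {"process": "kernel", "subsystem": "com.apple.kernel",
     "eventMessage": "Session 1 created"},           # process not included
]

# One clause: `<field> CONTAINS '<text>'` or `<field> == '<text>'`
_CLAUSE = re.compile(r"^\s*(\w+)\s+(CONTAINS|==)\s+'([^']*)'\s*$")


def compile_predicate(predicate: str) -> Callable[[Event], bool]:
    """Compile the predicate subset used on this page into a Python callable.

    CONTAINS is a case-sensitive substring test; == is exact equality; clauses
    are joined with && (logical AND). Anything else raises ValueError.
    """
    checks: List[Callable[[Event], bool]] = []
    for clause in predicate.split("&&"):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, value = m.groups()
        if op == "CONTAINS":
            checks.append(lambda ev, f=field, v=value: v in ev.get(f, ""))
        else:
            checks.append(lambda ev, f=field, v=value: ev.get(f) == v)
    return lambda ev: all(check(ev) for check in checks)


def select_events(events: List[Event], include: List[Dict[str, str]]) -> List[Event]:
    """Return the events a source would forward to its sink.

    An event passes if it matches any include entry: its `process` must equal
    the entry's process, and, when the entry carries a predicate, the
    predicate must also hold.
    """
    compiled = []
    for entry in include:
        if "predicate" in entry:
            pred = compile_predicate(entry["predicate"])
        else:
            pred = lambda ev: True  # process-only entry, e.g. `- process: sudo`
        compiled.append((entry["process"], pred))

    selected: List[Event] = []
    for ev in events:
        if any(ev.get("process") == proc and pred(ev) for proc, pred in compiled):
            selected.append(ev)
    return selected


# The two include lists from the configuration on this page.
COMPACT_INCLUDE = [{"process": "sudo"}, {"process": "logind"}]
JSON_INCLUDE = [{
    "process": "securityd",
    "predicate": "eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'",
}]

if __name__ == "__main__":
    for name, include in (("compact_log", COMPACT_INCLUDE), ("json_log", JSON_INCLUDE)):
        print(name)
        for ev in select_events(SAMPLE_EVENTS, include):
            print("   ", ev["process"], "|", ev["eventMessage"])
```

Running it shows `compact_log` forwarding the `sudo` and `logind` events and `json_log` forwarding only `Session 100003 created`: the `keychain unlocked` message fails the `CONTAINS` clause, the `com.apple.security` event fails the subsystem equality, and the kernel event is never considered because `kernel` is not in the source's `include` list. The same reasoning applies when tuning a predicate before deploying it: a predicate that is too broad floods the sink, one that is too narrow silently drops the session events you wanted.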

Summary and Results

This example demonstrates a Unified Log configuration with compact and JSON sources, each using dedicated parsers and filters. Logs are routed to a LogScale sink for centralized analysis.