Unified Log Source

Example

```yaml
sources:
  compact_log:
    type: unifiedlog
    format: compact
    include:
      - process: sudo
      - process: logind
    parser: "apple/unifiedlog:unifiedlog-compact"
    sink: logscale

  json_log:
    type: unifiedlog
    format: json
    include:
      - process: securityd
        predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
    parser: "apple/unifiedlog:unifiedlog-json"
    sink: logscale

sinks:
  logscale:
    type: humio
    token: $INGEST_TOKEN
    url: https://cloud.community.humio.com
```
Introduction

This configuration sets up log collection from macOS Unified Logs using both compact and JSON formats. It applies targeted filtering and parsing to extract meaningful log data from specified processes.

Step-by-Step
  1. Unified log sources

     ```yaml
     sources:
       compact_log:
         type: unifiedlog
         format: compact
         include:
           - process: sudo
           - process: logind
         parser: "apple/unifiedlog:unifiedlog-compact"
         sink: logscale

       json_log:
         type: unifiedlog
         format: json
         include:
           - process: securityd
             predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
         parser: "apple/unifiedlog:unifiedlog-json"
         sink: logscale
     ```

     This fragment defines two unified log sources, one in compact format and the other in JSON format, each with its own parser and filtering logic. The `include` list restricts collection to the named processes, and the `json_log` entry further narrows `securityd` output with a predicate on the message text and subsystem.

  2. LogScale sink

     ```yaml
     sinks:
       logscale:
         type: humio
         token: $INGEST_TOKEN
         url: https://cloud.community.humio.com
     ```

     This fragment defines a `logscale` sink that receives and processes the logs from the configured unified log sources.

  3. Event Result set.
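To see which records the two `include` lists above would actually let through, here is an added Python example (not part of this page or of the collector) that applies them to constructed records shaped like `log show --style json` output. It assumes the collector treats `include` entries as alternatives, each matching on `process` plus its optional `predicate`, and it implements only the predicate subset the page uses (`field OP 'literal'` clauses joined by `&&`, with `==`/`CONTAINS` and the sibling `!=`/`BEGINSWITH`).

```python
import json
import re

# Constructed sample in the shape of `log show --style json` output, trimmed to
# the fields the page's filters reference (not real captured data).
SAMPLE_RECORDS = json.loads("""[
 {"process": "sudo", "subsystem": "", "eventMessage": "user : TTY=ttys001 ; COMMAND=/bin/ls"},
 {"process": "logind", "subsystem": "com.apple.logind", "eventMessage": "session created"},
 {"process": "securityd", "subsystem": "com.apple.securityd", "eventMessage": "Session 0x1234 created"},
 {"process": "securityd", "subsystem": "com.apple.securityd", "eventMessage": "keychain unlocked"},
 {"process": "securityd", "subsystem": "com.apple.security", "eventMessage": "Session 0x5678 closed"},
 {"process": "kernel", "subsystem": "", "eventMessage": "Session table resized"}
]""")

# The two include lists from the page's configuration, as Python data.
COMPACT_INCLUDE = [{"process": "sudo"}, {"process": "logind"}]
JSON_INCLUDE = [{"process": "securityd",
                 "predicate": "eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'"}]

# One predicate clause: `field OP 'literal'` (the NSPredicate subset the page uses).
CLAUSE = re.compile(r"^\s*(\w+)\s+(==|!=|CONTAINS|BEGINSWITH)\s+'([^']*)'\s*$")

def eval_predicate(predicate: str, record: dict) -> bool:
    """True when every `&&`-joined clause holds; raises on syntax this subset cannot parse."""
    for clause in predicate.split("&&"):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, literal = m.groups()
        value = str(record.get(field, ""))  # missing field compares as empty string
        if not {"==": value == literal, "!=": value != literal,
                "CONTAINS": literal in value, "BEGINSWITH": value.startswith(literal)}[op]:
            return False
    return True

def matches_include(include: list, record: dict) -> bool:
    """Assumed semantics: forward if ANY entry's process matches and its predicate (if any) holds."""
    return any(record.get("process") == e["process"]
               and ("predicate" not in e or eval_predicate(e["predicate"], record))
               for e in include)

def forwarded_messages(include: list, records: list) -> list:
    """Messages the source would ship to the sink, in original order."""
    return [r["eventMessage"] for r in records if matches_include(include, r)]

if __name__ == "__main__":
    print("compact_log ->", forwarded_messages(COMPACT_INCLUDE, SAMPLE_RECORDS))
    print("json_log    ->", forwarded_messages(JSON_INCLUDE, SAMPLE_RECORDS))
```

Note that the trailing space in `'Session '` matters: a message reading `Sessions ...` would not match, and a `securityd` record from a different subsystem is dropped even when its message does.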

Summary and Results

This example demonstrates a Unified Log configuration with compact and JSON sources, each using dedicated parsers and filters. Logs are routed to a LogScale sink for centralized analysis.