Apple Unified Logs

This package allows you to ingest Apple Unified log events using Falcon LogScale Collector and includes the parsers required to ensure accurate time-stamping and enrich the data with fields. From MacOS 10.12 up to recent versions, logs and system events are stored centrally in a database accessible from the Console.app and the terminal using the built-in log

Prerequisites

  • LogScale Collector 1.5.0 or above

  • LogScale 1.97.0 or above

Installing the Package

  1. Go to the repository where you want to save the collected data and click Settings

  2. Click Marketplace under Packages.

  3. Click apple/unifiedlogs.

  4. Click Install package and when the details of the package are displayed click Install.

Configuring The LogScale Collector

Whether you are using a local configuration file, or have enrolled in fleet management, the configuration is the same.

The following is an example configuration file for collecting unified logs: 

sources:
 compact_log:
   type: unifiedlog
   format: compact
   include:
     - process: sudo
     - process: logind
   parser: "apple/unifiedlog:unifiedlog-compact"
   sink: logscale

 json_log:
   type: unifiedlog
   format: json
   include:
     - process: securityd
       predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
   parser: "apple/unifiedlog:unifiedlog-json"
   sink: logscale

sinks:
 logscale:
   type: humio
   token: <ingest-token>
   url: <logscale-base-url> // example - https://cloud.community.humio.com

The logs can be formatted in two styles; compact and json. compact, as specified by its name, is compact and uses less storage, while the other style, json, is more comprehensive.

The configuration is complete when you have deployed and configured the Falcon LogScale Collector with a configuration such as that shown below, inserting the ingest token and your LogScale URL.

See Sources & Examples for more information on the configuration and the LogScale Collector.