apple/unifiedlog
Vendor | Apple Inc.
Author | CrowdStrike
Version | 1.0.1
Minimum LogScale Version | 1.20.0
This package allows you to ingest Apple Unified log events using the Falcon LogScale Collector and includes the parsers required to ensure accurate time-stamping and to enrich the data with fields. From macOS 10.12 onward, logs and system events are stored centrally in a database accessible from Console.app and from the terminal using the built-in log
Prerequisites
LogScale Collector 1.5.0 or above
LogScale 1.97.0 or above
Installing the Package
Go to the repository where you want to save the collected data and click
Click
under Packages. Click
. Click
and when the details of the package are displayed click .
Configuring The LogScale Collector
Whether you are using a local configuration file, or have enrolled in fleet management, the configuration is the same.
The following is an example configuration file for collecting unified logs:
sources:
  compact_log:
    type: unifiedlog
    format: compact
    include:
      - process: sudo
      - process: logind
    parser: "apple/unifiedlog:unifiedlog-compact"
    sink: logscale
  json_log:
    type: unifiedlog
    format: json
    include:
      - process: securityd
    predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
    parser: "apple/unifiedlog:unifiedlog-json"
    sink: logscale
sinks:
  logscale:
    type: humio
    token: <ingest-token>
    url: <logscale-base-url>   # example: https://cloud.community.humio.com
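To make the two source blocks concrete, the following added example (not part of the package or the LogScale Collector) replays a handful of constructed events in the shape of `log show --style json` output through the same include lists and predicate as the configuration above. It assumes that an `include` entry's `process` matches the basename of the event's `processImagePath`, and it evaluates only the small predicate dialect used on this page (`&&`-joined `CONTAINS` / `==` clauses), not the full NSPredicate syntax. Field names and file paths in the sample are constructed and not authoritative.

```python
import json
import re

# Constructed sample in the shape of `log show --style json` output.
# Only the fields the example needs are present; values and paths are made up.
SAMPLE_JSON_LOG = json.dumps([
    {"timestamp": "2024-01-01 10:00:01.000000+0000", "processImagePath": "/usr/bin/sudo",
     "processID": 501, "subsystem": "", "category": "",
     "eventMessage": "alice : TTY=ttys001 ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2024-01-01 10:00:02.000000+0000", "processImagePath": "/usr/sbin/securityd",
     "processID": 120, "subsystem": "com.apple.securityd", "category": "session",
     "eventMessage": "Session 0x1a2b created"},
    {"timestamp": "2024-01-01 10:00:03.000000+0000", "processImagePath": "/usr/sbin/securityd",
     "processID": 120, "subsystem": "com.apple.securityd", "category": "keychain",
     "eventMessage": "keychain unlock attempt"},
    {"timestamp": "2024-01-01 10:00:04.000000+0000", "processImagePath": "/usr/sbin/logind",
     "processID": 88, "subsystem": "com.apple.logind", "category": "default",
     "eventMessage": "Session 42 login window shown"},
    {"timestamp": "2024-01-01 10:00:05.000000+0000", "processImagePath": "/Applications/Safari.app/Contents/MacOS/Safari",
     "processID": 900, "subsystem": "com.apple.Safari", "category": "default",
     "eventMessage": "Session restore complete"},
])

# The `sources` section of the YAML above, expressed as a dict so the example
# runs without a YAML library.
COLLECTOR_CONFIG = {
    "sources": {
        "compact_log": {
            "type": "unifiedlog", "format": "compact",
            "include": [{"process": "sudo"}, {"process": "logind"}],
            "parser": "apple/unifiedlog:unifiedlog-compact", "sink": "logscale",
        },
        "json_log": {
            "type": "unifiedlog", "format": "json",
            "include": [{"process": "securityd"}],
            "predicate": "eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'",
            "parser": "apple/unifiedlog:unifiedlog-json", "sink": "logscale",
        },
    },
}

# One clause of the limited predicate dialect: <field> CONTAINS '<literal>' or <field> == '<literal>'.
CLAUSE_RE = re.compile(r"^\s*(\w+)\s+(CONTAINS|==)\s+'([^']*)'\s*$")


def compile_predicate(predicate):
    """Compile an &&-joined list of CONTAINS / == clauses into a callable.
    This is a deliberate subset of NSPredicate, just enough for the page's config."""
    clauses = []
    for raw in predicate.split("&&"):
        m = CLAUSE_RE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw.strip()!r}")
        clauses.append(m.groups())

    def matches(event):
        for field, op, literal in clauses:
            value = event.get(field, "")
            if op == "CONTAINS" and literal not in value:
                return False
            if op == "==" and value != literal:
                return False
        return True

    return matches


def source_filter(source):
    """Return a callable deciding whether one source block forwards an event.
    Assumption: each include entry's `process` is matched against the basename
    of processImagePath; `predicate`, when present, narrows the set further."""
    allowed = {entry["process"] for entry in source.get("include", [])}
    pred = compile_predicate(source["predicate"]) if "predicate" in source else None

    def keep(event):
        name = event["processImagePath"].rsplit("/", 1)[-1]
        if allowed and name not in allowed:
            return False
        return pred(event) if pred is not None else True

    return keep


def route_events(config, json_log):
    """Map each configured source name to the eventMessage values it would forward."""
    events = json.loads(json_log)
    routed = {}
    for name, source in config["sources"].items():
        keep = source_filter(source)
        routed[name] = [e["eventMessage"] for e in events if keep(e)]
    return routed


if __name__ == "__main__":
    for source, messages in route_events(COLLECTOR_CONFIG, SAMPLE_JSON_LOG).items():
        print(source, "->", messages)
```

Running it shows that the `compact_log` source forwards only the sudo and logind events, while the `json_log` source drops the securityd keychain event (no `Session ` substring) and the logind and Safari events (wrong process and subsystem), which is the behaviour to expect from the predicate before deploying the collector.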
The logs can be formatted in two styles: compact and json. The compact style, as its name suggests, produces smaller events and uses less storage, while the json style is more comprehensive.
The configuration is complete once you have deployed and configured the Falcon LogScale Collector with a configuration such as the one shown above, with your ingest token and LogScale URL inserted.
See Sources & Examples for more information on the configuration and the LogScale Collector.