Getting Data In

Indexing macOS Sierra auditable events

eredux
Explorer

Has anyone had any luck collecting the following events in macOS Sierra 10.12? How did you do it? PLEASE. One tech has suggested that syslog be configured to forward to a receiver, but I am unable to collect much of what my employer is expecting from our Macintosh machines running the Forwarder in 10.12. And I have seen an Apple Radar that supports my findings here:

Apple report
Number: rdar://30164382
Date Originated: 24.1.2017

With the new log subsystem introduced in 10.12 Sierra it is no longer possible to send log messages to a remote syslog server. In previous versions of macOS it was possible to configure syslog via the /etc/syslog.conf config file to send logs to remote servers. In 10.12 syslog is still in place, but it is missing content since it was moved to the new log subsystem.

Expected Results: Ability to configure the log system to send log messages to a remote syslog or syslog-ng server.
Actual Results: There is no way to configure logd to send messages to a remote syslog server.
Version: 10.12

My Audit Need for macOS Sierra servers and clients
We need to collect the following, and I am not having any luck with syslog. Any help would be greatly appreciated. I am thinking scripted inputs now, but would REALLY appreciate seeing some examples for further guidance. I have spent way too much time on this, and some Splunk techs mention Splunk is not supported in macOS Sierra 10.12.

My employer is expecting me to collect these from my macOS Sierra 10.12 clients and servers:
Policy                           Security Setting
Audit account logon events       Success, Failure
Audit account management         Success, Failure
Audit directory service access   Failure
Audit logon events               Success, Failure
Audit object access              Failure
Audit policy change              Success
Audit privilege use              Failure
Audit process tracking           No Auditing
Audit system events              Success

Please share with me how you collected this data

eredux
Explorer

The logs are in a binary format by nature and Splunk will not natively decipher them. I have put a great deal of effort into a solution, now awaiting approval(s) from various departments... will post once blessed.

cchacon
Explorer

Is there any update on this?

Splunk has not been able to log Mac for the last 2 years since this Unified Logging system was introduced. If we cannot use the Splunk forwarder, is there a script solution you have found?

0 Karma

eredux
Explorer

An old colleague has found in the local forwarder's splunkd logs where the local forwarder ignores these binary /var/audit files... which makes Splunk incompatible with addressing https://nvd.nist.gov/800-53/Rev4/control/AU-2

12-14-2017 18:47:21.990 -0500 INFO TailReader - Ignoring file '/var/audit/20170717192838.crash_recovery' due to: binary
12-14-2017 18:47:21.991 -0500 WARN FileClassifierManager - The file '/var/audit/20170718220651.crash_recovery' is invalid. Reason: binary
12-14-2017 18:47:21.991 -0500 INFO TailReader - Ignoring file '/var/audit/20170718220651.crash_recovery' due to: binary

0 Karma

ccrowder_splunk
Splunk Employee

@eredux is there a reason you cannot explicitly define the local/inputs.conf to monitor the files you want?

E.g., rather than trying to monitor all of the /var/* files and choking on the binary files, explicitly monitor the *.log files desired?

## Audit
[monitor:///var/log/audit.log*]
index = myauditindex

[monitor:///var/log/messages.log*]
index = myauditindex
sourcetype = myauditsourcetype

0 Karma

eredux
Explorer

When I RSYNCed the log file to the server I had success using this to parse my files: https://splunkbase.splunk.com/app/847/

Solaris BSM Audit log loader

This RSYNC AUDIT log solution is NOT a solution; I am missing data. Apple Unified logs using show is more practical, but I am looking to Splunk to do this... If anyone at Splunk is reading this, please help; my salesman told me this would work... Please help me.

0 Karma

woodcock
Esteemed Legend

Can you not just install a Splunk Forwarder and use this app?
https://splunkbase.splunk.com/app/2642/

0 Karma

eredux
Explorer

My Splunk 6.6.3 environment is running on Sierra... Enterprise and the forwarding clients both, all Macintosh. I have configured the forwarder client and polling, and I can see the forwarder on the enterprise server in the Forwarders: Deployment listing, but the client forwarder does not forward /var/audit logs to the server.... seems to me it should; my friends have had me check firewalls... this should work, right?

I might add that syslogging inputs seem to work, but not the /var/audit logs I need.

I have gone as far as to set up scripts that dump the current praudit data and hand-deliver it by RSYNC to the Splunk server, but that is not working; I am missing data and it is not the best solution... this is driving me mad!!!!

0 Karma