How to configure syslogd under OSX to send all user logon events via AFS and SMB to syslog

helpdeskinc
New Member

Hi,
New here and to Splunk. I'm hoping to use Splunk to help audit security events under OS X Server (running 10.7.4) for both Apple File Server events and SMB server events.

I've got Splunk running fine and have the OS X server's syslogd forwarding, in theory, all events to Splunk by adding this to syslog.conf and bouncing syslogd after:

    *.*    @{my.server.ip.address}

Splunk is happily consuming data from the OS X server, but when I make some AFP or SMB connections to it, I don't see anything show up.

Any ideas? I can see some historical events of these types in the system.log viewer in the Console, but my test events don't show up there either.

thank you for any help!
-a

MarioM
Motivator

It should all be in /var/log or /Library/Logs, and if you enabled logging in file sharing it should be at /Library/Logs/AppleFileService/AppleFileServiceAccess.log

MarioM
Motivator

Then, if this answered your question, please accept the answer for those having a similar question. Thanks.

helpdeskinc
New Member

OK, so setting the activityLog key to true has made it send some info for AFS into the system log. Thanks for that, MarioM. There are some options in that prefs file that imply that it should log file/folder actions, but I don't see any being logged.

MarioM
Motivator

But really this is a question for the Apple forums, as if there is no data available anywhere then there is nothing that Splunk can do.

MarioM
Motivator

Or this: to enable AFP logging you have to open, with root privileges,

/Library/Preferences/com.apple.AppleFileServer.plist

and set

activityLog

to
MarioM
Motivator

Have you tried that to enable logging?
-Open NetInfo Manager (found in the Applications/Utilities folder).
-In NetInfo Manager, choose /config/AppleFileServer.
-Choose the "activity_log" property. Change its value from "0" to "1".
-Choose "Save" from the NetInfo Manager "Domain" menu.
-Stop and restart File Sharing in System Prefs.
-Find your log in /Library/Logs/ApplefileService/AppleFileServiceAccess.log

helpdeskinc
New Member

You would think so, no?

So here is where it gets hinky. In OS X 10.7 Server, Apple has removed the log settings from the file sharing UI, and it looks like nothing is getting logged into the AFS log, nor is there an smbd log that I can see.

So, the original question is where I'm still at: how to configure syslogd to be grabbing these events and sending them out to Splunk. As I said before, some AFS events have shown up in the system.log but my test connections haven't. And, how can we enable the AFS/SMB logging when it seems like Apple has taken away those knobs and dials?

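An added check for the three pieces this thread is trying to line up (example code written for this page, not from the thread, Apple or Splunk): it parses syslog.conf for a `*.*` remote-forward rule, reads the activityLog key from com.apple.AppleFileServer.plist with the standard-library plistlib, and confirms the AFP access log file named above exists. The default paths are the ones quoted in the thread; demo() runs the audit against constructed files, and the Splunk host in them is a placeholder.

```python
import plistlib
import tempfile
from pathlib import Path

# Paths as quoted in the thread; pass others to audit() for a different box.
AFP_PLIST = "/Library/Preferences/com.apple.AppleFileServer.plist"
AFP_LOG = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"


def syslog_forward_hosts(conf_text):
    """Hosts that receive every message: lines whose selector is exactly '*.*'.

    BSD syslog.conf lines are '<selector> <action>'; an action starting with
    '@' is a remote host, optionally followed by ':port'. Comments and blank
    lines are skipped. A selector list such as '*.*;mail.none' is not 'all'.
    """
    hosts = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].strip().split(None, 1)
        if len(fields) == 2 and fields[0] == "*.*" and fields[1].startswith("@"):
            hosts.append(fields[1][1:].split(":")[0])
    return hosts


def afp_activity_logging_enabled(plist_path):
    """True when activityLog is set in the AFP plist; False if unset or missing."""
    try:
        with open(plist_path, "rb") as f:
            return bool(plistlib.load(f).get("activityLog", False))
    except FileNotFoundError:
        return False


def audit(conf_path="/etc/syslog.conf", plist_path=AFP_PLIST, log_path=AFP_LOG):
    """One True/False per piece of the setup; a False is where to look next."""
    conf_text = Path(conf_path).read_text()
    return {
        "syslog_forwards_everything": bool(syslog_forward_hosts(conf_text)),
        "afp_activity_log_on": afp_activity_logging_enabled(plist_path),
        "afp_access_log_present": Path(log_path).is_file(),
    }


def demo():
    """Audit constructed files: forwarding on, activityLog on, no access log yet."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "syslog.conf").write_text(
        "# constructed sample, not a real /etc/syslog.conf\n"
        "*.notice\t/var/log/system.log\n"
        "*.*\t@splunk.example.com:514\n"  # placeholder Splunk host
    )
    with open(tmp / "afp.plist", "wb") as f:
        plistlib.dump({"activityLog": True}, f)
    return audit(tmp / "syslog.conf", tmp / "afp.plist", tmp / "missing.log")
```

A `*.*` rule only forwards what reaches syslogd; the AFP access log is a file, so even with all three checks green it still needs a file monitor on the Splunk side.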