add monitor "Mountain Lion Security Logs"

sterling_edmund · ‎02-27-2013

How would you log the new Apple Security Logs in Mountain Lion 10.8. Thanks

jbsplunk · ‎02-27-2013

In 10.8, data is logged to asl(syslog) instead of secure.log, so it would be something like this:

./splunk add monitor /var/log/asl

jbsplunk · ‎02-28-2013

I just checked mine, and the data appears to be binary. So Splunk isn't going to read it. You could send NO_BINARY_CHECK to process the files using props.conf though.

sterling_edmund · ‎02-28-2013

0/s:key
118660/s:key
/var/log/asl/s:key
0.00/s:key
unreadable file type/s:key
/s:dict
/s:key

sterling_edmund · ‎02-28-2013

checking thanks

jbsplunk · ‎02-28-2013

From $SPLUNK_HOME/bin you can run 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus > output' and then search output for the files in ASL, it'll tell you why they're ignored or if they've been read.

sterling_edmund · ‎02-28-2013

Still does not read the asl files - wip - thanks

add monitor "Mountain Lion Security Logs"

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!