Once you install the UF, you can use this simplistic script I wrote that pulls the logs I needed. It just uses the "log show" command to dump the logs and then greps out the stuff in the include file. Note: "log show" requires admin.
My answer here has a tar file that contains the script.
https://answers.splunk.com/answers/547865/mac-os-x-sierra-how-to-get-all-logs-from-the-unifi.html
#!/bin/bash
# Usage: ./mac_log_monitor.sh
# Runs the macOS "log show" command to get user logs from START_DATE to END_DATE.
# Expects SPLUNK_DB and SPLUNK_ETC to be set, as they are when the Universal
# Forwarder runs this as a scripted input.
DATE_PATH="$SPLUNK_DB/persistentstorage/uf_macintosh"   # Directory holding the date file.
DATE_FILE="$DATE_PATH/last_run_date.txt"                # Records where the last run stopped.
if [ ! -e "$DATE_FILE" ]                                # Does the date file exist?
then                                                    # No: first run (or the app was redeployed).
    mkdir -p "$DATE_PATH"
    date -v -1w +"%F %T" > "$DATE_FILE"                 # Start one week back to pick up older logs. Redeploying overwrites this.
fi
START_DATE=$(cat "$DATE_FILE")                          # Start of the window for this run.
date +"%F %T" > "$DATE_FILE"                            # Save the new start date for the next run.
END_DATE=$(cat "$DATE_FILE")                            # End of the window for this run.
# File with keywords (grep -E patterns, one per line) to keep from the logs.
INCLUDE="$SPLUNK_ETC/apps/uf_macintosh/local/include.conf"
# File with keywords to exclude from the logs.
EXCLUDE="$SPLUNK_ETC/apps/uf_macintosh/local/exclude.conf"
# macOS log command. TODO: work out a predicate so we can pull only the logs we need instead of everything.
#log show --predicate [] --style syslog --start [] --end [] --info --last []
# The include file is required: without it nothing would be selected.
if [ ! -r "$INCLUDE" ]
then
    echo "include file not found: $INCLUDE" >&2
    exit 1
fi
# A missing exclude file means exclude nothing (grep -v with an empty pattern list passes every line).
[ -r "$EXCLUDE" ] || EXCLUDE=/dev/null
log show --style syslog --start "$START_DATE" --end "$END_DATE" | grep -E -f "$INCLUDE" | grep -E -v -f "$EXCLUDE"
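The include/exclude stage of the monitor script is plain `grep -E -f` filtering, so it can be exercised without a Mac or a live `log show` run. The block below is an added example, not code from the post or its tar file: it writes constructed pattern files, feeds constructed `--style syslog`-shaped lines through the same two-grep pipeline, and shows the one edge case the script has to care about, a missing exclude file, which is substituted with `/dev/null` so that nothing is dropped rather than everything.

```shell
#!/bin/sh
# Added example (not the original post's code): exercise the include/exclude
# keyword filter that the monitor script pipes "log show" output through,
# using constructed syslog-style lines instead of a live "log show" run.
# Pattern files are grep -E pattern lists, one regex per line.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
INCLUDE="$WORKDIR/include.conf"
EXCLUDE="$WORKDIR/exclude.conf"

# Constructed patterns: keep authentication/privilege events, drop known noise.
printf '%s\n' 'sudo' 'loginwindow' 'authd' > "$INCLUDE"
printf '%s\n' 'Heartbeat' > "$EXCLUDE"

# Constructed sample of what "log show --style syslog" emits (fields abridged).
SAMPLE='2019-03-04 09:12:01.120 localhost sudo[512]: alice : TTY=ttys001 ; COMMAND=/usr/bin/less
2019-03-04 09:12:02.004 localhost loginwindow[87]: Heartbeat ok
2019-03-04 09:12:03.551 localhost kernel[0]: wifi link up
2019-03-04 09:12:04.902 localhost authd[120]: Succeeded authorizing right system.login.console'

# filter_logs INCLUDE_FILE [EXCLUDE_FILE]: the same pipeline as the monitor
# script. An unreadable or absent exclude file becomes /dev/null; grep -v with
# an empty pattern list selects nothing to drop, so every included line passes.
filter_logs() {
    inc=$1
    exc=${2:-/dev/null}
    [ -r "$exc" ] || exc=/dev/null
    grep -E -f "$inc" | grep -E -v -f "$exc"
}

# Number of sample lines surviving include + exclude (expected: sudo and authd).
matched_with_exclude() {
    printf '%s\n' "$SAMPLE" | filter_logs "$INCLUDE" "$EXCLUDE" | wc -l | tr -d ' '
}

# Number surviving when the exclude file does not exist (expected: all three
# included lines, the Heartbeat line no longer being removed).
matched_without_exclude() {
    printf '%s\n' "$SAMPLE" | filter_logs "$INCLUDE" "$WORKDIR/does-not-exist.conf" | wc -l | tr -d ' '
}

echo "with exclude:    $(matched_with_exclude) line(s)"
echo "without exclude: $(matched_without_exclude) line(s)"
```

Because `grep -f` treats each line of the pattern file as a regular expression, a stray empty line in `include.conf` matches every log line and defeats the filter; keeping the pattern files free of blank lines is worth a check before deploying the app.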