
Support for MacOS Unified Logging

Open nathanrstacey opened this issue 5 years ago • 8 comments

Describe the enhancement: Support for MacOS Unified Logging

Describe a specific use case for the enhancement or feature: Auditbeat doesn't provide much valuable information because it is still pulling information from syslog; macOS is deprecating use of syslog and has moved to Unified Logging. To my knowledge there is no Beat for macOS that will track login, logout, lock, unlock, or sudo access. It is possible to create custom scripts to grab some (not all) of this info, but a Beat would be much easier.

nathanrstacey avatar Dec 03 '19 22:12 nathanrstacey

Unified Logging is also mentioned on (closed) https://github.com/elastic/beats/issues/3109.

a03nikki avatar Feb 18 '21 17:02 a03nikki

This has been needed for a long time, we should definitely prioritize this.

fearful-symmetry avatar Feb 18 '21 21:02 fearful-symmetry

👍 for this. It is badly needed so you don't need to run a launchd just to dump the logs to disk for Filebeat to pick up.

natewalck avatar Feb 26 '21 21:02 natewalck

I'm a little worried that this is going to languish, as we don't really have a "MacOS expert" and this is a MacOS api. @masci do you have any ideas for how to manage this?

fearful-symmetry avatar Mar 01 '21 18:03 fearful-symmetry

It looks like there is an API since macOS 10.15. https://developer.apple.com/documentation/oslog

It would require cgo and objective-c to use the API.

andrewkroh avatar May 25 '21 17:05 andrewkroh

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine avatar Jan 04 '22 09:01 elasticmachine

While native MacOS Unified Logging support isn't currently supported or being worked on for Beats/Agent, there was a very popular tool called cmdReporter that people used to pull events from Unified Logging to send to a SIEM. That tool was acquired by Jamf and rebranded, but the good news is, we're about to ship an integration with Jamf Compliance Reporter to provide visibility into Mac events.

Relevant PR: https://github.com/elastic/integrations/pull/3210

jamiehynds avatar May 20 '22 15:05 jamiehynds

While having the integration mentioned by @jamiehynds is great for those that use jamf, it doesn't help the rest of us that don't use that specific product.

So another vote for native support of ingesting security logs for macOS Unified Logging.

defensivedepth avatar Aug 08 '22 13:08 defensivedepth

Thanks for the feedback @defensivedepth - we're currently assessing some options to natively support Unified Logging. Could you share more information on your use case for the Unified Logs - e.g. are you mainly interested in process and authentication events, or any other event types you're interested in monitoring?

jamiehynds avatar Oct 19 '22 12:10 jamiehynds

Process & auth events are definitely on my list. Also (may overlap with above):

  • Gatekeeper events
  • Xprotect events
  • Apple script events
  • sudo, logons, opendirectory events

Some other interesting events (from https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/):

| Predicate | Description |
| --- | --- |
| `process == "sudo"` | Captures command line activity run with elevated privileges |
| `process == "logind"` | Captures user login events |
| `process == "tccd"` | Captures events that indicate permissions and access violations |
| `process == "sshd"` | Captures successful, failed and general ssh activity |
| `process == "kextd" && sender == "IOKit"` | Captures successful and failed attempts to add kernel extensions |
| `process == "screensharingd" \|\| process == "ScreensharingAgent"` | Captures events that indicate successful or failed authentication via screen sharing |
| `process == "loginwindow" && sender == "Security"` | Captures keychain.db unlock events |
| `process == "securityd" && eventMessage CONTAINS "Session " && subsystem == "com.apple.securityd"` | Captures session creation and destruction events |

defensivedepth avatar Oct 19 '22 14:10 defensivedepth
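The predicate table above is the practical core of the thread: until a native input exists, the workaround natewalck describes is `log stream` writing to a file that Filebeat tails. The following is an added example, not code from this issue, from Beats, or from the CrowdStrike post; it shows the two pieces that workaround needs: combining the per-event predicates into one `--predicate` string, and normalising the ndjson records that `log stream --style ndjson` emits into flat events tagged with the category they matched. It assumes the JSON field names seen in `log show --style json` output (`processImagePath`, `senderImagePath`, `eventMessage`, `subsystem`, `timestamp`, `messageType`, `processID`), and that the predicate keywords `process` and `sender` compare against the basename of the corresponding `*ImagePath` field. The sample records are constructed, not captured from a real host.

```python
"""Unified Logging helpers: build a combined `log` predicate and normalise
ndjson records. Added example, not part of the Beats project."""
import json
import posixpath
import re

# Predicate table from the thread, keyed by a short tag used in the output.
PREDICATES = {
    "sudo": 'process == "sudo"',
    "login": 'process == "logind"',
    "tcc": 'process == "tccd"',
    "ssh": 'process == "sshd"',
    "kext": 'process == "kextd" && sender == "IOKit"',
    "screenshare": 'process == "screensharingd" || process == "ScreensharingAgent"',
    "keychain": 'process == "loginwindow" && sender == "Security"',
    "session": 'process == "securityd" && eventMessage CONTAINS "Session " '
               '&& subsystem == "com.apple.securityd"',
}

# One atom of a predicate: <field> <op> "<value>"
ATOM = re.compile(r'^(\w+)\s*(==|!=|CONTAINS)\s*"([^"]*)"$')


def build_predicate(tags=None):
    """OR the selected predicates into one string for `log stream --predicate`.
    Each entry is parenthesised so a mixed &&/|| predicate keeps its grouping."""
    selected = tags or list(PREDICATES)
    return " || ".join(f"({PREDICATES[t]})" for t in selected)


def _field(record, name):
    # Assumption: "process" and "sender" are not literal JSON keys in the
    # ndjson output; they are the basenames of the *ImagePath fields.
    if name == "process":
        return posixpath.basename(record.get("processImagePath", ""))
    if name == "sender":
        return posixpath.basename(record.get("senderImagePath", ""))
    return str(record.get(name, ""))


def _atom(record, text):
    m = ATOM.match(text.strip())
    if not m:
        raise ValueError(f"unsupported predicate atom: {text!r}")
    name, op, value = m.groups()
    actual = _field(record, name)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    return value in actual  # CONTAINS


def matches(record, predicate):
    """Evaluate a flat predicate: || binds looser than &&, no parentheses,
    and no || or && inside quoted values (true for every PREDICATES entry)."""
    return any(
        all(_atom(record, atom) for atom in re.split(r"\s*&&\s*", disjunct))
        for disjunct in re.split(r"\s*\|\|\s*", predicate)
    )


def classify(record):
    return [tag for tag, pred in PREDICATES.items() if matches(record, pred)]


def normalize(ndjson_line):
    """Flatten one ndjson record into an ECS-style event, or return None when
    it matches no predicate so only security-relevant lines are shipped."""
    rec = json.loads(ndjson_line)
    tags = classify(rec)
    if not tags:
        return None
    return {
        "@timestamp": rec.get("timestamp"),
        "process.name": _field(rec, "process"),
        "process.pid": rec.get("processID"),
        "log.logger": rec.get("subsystem"),
        "log.level": rec.get("messageType"),
        "message": rec.get("eventMessage"),
        "tags": tags,
    }


def _rec(ts, proc, sender, msg, subsystem="", pid=1000):
    return json.dumps({"timestamp": ts, "processImagePath": proc,
                       "senderImagePath": sender, "eventMessage": msg,
                       "subsystem": subsystem, "messageType": "Default",
                       "processID": pid})


# Constructed sample records shaped like `log stream --style ndjson` output.
SAMPLE_NDJSON = [
    _rec("2022-10-19 14:02:11.100000-0400", "/usr/bin/sudo", "/usr/bin/sudo",
         "    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id", pid=4242),
    _rec("2022-10-19 14:02:12.200000-0400", "/usr/sbin/sshd", "/usr/sbin/sshd",
         "Accepted publickey for alice from 192.0.2.10 port 50422 ssh2", pid=4300),
    _rec("2022-10-19 14:02:13.300000-0400", "/usr/libexec/kextd",
         "/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit",
         "kext com.example.driver loaded", pid=101),
    _rec("2022-10-19 14:02:14.400000-0400", "/usr/libexec/trustd", "/usr/libexec/trustd",
         "asynchronously fetching CRL", subsystem="com.apple.securityd", pid=230),
    _rec("2022-10-19 14:02:15.500000-0400", "/usr/sbin/securityd", "/usr/sbin/securityd",
         "Session 100013 created, uid:501", subsystem="com.apple.securityd", pid=119),
]


def demo():
    """Normalise the constructed samples; the trustd line is dropped."""
    return [ev for ev in (normalize(line) for line in SAMPLE_NDJSON) if ev]


if __name__ == "__main__":
    print(build_predicate())
    for ev in demo():
        print(json.dumps(ev))
```

On the Mac itself, `build_predicate()` gives the string to pass to `log stream --style ndjson --predicate '...'` from the launchd job, so the file Filebeat tails only contains the eight event classes rather than the whole firehose; `normalize()` is the transformation you would otherwise express as Filebeat JSON decoding plus rename processors. The evaluator deliberately covers only the flat `==`/`!=`/`CONTAINS` grammar the table uses and raises on anything else, so a typo in a predicate fails loudly instead of silently matching nothing.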