In corporate environments, the collection and analysis of security logs isn’t just best practice. It’s often a compliance requirement. As with most business solutions, there are server and client components for log collection. The client software reads the security log generated by the operating system. The server ingests the logs sent by the clients. Additional server-side software provides search, analysis, and reporting functionality.
MacMaven Consulting recently implemented an open source solution for Mac security log collection. Before turning to FOSS, I looked at a couple of commercial options for collecting logs on the Mac. One solution was pricey for the given functionality. The other solution was very reasonably priced. Unfortunately, it was only sold with the vendor’s MDM product, which greatly increased the required outlay.
I took this as a challenge to find open source software that would solve the problem with minimal customization. Elasticsearch 8 and Filebeat met the need, along with Kibana for searching and reporting. The solution ingests macOS security events in JSON format, in real time. A short shell script was written to kick off the logging and Filebeat processes. This script is run at boot time using a macOS launch daemon.
I don’t want to downplay the level of effort involved in this project. Setting up Elasticsearch, Kibana, and Metricbeat (for stack monitoring) with proper security permissions and custom SSL certificates was time consuming. There was additional client-side work to create a logging command that would output the required security data, and nothing more. Without an efficient logging command, macOS outputs a firehose of log data.
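To make the client side concrete, here is an added example (not MacMaven's own script) of the two pieces described above: a narrow `log stream` command that emits one JSON object per line for Filebeat, and the launch daemon that starts it at boot. The label, paths, and predicate are assumptions for illustration; it also assumes a macOS release whose `log` command supports `--style ndjson`.

```shell
#!/bin/sh
# Added example, not the original MacMaven script. Label, paths and the
# predicate are assumed values; adjust them for your environment.
set -eu

LOG_DIR="/var/log/macsec"
LOG_FILE="$LOG_DIR/security.ndjson"
PLIST="/Library/LaunchDaemons/com.example.macsec-log.plist"
SCRIPT="/usr/local/bin/macsec-log.sh"

# Predicate that narrows the unified-log firehose to a few
# security-relevant sources (illustrative; tune per environment).
log_predicate() {
    printf '%s' 'process == "sudo" OR process == "loginwindow" OR subsystem == "com.apple.securityd" OR subsystem == "com.apple.Authorization"'
}

# Stream one JSON object per line so Filebeat's ndjson parser can read it.
start_log_stream() {
    mkdir -p "$LOG_DIR"
    exec /usr/bin/log stream --style ndjson --level info \
        --predicate "$(log_predicate)" >> "$LOG_FILE"
}

# Render the LaunchDaemon plist that runs this script (as root) at boot
# and restarts it if the stream ever exits.
render_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.macsec-log</string>
    <key>ProgramArguments</key>
    <array><string>$SCRIPT</string><string>run</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# "install" writes the plist; "run" is what launchd invokes at boot.
case "${1:-}" in
    install) render_plist > "$PLIST" ;;
    run)     start_log_stream ;;
esac
```

On the Filebeat side, a `filestream` input pointed at `$LOG_FILE` with an `ndjson` parser turns each line into structured fields before shipping to Elasticsearch.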
The Elasticsearch solution is flexible and industrial-strength. The next step of this project will be to add Winlogbeat for collecting security events for the PCs in the office.