It’s important for any business with more than a handful of computers to centrally collect security logs. A SIEM greatly improves situational awareness through event correlation and automated alerting.
Apple provides a command-line tool (log) and an API for extracting event logs. For businesses that prefer commercial software, JAMF Protect sends macOS events in JSON format to a SIEM. From what I can surmise from its website, the least expensive JAMF option that offers telemetry is Protect High Compliance, which does not send data to the cloud. Another commercial option is NXLog.
An open source option for collecting Mac security events is Wazuh, a SIEM and XDR tool. Its agent uses the log command-line tool to extract macOS log data.
For a MacMaven client that needs to abide by NIST 800-171 requirements, I devised a technique that also uses the log tool to extract security events: the output of log is fed into Filebeat and shipped to Elasticsearch. This was an ideal solution for my client, as all components are open source (no recurring fees!) and we remain in complete control of the configuration.
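To make the log-to-Filebeat step concrete, here is an added example (my illustration, not the author's or MacMaven's own script) that normalises records from log stream --style ndjson into ECS-style NDJSON that a Filebeat filestream input can tail. The predicate, the assumption that the log tool supports --style ndjson, and the sample record are all assumptions or constructed data.

```python
"""Normalise macOS unified-log records from `log stream --style ndjson` into
ECS-style NDJSON that a Filebeat filestream input can ship to Elasticsearch."""
import json
import subprocess
from datetime import datetime

# Assumed predicate: security-relevant subsystems and processes; tune per environment.
PREDICATE = ('subsystem == "com.apple.securityd" OR subsystem == "com.apple.authd" '
             'OR process == "sudo" OR process == "sshd" OR process == "loginwindow"')

# Constructed sample record in the shape `log --style ndjson` emits (not real data).
SAMPLE = {"timestamp": "2024-03-01 10:15:30.123456-0800", "messageType": "Default",
          "processID": 4242, "processImagePath": "/usr/bin/sudo",
          "subsystem": "com.apple.securityd", "category": "auth",
          "eventMessage": "constructed: user authenticated via sudo"}

def parse_log_timestamp(ts: str) -> str:
    """'2024-03-01 10:15:30.123456-0800' -> RFC 3339 with a colon in the offset.
    Elasticsearch's default date parser rejects the space and the bare '-0800'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z").isoformat()

def normalise(record: dict) -> dict:
    """Map unified-log keys onto ECS fields; keep the untouched record under `macos`."""
    image = record.get("processImagePath", "")
    return {
        "@timestamp": parse_log_timestamp(record["timestamp"]),
        "message": record.get("eventMessage", ""),
        "event": {"kind": "event", "provider": record.get("subsystem", "")},
        "process": {"name": image.rsplit("/", 1)[-1], "executable": image,
                    "pid": record.get("processID")},
        "log": {"level": record.get("messageType", "").lower()},
        "macos": record,
    }

def stream_to_ndjson(out_path: str) -> None:
    """Run `log stream` and append one normalised JSON object per line to out_path."""
    cmd = ["log", "stream", "--style", "ndjson", "--predicate", PREDICATE]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) as proc, \
            open(out_path, "a") as out:
        for line in proc.stdout:
            line = line.strip()
            if not line.startswith("{"):
                continue  # skip non-JSON lines such as the "Filtering the log data" banner
            out.write(json.dumps(normalise(json.loads(line))) + "\n")
            out.flush()

if __name__ == "__main__":
    print(json.dumps(normalise(SAMPLE), indent=2))  # dry run on the sample record
    # stream_to_ndjson("/var/log/macos-security.ndjson")  # real run on a Mac
```

Point a Filebeat filestream input with its ndjson parser at the output file; because the fields are already ECS-shaped, no ingest pipeline is needed for the basic mapping.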