Forum Discussion
Mac OS Logs
With no agent readily available for Mac OS devices, has anyone been able to onboard any logs into Azure Sentinel by Syslog or any other method?
arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then setup custom log ingestion into the Log Analytics workspace for Sentinel.
https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#collect-device-logs
You will still need to do some post-ingestion parsing, though.
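The "post-ingestion parsing" step in practice, as an added example that is not from this thread, Intune, or CMDReporter: a small Python normaliser that takes the JSON emitted by macOS `log show --style json` (the Unified Logging export), filters by level, and flattens each entry into a fixed-schema NDJSON line that a Log Analytics custom-log table can hold. The field names (`timestamp`, `messageType`, `subsystem`, `category`, `processImagePath`, `processID`, `eventMessage`) are assumed from the `log show` JSON output; the sample input is constructed.

```python
"""Flatten macOS unified-log JSON (as emitted by `log show --style json`) into
one-record-per-line NDJSON with a fixed schema, ready for custom log ingestion."""
import json
from datetime import datetime, timezone

# Fields kept from each unified-log record (assumed `log show` key names);
# everything else is dropped so the custom table schema stays stable.
KEEP = ("timestamp", "messageType", "subsystem", "category",
        "processImagePath", "processID", "eventMessage")

def to_utc_iso(ts: str) -> str:
    """Convert the `log show` timestamp ("YYYY-MM-DD HH:MM:SS.ffffff+ZZZZ")
    to UTC ISO 8601 so the workspace can use it as the event time."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def normalise(raw_json: str, min_level: str = "Default") -> list:
    """Parse the JSON array from `log show --style json`, drop records below
    min_level (Debug/Info chatter), and return flat dicts of the KEEP fields."""
    levels = {"Debug": 0, "Info": 1, "Default": 2, "Error": 3, "Fault": 4}
    threshold = levels[min_level]
    out = []
    for rec in json.loads(raw_json):
        if levels.get(rec.get("messageType"), 0) < threshold:
            continue
        flat = {k: rec.get(k) for k in KEEP}
        flat["TimeGenerated"] = to_utc_iso(rec["timestamp"])
        out.append(flat)
    return out

def to_ndjson(records: list) -> str:
    """One JSON object per line, the shape custom-log ingestion expects."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

# Constructed sample resembling `log show --style json --last 5m` output.
SAMPLE = json.dumps([
    {"timestamp": "2021-03-01 10:15:32.123456-0800", "messageType": "Error",
     "subsystem": "com.apple.securityd", "category": "authorization",
     "processImagePath": "/usr/sbin/securityd", "processID": 123,
     "eventMessage": "authorization failed for right com.apple.login.admin"},
    {"timestamp": "2021-03-01 10:15:33.000001-0800", "messageType": "Debug",
     "subsystem": "com.apple.network", "category": "connection",
     "processImagePath": "/usr/libexec/nehelper", "processID": 456,
     "eventMessage": "connection idle"},
])

if __name__ == "__main__":
    print(to_ndjson(normalise(SAMPLE)))
```

On a managed Mac the same script would read `log show --style json --last 5m` from stdin instead of `SAMPLE` and write the NDJSON to the file the Intune collection script picks up.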
5 Replies
- J_myers (Copper Contributor)
arran1580
You could look at CMDReporter. When testing out multiple SIEMs, our Mac systems became a big sticking point based on how it now consolidates its logs into the Unified Logging system. CMDReporter was a cheap third-party tool that would parse the data out of the unified logging system and dump it to a JSON file to send to the respective log correlation system of your choosing. Seemed to be the best way forward for us.
- Ofer_Shezaf
Microsoft
- arran1580 (Copper Contributor)
Ofer_Shezaf thanks for providing the information around syslog for Mac.
Syslog was originally how I was planning to get the logs integrated with Azure Sentinel; however, I've read many forums and websites stating that syslog functionality for multiple OS versions is broken due to System Integrity Protection (SIP) in Mac OS X 10.11 onwards. Some known examples of Mac OS X which are reported to have a lot of issues with syslog include Sierra and High Sierra.
- Rod_Trent
Microsoft