Forum Discussion

Copper Contributor

Jun 16, 2020

Solved

Mac OS Logs

With no Agent readily available for Mac OS devices has anyone been able to onboard any logs into Azure Sentinel by Syslog or any other method?

Log Data

Rod_Trent
Jun 17, 2020
arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then setup custom log ingestion into the Log Analytics workspace for Sentinel.

https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#collect-device-logs

You will still need to do some post-ingestion parsing, though.

Ofer_Shezaf

Microsoft

Jun 22, 2020

arran1580 : MacOS natively supports syslog. You can find instructions on how to forward it here.

arran1580

Copper Contributor

Jun 22, 2020

Ofer_Shezafthanks for providing the information around syslog for Mac.

Syslog was originally how I was planning to get the logs integrated with Azure Sentinel however, I've read many forms and websites stating that functionality of syslog for multiple OS is broken due to System Integrity Protection (SIP) in Mac OS X 10.11 onwards. Some know examples of Mac OS X which are reported to have a lot of issues with Syslog include Sierra and High Sierra.