Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Mac OS Logs

Copper Contributor

With no Agent readily available for Mac OS devices has anyone been able to onboard any logs into Azure Sentinel by Syslog or any other method?

5 Replies
best response confirmed by arran1580 (Copper Contributor)
Solution

@arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then setup custom log ingestion into the Log Analytics workspace for Sentinel.

 

https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#collect-device-logs

 

You will still need to do some post-ingestion parsing, though.

@Rod_Trent thanks for providing this information. I will look further at Intune (Endpoint Manager) integration with Azure Sentinel.

@arran1580 : MacOS natively supports syslog. You can find instructions on how to forward it here.

@Ofer_Shezafthanks for providing the information around syslog for Mac.

Syslog was originally how I was planning to get the logs integrated with Azure Sentinel however, I've read many forms and websites stating that functionality of syslog for multiple OS is broken due to System Integrity Protection (SIP) in Mac OS X 10.11 onwards. Some know examples of Mac OS X which are reported to have a lot of issues with Syslog include Sierra and High Sierra.

@arran1580 
You could look at CMDReporter. When testing out multiple SIEMS our MAC systems became a big sticking point based on how it now consolidates its logs into the Unified Logging system. CMDReporter was a cheap third party tool that would parse the data out of the unified logging system and dump it to a JSON file to send to the respective Log Correlation system of your choosing. Seemed to be the best way forward for us.

1 best response

Accepted Solutions
best response confirmed by arran1580 (Copper Contributor)
Solution

@arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then setup custom log ingestion into the Log Analytics workspace for Sentinel.

 

https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#collect-device-logs

 

You will still need to do some post-ingestion parsing, though.

View solution in original post