Jun 16 2020 03:31 PM - last edited on Jan 04 2022 12:24 PM by TechCommunityAP
With no Agent readily available for Mac OS devices has anyone been able to onboard any logs into Azure Sentinel by Syslog or any other method?
Jun 17 2020 03:51 AM
@arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then set up custom log ingestion into the Log Analytics workspace for Sentinel.
https://docs.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts#collect-device-logs
You will still need to do some post-ingestion parsing, though.
Jun 19 2020 08:34 AM
@Rod_Trent thanks for providing this information. I will look further at Intune (Endpoint Manager) integration with Azure Sentinel.
Jun 22 2020 12:43 AM
@arran1580 : MacOS natively supports syslog. You can find instructions on how to forward it here.
Jun 22 2020 02:07 AM
@Ofer_Shezaf thanks for providing the information around syslog for Mac.
Syslog was originally how I was planning to get the logs integrated with Azure Sentinel; however, I've read many forums and websites stating that syslog functionality for multiple OSes is broken due to System Integrity Protection (SIP) in Mac OS X 10.11 onwards. Some known examples of Mac OS X which are reported to have a lot of issues with syslog include Sierra and High Sierra.
Sep 03 2020 08:17 AM
@arran1580
You could look at CMDReporter. When testing out multiple SIEMs, our Mac systems became a big sticking point based on how macOS now consolidates its logs into the Unified Logging system. CMDReporter was a cheap third-party tool that would parse the data out of the Unified Logging system and dump it to a JSON file to send to the respective log correlation system of your choosing. Seemed to be the best way forward for us.
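The two working suggestions in this thread, pulling records out of the macOS Unified Logging system as JSON and pushing them into a custom Log Analytics table, can be wired together without a third-party agent. The script below is an added example, not code from any poster or from CMDReporter: it takes the JSON array shape that `log show --style json` produces (the sample records and hostname are constructed, and the field names are assumed to match that output, which varies somewhat by macOS version), flattens the log events into a stable schema, and builds the signed request for the Log Analytics HTTP Data Collector API. The workspace id, shared key and `MacUnifiedLog` table name are placeholders; nothing is sent over the network.

```python
"""Shape macOS unified log records for custom ingestion into Log Analytics.

Added example. Assumes input in the shape of `log show --style json` (a JSON
array of event objects) and delivery via the Log Analytics HTTP Data
Collector API, which creates/extends the custom table <Log-Type>_CL.
"""
import base64
import datetime
import hashlib
import hmac
import json
import posixpath

# Constructed sample in the shape `log show --style json` emits. Exact keys
# differ between macOS versions, so treat these field names as an assumption.
SAMPLE_LOG_SHOW_JSON = json.dumps([
    {
        "timestamp": "2020-06-16 15:31:02.123456+0100",
        "eventType": "logEvent",
        "messageType": "Error",
        "subsystem": "com.apple.securityd",
        "category": "security",
        "processID": 123,
        "processImagePath": "/usr/libexec/securityd",
        "eventMessage": "constructed message: authorization failed",
    },
    {
        "timestamp": "2020-06-16 15:31:03.000001+0100",
        "eventType": "logEvent",
        "messageType": "Default",
        "subsystem": "com.apple.loginwindow",
        "category": "default",
        "processID": 456,
        "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
        "eventMessage": "constructed message: user session started",
    },
    # Activity/trace events carry no message; a SIEM table does not want them.
    {"timestamp": "2020-06-16 15:31:04.000000+0100", "eventType": "activityCreateEvent", "processID": 789},
])

# Constructed placeholders: a real workspace id is a GUID and the shared key is
# the base64 primary key shown under the workspace's "Agents management" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed placeholder shared key").decode()
LOG_TYPE = "MacUnifiedLog"  # lands in the custom table MacUnifiedLog_CL


def parse_unified_timestamp(value):
    """'2020-06-16 15:31:02.123456+0100' -> ISO 8601 in UTC."""
    parsed = datetime.datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")
    return parsed.astimezone(datetime.timezone.utc).isoformat()


def normalize(records, hostname="constructed-mac"):
    """Flatten log events into a fixed schema; drop non-log events and
    entries without a message so the table stays queryable."""
    out = []
    for rec in records:
        if rec.get("eventType") != "logEvent" or not rec.get("eventMessage"):
            continue
        out.append({
            "EventTime": parse_unified_timestamp(rec["timestamp"]),
            "Host": hostname,
            "Level": rec.get("messageType", "Default"),
            "Subsystem": rec.get("subsystem", ""),
            "Category": rec.get("category", ""),
            "ProcessId": rec.get("processID"),
            "Process": posixpath.basename(rec.get("processImagePath", "")),
            "Message": rec["eventMessage"],
        })
    return out


def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization header for the Data Collector API: HMAC-SHA256 over the
    canonical string, keyed with the base64-decoded workspace shared key."""
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Return (url, headers, body) for one batch; the caller does the POST."""
    body = json.dumps(records)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body.encode("utf-8"))),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "EventTime",  # keep the Mac's event time, not ingest time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def normalize_sample():
    return normalize(json.loads(SAMPLE_LOG_SHOW_JSON))


def build_sample_request():
    fixed_now = datetime.datetime(2020, 6, 16, 14, 31, 5, tzinfo=datetime.timezone.utc)
    return build_request(WORKSPACE_ID, SHARED_KEY, LOG_TYPE, normalize_sample(), now=fixed_now)


if __name__ == "__main__":
    url, headers, body = build_sample_request()
    print(url)
    print(json.dumps(headers, indent=2))
    print(body)
```

On a managed Mac this would run from the Intune shell script mentioned earlier, feeding `log show --style json --last 5m` into `normalize()` and POSTing the result with `urllib.request`; the `time-generated-field` header is what keeps `TimeGenerated` in Sentinel aligned with the device clock rather than the upload time, which matters when a laptop has been offline and uploads a backlog.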