Jun 16 2020 03:31 PM
Jun 17 2020 03:51 AMSolution
@arran1580 If you're using Intune (Endpoint Manager) to manage the Mac devices, you can do the following and then setup custom log ingestion into the Log Analytics workspace for Sentinel.
You will still need to do some post-ingestion parsing, though.
Jun 22 2020 02:07 AM
@Ofer_Shezafthanks for providing the information around syslog for Mac.
Syslog was originally how I was planning to get the logs integrated with Azure Sentinel however, I've read many forms and websites stating that functionality of syslog for multiple OS is broken due to System Integrity Protection (SIP) in Mac OS X 10.11 onwards. Some know examples of Mac OS X which are reported to have a lot of issues with Syslog include Sierra and High Sierra.
Sep 03 2020 08:17 AM
You could look at CMDReporter. When testing out multiple SIEMS our MAC systems became a big sticking point based on how it now consolidates its logs into the Unified Logging system. CMDReporter was a cheap third party tool that would parse the data out of the unified logging system and dump it to a JSON file to send to the respective Log Correlation system of your choosing. Seemed to be the best way forward for us.