Log Analysis cannot parse OSX logs #4572

Closed
cliftyman opened this issue Feb 6, 2020 · 5 comments · Fixed by #8632

@cliftyman

|3.1x|Log Analysis|Ubuntu LTS|

Preface: This issue is more related to the nature of the Mac logging structure. Due to the nature of OSX and the Mac Unified Logger, critical authentication events, installer events, etc. are not written to text logs using syslogd, resident on the local file system in areas Log Analysis can parse. The Unified Logger has its own database of events, and the Console app and the `log` CLI command are used to poll the DB for select log events.

Due to the above functionality I've found no way to make Log Analysis create alerts for critical security events as it does on Windows and Linux operating systems.

@Lopuiz Lopuiz added the type/enhancement New feature or request label Feb 10, 2020
@vikman90
Member

Hi @cliftyman,

If I've understood right, this issue does not —mainly— affect log analysis (Ubuntu LTS) but log collection (macOS 10.12+).

Just as you mentioned, macOS Sierra and newer use the Unified Logging system, which stores the logs in a database instead of plain-text logs, and it's accessible via an API (Logging documentation).

I'm not an expert in any of Apple's frameworks, but I think we would need to use the Objective-C language. The agent is written in C, so this would require translating some components.

Anyway, log collection is a key feature that the agent should support on every platform. Let us discuss this issue with the team, and fit it in the roadmap.

Thank you for opening this issue and giving us feedback.

Best regards.
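As an added example (not Wazuh code, and not the approach taken in the eventual fix), here is one way to get the events this issue is about out of Unified Logging without writing Objective-C: shell out to the `log` CLI and turn its JSON export into syslog-style lines that a file-based log collector could ingest. The `log show --last/--style json/--predicate` options and the `timestamp`/`messageType`/`eventMessage`/`processImagePath`/`processID` field names are real; the process allow-list, the hostname, the output line format and the sample records are assumptions constructed for the example.

```python
"""Export security-relevant records from macOS Unified Logging as syslog-style
lines that a file-based log collector could ingest.

Added example, not Wazuh code. Assumes the field names emitted by
`log show --style json` (timestamp, messageType, eventMessage, processImagePath,
processID); the process allow-list and the sample records are constructed here.
"""
import json
import os
import subprocess
import sys
from datetime import datetime

# Processes whose events we want to forward (assumption: tune per environment).
SECURITY_PROCESSES = ("sshd", "authd", "sudo", "opendirectoryd", "loginwindow", "installer")

# Unified Logging message types that are noise for alerting purposes.
SKIP_TYPES = {"Debug"}

# Constructed sample in the shape of `log show --style json` output.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2021-03-18 10:21:33.123456+0100", "messageType": "Default",
     "processImagePath": "/usr/sbin/sshd", "processID": 4312,
     "eventMessage": "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"},
    {"timestamp": "2021-03-18 10:22:01.000100+0100", "messageType": "Info",
     "processImagePath": "/usr/bin/sudo", "processID": 4400,
     "eventMessage": "alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"},
    {"timestamp": "2021-03-18 10:22:05.500000+0100", "messageType": "Debug",
     "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "processID": 120, "eventMessage": "appearance changed"},
    {"timestamp": "2021-03-18 10:23:40.250000+0100", "messageType": "Default",
     "processImagePath": "/usr/sbin/installer", "processID": 4501,
     "eventMessage": "Installed package com.example.agent.pkg"},
    {"timestamp": "2021-03-18 10:24:00.000000+0100", "messageType": "Default",
     "processImagePath": "/usr/libexec/trustd", "processID": 300,
     "eventMessage": "Caught SIGHUP"},
])


def build_show_command(last="1h", processes=SECURITY_PROCESSES):
    """Build the `log show` argv that exports matching records as JSON.

    `--last`, `--style json` and `--predicate` are real `log show` options;
    the predicate uses NSPredicate syntax on the `process` key."""
    predicate = " OR ".join('process == "%s"' % p for p in processes)
    return ["log", "show", "--last", last, "--style", "json", "--predicate", predicate]


def _normalise_timestamp(ts):
    """Convert '2021-03-18 10:21:33.123456+0100' to ISO 8601; keep raw text on failure."""
    try:
        return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z").isoformat(timespec="seconds")
    except ValueError:
        return ts


def select_security_records(json_text, processes=SECURITY_PROCESSES):
    """Parse `log show --style json` output and keep the records we care about.

    The predicate already filters on the device, but re-checking here makes
    the function safe to run on unfiltered exports too."""
    selected = []
    for rec in json.loads(json_text):
        process = os.path.basename(rec.get("processImagePath", ""))
        if process not in processes or rec.get("messageType") in SKIP_TYPES:
            continue
        selected.append({
            "timestamp": _normalise_timestamp(rec.get("timestamp", "")),
            "process": process,
            "pid": rec.get("processID"),
            "level": rec.get("messageType", "Default"),
            "message": rec.get("eventMessage", "").strip(),
        })
    return selected


def to_syslog_line(rec, hostname="localhost"):
    """Render one selected record as a syslog-like line (format chosen for this example)."""
    return "%s %s %s[%s]: %s" % (rec["timestamp"], hostname, rec["process"], rec["pid"], rec["message"])


def export_lines(json_text, hostname="localhost"):
    """Full pipeline: JSON export text in, one syslog-style line per kept record out."""
    return [to_syslog_line(r, hostname) for r in select_security_records(json_text)]


if __name__ == "__main__":
    if sys.platform == "darwin":
        # Real export: needs the `log` tool and, for some subsystems, root.
        text = subprocess.run(build_show_command(), capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_JSON  # off-macOS: run on the constructed sample instead
    for line in export_lines(text):
        print(line)
```

On a Mac, running the script exports the last hour of matching records; elsewhere it processes the constructed sample and prints three lines (the Debug loginwindow record and the trustd record are dropped). A `log stream` invocation with the same predicate and `--style syslog` would give a continuous feed instead of a periodic batch; either way the collector ingests plain lines rather than the Unified Logging database.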

@vikman90
Member

Related mailing list thread

OSX rules/config options

@mbailey0074

I am looking into doing this as well. Is there any update or further information on this yet?

@scoobydooxp

Dang Apple. Has anyone had a chance to look into this?

@vikman90
Member

Hi @mbailey0074 @scoobydooxp,

I'm afraid this issue is still in the icebox as we've not been able to schedule it. The enhancement, while necessary, requires a profound change to Logcollector and the agent build process.

Hope to develop this soon, but I cannot give a deadline yet.

Best regards.

@vikman90 vikman90 added this to Power in Product roadmap Dec 19, 2020
@JcabreraC JcabreraC added the epic label Mar 18, 2021
Product roadmap
Ready v4.3.0