Event Log Monitoring for macOS
The suspicious event log monitor app now supports macOS devices. Since macOS 10.12 Apple has completely redesigned the logging interface on mac and moved away from typical linux style text files to the Unified Event Log architecture.
The RocketCyber Supsicious Event Log Monitor app is designed to collect desired log data from the Unified Event Log found in modern versions of macOS.
From the dashboard either in the MSP context, Customer context or a Device Context, click the Configure button on the Suspcious Event Monitor App Card
This displays the apps configuration options. Next click on macOS to display the specific configuration options for the Apple Mac platform
Here you can choose which events should be monitored and other configuration items. By default the agent will check for matching events every 5 minutes (300 seconds), this can be adjusted either up or down to the desired interval.
One of the key goals of the redesign of the macOS logging system to Unified Logging was to create a level of privacy so that potentially sensitive information such as ip addresses, user names etcs would be redacted from the general log view. As shown in the example below, the username is redacted and replaced with the tag <private>
Authentication failed for <private> with ODErrorCredentialsInvalid
By default, logs are set to private mode and this information is stripped or redacted. This presents a challenge from the sercurity standpoint when this data is required to perform investigations etc. Luckily there is the capability to turn this feature off.
By default, the event log monitor run in privacy mode, meaning that potentially sensitive information will be masked or redacted in the logs. By switching the Log Privacy option to off this will configure the logs to record the potentially sensitive information and allow more robust investigations. NOTE: Turning off Log privacy will only effect log entries going forward, entries that were recorded in the past with privacy turned on will remain private.
There is a default set of events that are defined that provide meaningfull security incident alerts. Should you find the need to include additional log data you can add a Custom Event type by clicking on Add a Custom Event.
The required fields for a custom event are displayed above.
- Event ID - This is an identifier of your choice that will allow you to quickly recognize the events in reports and triage. They can be alpha or numeric but not contain spaces.
- Filter - This is the search filter for the log file in predicate syntax. Example:
subsystem = "com.apple.opendirectoryd"
The filter above will return all events for the opendirectoryd service
- Description - This is a textual description of the event such as : Failed authentication.
For more information on building predicate filters and syntax options see: