
Page 1: How to configure macOS to forward logs to EventTracker

© Copyright Netsurion. All Rights Reserved. 1

How-To Guide

Configuring macOS to Forward Logs to

EventTracker

EventTracker v9.3 and above

Publication Date:

December 15, 2021


Abstract

This guide provides instructions to configure macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) to generate and forward logs for critical events. After EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor macOS.

Scope

The configuration details in this guide are consistent with EventTracker version v9.3 or above, and macOS.

Audience

Administrators who are assigned the task of monitoring macOS events using EventTracker.


Table of Contents

Table of Contents ............ 3

1. Overview ............ 4

2. Prerequisites ............ 4

3. Configuring macOS to Forward Logs to EventTracker ............ 4

3.1 Configuring macOS to Forward Logs to a Syslog Server ............ 4

3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine ............ 7

3.2.1 GUI Installation ............ 7

3.2.2 Command line Installation ............ 9

3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager ............ 9

3.4 Verifying ETSmacOSLogForwarder Installation ............ 10

3.5 ETSmacOSLogForwarder Uninstallation ............ 11

About Netsurion ............ 12


1. Overview

Apple Macintosh Operating System (macOS) contains numerous log files (events) written by various system processes and applications. These logs can be forwarded to a syslog server.

With EventTracker, you can monitor macOS events from a single view. EventTracker checks the status and availability of critical macOS processes and consolidates all the syslog messages.

EventTracker can generate flex reports and can also trigger alerts whenever it detects suspicious activity. These alerts and flex reports help you analyze login and logout activity, authentication failures, and any kind of administrator activity.

2. Prerequisites

▪ macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) should be configured to forward the logs.

▪ Ensure the syslog port provided during the integration is open between macOS and the perimeter firewalls.

▪ It is strongly recommended to use a TLS+TCP (syslog over TLS) connection with EventTracker. The EventTracker syslog port should be configured for TLS; please follow this guide. You can also use a TCP or UDP connection depending on your needs.

▪ Add an exception for the syslog port on any firewall that sits between macOS and the EventTracker Manager.

3. Configuring macOS to Forward Logs to EventTracker

Note: Follow the steps below for both installation and upgrade.

3.1 Configuring macOS to Forward Logs to a Syslog Server

1. Download the integrator package from the portal (https://www.netsurion.com/knowledge-packs/macos).

2. Download the file on the macOS machine where you want to create the package; from there you will push the package to all the macOS systems.

3. Go to the Utility folder and open the Terminal.

4. Change the directory to where ETSmacOSLogForwarder is located.

5. Make sure the following file has executable permission.

ETSmacOSLogForwarder/ETSmacOSLogForwarder


6. If the file is not executable, use the following commands to make it executable.

chmod a+x ETSmacOSLogForwarder/ETSmacOSLogForwarder

chmod a+x ETSmacOSLogForwarder/build/Scripts/postinstall

chmod a+x ETSmacOSLogForwarder/build/Scripts/preinstall

7. Click the ETSmacOSLogForwarder script in ETSmacOSLogForwarder. A Terminal window opens.

8. Provide the EventTracker Manager Name/IP Address.

9. Provide the EventTracker Manager syslog port number.

10. Choose the protocol for syslog.


Provide the protocol to be used to forward the syslog messages. By default, the TLS+TCP protocol (syslog over TLS) is configured. Ensure the TLS+TCP protocol is enabled on the EventTracker Manager.

The enumeration for each protocol is as follows:

Protocol number   Protocol

1                 TLS+TCP (syslog over TLS)

2                 TCP (Transmission Control Protocol)

3                 UDP (User Datagram Protocol)

11. Provide the Tenant name.

Note: The Tenant name must not contain any spaces.

12. After configuring, close the Terminal window.

13. Check the ETSmacOSLogForwarder folder to ensure the ETSmacOSLogForwarder_<Tenant>.pkg file has been created.
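A pre-flight check for the package build in section 3.1, added here as an example (it is not part of the Netsurion package): it verifies the executable permissions from steps 5 and 6, the port number from step 9, the protocol number from step 10 and the tenant-name rule from step 11 before the ETSmacOSLogForwarder script is run. The function names and the default folder name are assumptions; the file paths and protocol numbers come from the guide.

```shell
#!/bin/sh
# Pre-flight check for the ETSmacOSLogForwarder package build (section 3.1).
# Function names and the default folder name are assumptions; the file paths,
# the protocol numbers and the tenant-name rule are taken from the guide.

# Steps 5 and 6: every file the build needs must be executable; fix it if not.
ensure_executable() {
    dir="${1:-ETSmacOSLogForwarder}"
    for f in "$dir/ETSmacOSLogForwarder" \
             "$dir/build/Scripts/postinstall" \
             "$dir/build/Scripts/preinstall"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        [ -x "$f" ] || chmod a+x "$f" || return 1
    done
}

# Step 9: the Manager syslog port must be a number in 1..65535.
validate_port() {
    case "$1" in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Step 10: map the protocol number the script asks for to its name;
# 1 (syslog over TLS) is the default and the recommended choice.
protocol_name() {
    case "$1" in
        1) echo "TLS+TCP" ;;
        2) echo "TCP" ;;
        3) echo "UDP" ;;
        *) return 1 ;;
    esac
}

# Step 11: the tenant name must not contain a space, because it becomes
# part of the package name ETSmacOSLogForwarder_<Tenant>.pkg.
validate_tenant() {
    case "$1" in '' | *' '*) return 1 ;; *) return 0 ;; esac
}

# Usage: sh preflight.sh <port> <protocol-number> <tenant>
if [ "$#" -eq 3 ]; then
    validate_port "$1" || { echo "invalid port: $1" >&2; exit 1; }
    proto=$(protocol_name "$2") || { echo "invalid protocol number: $2" >&2; exit 1; }
    validate_tenant "$3" || { echo "tenant name must not contain spaces" >&2; exit 1; }
    ensure_executable && echo "ready: port=$1 protocol=$proto tenant=$3"
fi
```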


3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine

3.2.1 GUI Installation

1. Copy the ETSmacOSLogForwarder_<Tenant>.pkg file to the client Mac machine.

2. Go to the Utility folder and open the Terminal.

3. Navigate to the directory where the ETSmacOSLogForwarder_<Tenant>.pkg file is located using the cd command.

4. Click the ETSmacOSLogForwarder_<Tenant>.pkg file and proceed as shown in the following images.

5. Click Continue.

6. Select your system disk to install the software and click Continue.


7. Click Install to install the software.

8. Provide the Admin Username and Password. Click Install Software.


9. After installation is complete, click the Close button.

3.2.2 Command line Installation

1. Open the Terminal and go to the path containing the pkg file.

2. Run the following command with admin privileges.

sudo installer -pkg ETSmacOSLogForwarder_<Tenant>.pkg -target /

3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager

If you have the Munki package manager configured in your environment, use the following method to add the package to the Munki repo.

1. Go to the Utility folder and open the Terminal.

2. Navigate to the directory where the ETSmacOSLogForwarder_<Tenant>.pkg file is located using the cd command.

3. Enter the following command to import the package into the Munki repository.

munkiimport ETSmacOSLogForwarder_<Tenant>.pkg


4. Fill in the details as mentioned in the above image.

5. To create a client manifest for the ETSmacOSLogForwarder_<Tenant>.pkg package, enter the command:

manifestutil

6. Add the package to the manifest using the following command.

add-pkg ETSmacOSLogForwarder_<Tenant> --manifest site_default

For installing and configuring the Munki repository, see:

https://github.com/munki/munki/wiki/Demonstration-Setup

3.4 Verifying ETSmacOSLogForwarder Installation

1. Open the Terminal and run the following commands to check that the files were created.

sudo ls /etc/ETSmacOSLogForwarder/

sudo ls /var/log/ETSmacOSLogForwarder/

2. Check whether the ETSmacOSLogForwarder service is loaded and running.

sudo launchctl list | grep ETSmacOSLogForwarder


3.5 ETSmacOSLogForwarder Uninstallation

To uninstall the macOS log forwarder, run the following command in the Terminal.

sudo sh /etc/ETSmacOSLogForwarder/ETSmacOSLogForwarderUninstaller


About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #23 among MSSP Alert’s 2021 Top 250 MSSPs.

Contact Us

Corporate Headquarters

Netsurion

Trade Centre South

100 W. Cypress Creek Rd

Suite 530

Fort Lauderdale, FL 33309

Contact Numbers

EventTracker Enterprise SOC: 877-333-1433 (Option 2)

EventTracker Enterprise for MSPs SOC: 877-333-1433 (Option 3)

EventTracker Essentials SOC: 877-333-1433 (Option 4)

EventTracker Software Support: 877-333-1433 (Option 5)

https://www.netsurion.com/eventtracker-support