© Copyright Netsurion. All Rights Reserved. 1
How-To Guide
Configuring macOS to Forward Logs to
EventTracker
EventTracker v9.3 and above
Publication Date: December 15, 2021
Abstract
This guide provides instructions to configure macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) to generate and forward logs for critical events. After EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor macOS.
Scope
The configuration details in this guide apply to EventTracker v9.3 or above and the macOS versions listed above.
Audience
Administrators who are assigned the task of monitoring macOS events using EventTracker.
Table of Contents
1. Overview 4
2. Prerequisites 4
3. Configuring macOS to Forward Logs to EventTracker 4
3.1 Configuring macOS to Forward Logs to a Syslog Server 4
3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine 7
3.2.1 GUI Installation 7
3.2.2 Command line Installation 9
3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager 9
3.4 Verifying ETSmacOSLogForwarder Installation 10
3.5 ETSmacOSLogForwarder Uninstallation 11
About Netsurion 12
1. Overview
Apple Macintosh Operating System (macOS) produces numerous log files (events) written by various system processes and applications. These logs can be forwarded to a syslog server.
With EventTracker, you can monitor macOS events from a single view. EventTracker checks the status and availability of critical macOS processes and consolidates all the syslog messages.
EventTracker can generate flex reports and trigger alerts whenever it detects suspicious activity. These alerts and flex reports help you analyze login and logout activity, authentication failures, and administrator activity of any kind.
2. Prerequisites
▪ macOS (Sierra, High Sierra, Mojave, Catalina, or Big Sur) should be configured to forward the logs.
▪ Ensure the syslog port provided during the integration is open on any perimeter firewall between macOS and EventTracker.
▪ It is strongly recommended to use a TLS+TCP (syslog over TLS) connection with EventTracker. The EventTracker syslog port should be configured for TLS; please follow this guide. You can also use a TCP or UDP connection depending on your need.
▪ Add an exception for the syslog port on any firewall that sits between macOS and the EventTracker Manager.
3. Configuring macOS to Forward Logs to EventTracker
Note: For installation and upgrade, follow the steps below.
3.1 Configuring macOS to Forward Logs to a Syslog Server
1. Download the integrator package from the portal (https://www.netsurion.com/knowledge-packs/macos).
2. Download the file on the macOS server machine where you want to create the package and push
the package to all the macOS systems.
3. Go to the Utility folder and open the Terminal.
4. Change the directory to where ETSmacOSLogForwarder is located.
5. Make sure the below file has executable permission.
ETSmacOSLogForwarder/ETSmacOSLogForwarder
6. If the file is not executable, use the following commands to make it executable.
chmod a+x ETSmacOSLogForwarder/ETSmacOSLogForwarder
chmod a+x ETSmacOSLogForwarder/build/Scripts/postinstall
chmod a+x ETSmacOSLogForwarder/build/Scripts/preinstall
7. Click the ETSmacOSLogForwarder script in the ETSmacOSLogForwarder folder. A Terminal window opens.
8. Provide the EventTracker Manager Name/IP Address.
9. Provide the EventTracker Manager syslog port number.
10. Choose Protocol for syslog.
Provide the protocol to be used for forwarding the syslog messages. By default, the TLS+TCP protocol (syslog over TLS) is configured. Ensure the TLS+TCP protocol is enabled on the EventTracker Manager.
Following is the enumeration for each protocol:
Protocol number   Protocol
1                 TLS+TCP (syslog over TLS)
2                 TCP (Transmission Control Protocol)
3                 UDP (User Datagram Protocol)
11. Provide the Tenant name.
Note: Tenant name should not contain any space.
12. After configuring, close the terminal window.
13. Check the ETSmacOSLogForwarder folder to ensure the ETSmacOSLogForwarder_<Tenant>.pkg file
is created.
3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine
3.2.1 GUI Installation
1. Copy the ETSmacOSLogForwarder_<Tenant>.pkg file to the client Mac machine.
2. Go to the Utility folder and open the Terminal.
3. Navigate to the directory where the ETSmacOSLogForwarder_<Tenant>.pkg file is located using
the cd command.
4. Click the ETSmacOSLogForwarder_<Tenant>.pkg file and proceed as shown in the following
images.
5. Click Continue.
6. Select your system disk to install software and click Continue.
7. Click Install to install the software.
8. Provide the Admin Username and Password. Click Install Software.
9. After installation is complete, click the Close button.
3.2.2 Command line Installation
1. Open the Terminal and go to the path containing the pkg file.
2. Run the following command with admin privileges.
sudo installer -pkg ETSmacOSLogForwarder_<Tenant>.pkg -target /
3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager
If you have the Munki package manager configured in your environment, use the following method to add the package to the Munki repo.
1. Go to the Utility folder and open the Terminal.
2. Navigate to the directory where the ETSmacOSLogForwarder_<Tenant>.pkg file is located using the
cd command.
3. Enter the following command to import the package to the Munki repository.
munkiimport ETSmacOSLogForwarder_<Tenant>.pkg
4. Fill in the package details as prompted by munkiimport.
5. To create a client manifest for the ETSmacOSLogForwarder_<Tenant>.pkg package, enter the
command:
manifestutil
6. Add package in the manifest using the following command.
add-pkg ETSmacOSLogForwarder_<Tenant> --manifest site_default
For installing and configuring the Munki repository navigate to the link:
https://github.com/munki/munki/wiki/Demonstration-Setup
3.4 Verifying ETSmacOSLogForwarder Installation
1. Open the Terminal and enter the following commands to check that the following directories were created.
sudo ls /etc/ETSmacOSLogForwarder/
sudo ls /var/log/ETSmacOSLogForwarder/
2. Check whether the ETSmacOSLogForwarder Service is loaded and running.
sudo launchctl list | grep ETSmacOSLogForwarder
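As an added, offline-runnable check (this script is not from the Netsurion guide or the ETSmacOSLogForwarder package), the following POSIX shell functions automate the two verification steps above. `ets_check_dirs` confirms the configuration and log directories exist, and `ets_job_state` parses `launchctl list` output, which prints PID, last exit status and label for each job, so a job whose PID column is "-" is reported as loaded but not running instead of silently passing the grep in step 2. The launchd label `com.netsurion.ETSmacOSLogForwarder` in the constructed sample output is a placeholder; the real label is whatever the package registers, and the grep pattern `ETSmacOSLogForwarder` from the guide is all the script relies on.

```shell
#!/bin/sh
# Added verification helper; not part of the Netsurion guide or the
# ETSmacOSLogForwarder package. Checks the two directories section 3.4 says the
# installer creates, and parses `launchctl list` output so that a job that is
# loaded but has exited is not mistaken for a running forwarder.

# Paths from section 3.4 of the guide; overridable for testing on another host.
ETS_CONF_DIR="${ETS_CONF_DIR:-/etc/ETSmacOSLogForwarder}"
ETS_LOG_DIR="${ETS_LOG_DIR:-/var/log/ETSmacOSLogForwarder}"

# ets_check_dirs CONF_DIR LOG_DIR
# Returns 0 when both directories exist, 1 otherwise.
ets_check_dirs() {
    [ -d "$1" ] && [ -d "$2" ]
}

# ets_job_state LAUNCHCTL_OUTPUT PATTERN
# `launchctl list` prints one job per line as "PID<TAB>Status<TAB>Label".
# PID is "-" for a job that is loaded but not currently running, and Status
# is its last exit code. Prints exactly one of:
#   running | loaded-not-running | not-loaded
ets_job_state() {
    line=$(printf '%s\n' "$1" | grep -- "$2" | head -n 1)
    if [ -z "$line" ]; then
        echo "not-loaded"
        return 0
    fi
    pid=$(printf '%s\n' "$line" | awk '{print $1}')
    status=$(printf '%s\n' "$line" | awk '{print $2}')
    if [ "$pid" != "-" ]; then
        echo "running"
    else
        echo "job is loaded but not running; last exit status $status" >&2
        echo "loaded-not-running"
    fi
}

# ets_verify_install CONF_DIR LOG_DIR LAUNCHCTL_OUTPUT
# Combines both checks; returns 0 only when the directories exist and the job runs.
ets_verify_install() {
    ets_check_dirs "$1" "$2" || { echo "missing config or log directory" >&2; return 1; }
    state=$(ets_job_state "$3" ETSmacOSLogForwarder)
    [ "$state" = "running" ] || { echo "service state: $state" >&2; return 1; }
    echo "ETSmacOSLogForwarder installed and running"
}

# ets_verify_live: run the real checks on this Mac (needs sudo, as in the guide).
# Not invoked automatically so the script can also be sourced on a non-Mac host.
ets_verify_live() {
    ets_verify_install "$ETS_CONF_DIR" "$ETS_LOG_DIR" "$(sudo launchctl list)"
}

# Constructed samples of `launchctl list` output for offline demonstration.
# The label com.netsurion.ETSmacOSLogForwarder is an assumed placeholder.
SAMPLE_RUNNING=$(printf 'PID\tStatus\tLabel\n-\t0\tcom.apple.example.agent\n512\t0\tcom.netsurion.ETSmacOSLogForwarder\n')
SAMPLE_EXITED=$(printf 'PID\tStatus\tLabel\n-\t78\tcom.netsurion.ETSmacOSLogForwarder\n')
```

On a client Mac, source the file and run `ets_verify_live`; a non-zero exit with "loaded-not-running" on stderr is the case worth investigating, since the plain `grep` in step 2 would still show a line for it.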
3.5 ETSmacOSLogForwarder Uninstallation
To uninstall the macOS log forwarder, run the following command in the terminal.
sudo sh /etc/ETSmacOSLogForwarder/ETSmacOSLogForwarderUninstaller
About Netsurion
Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.
Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #23 among MSSP Alert’s 2021 Top 250 MSSPs.
Contact Us
Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309
Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSPs SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support