Event Log Monitoring for macOS - Connect IT Community | Kaseya
<main> <article class="userContent">
<h2 data-id="learn-about-and-configure-event-log-monitoring-for-mac">Learn about and configure event log monitoring for Mac</h2>
<h3 data-id="overview"><strong>Overview</strong></h3>
<p>The RocketCyber Suspicious Event Log Monitor app collects the desired log data from the Unified Event Log found in modern versions of macOS.</p>
<h3 data-id="configuration"><strong>Configuration</strong></h3>
<p>1. From the dashboard in the MSP, Customer, or Device context, click the <strong>Configure</strong> button on the <strong>Suspicious Event Monitor</strong> app card.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/NO8DQLJDPCN8/screen-shot-2020-01-03-at-3-44-52-pm.png" alt="screen-shot-2020-01-03-at-3-44-52-pm.png" class="embedImage-img importedEmbed-img" /></figure>
<p>2. This displays the app's configuration options. Next, click on <strong>macOS</strong>.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/PPZN0NRSP537/screen-shot-2020-01-03-at-3-47-47-pm.png" alt="screen-shot-2020-01-03-at-3-47-47-pm.png" class="embedImage-img importedEmbed-img" /></figure>
<p>3. Here you can choose which events should be monitored, along with other configuration items. By default the agent checks for matching events every 5 minutes (300 seconds); the interval can be adjusted up or down as desired.</p>
<h3 data-id="log-privacy"><strong>Log Privacy</strong></h3>
<p>One of the key goals of redesigning the macOS logging system into Unified Logging was to add a level of privacy, so that potentially sensitive information such as IP addresses, user names, etc. is redacted from the general log view. As shown in the example below, the username is redacted and replaced with the tag <code>&lt;private&gt;</code>:</p>
<pre data-content="cpp" class="code codeBlock" spellcheck="false" tabindex="0">Authentication failed for &lt;private&gt; with ODErrorCredentialsInvalid</pre>
<p>By default, logs are set to private mode and this information is stripped or redacted. This presents a challenge from a security standpoint when the data is required to perform investigations. Luckily, there is the capability to turn this feature off.</p>
<p>By default, the Event Log Monitor runs in privacy mode, meaning that potentially sensitive information is masked or redacted in the logs. Switching the <strong>Log Privacy</strong> option to <strong>Off</strong> configures the logs to record the potentially sensitive information and allows more robust investigations.</p>
<div data-hs-callout-type="note"> <p>Turning off Log Privacy only affects log entries going forward; entries recorded in the past with privacy turned on remain private.</p> </div>
<h3 data-id="custom-events"><strong>Custom Events</strong></h3>
<p>A default set of events is defined that provides meaningful security incident alerts. Should you need to include additional log data, you can add a Custom Event type as follows:</p>
<p>1. Click on <strong>Add a Custom Event</strong>.</p>
<figure><img src="https://us.v-cdn.net/6032361/uploads/migrated/D5KIMWWACBUT/screen-shot-2020-01-03-at-3-49-04-pm.png" alt="screen-shot-2020-01-03-at-3-49-04-pm.png" class="embedImage-img importedEmbed-img" /></figure>
<p>The required fields for a custom event are displayed above.</p>
<ul><li>Event ID - An identifier of your choice that lets you quickly recognize the events in reports and triage. It can be alphabetic or numeric but must not contain spaces.</li>
<li>Filter - The search filter for the log, in predicate syntax. Example:</li> </ul>
<pre class="code codeBlock" spellcheck="false" tabindex="0">subsystem = "com.apple.opendirectoryd"</pre>
<p>The filter above returns all events for the <em>opendirectoryd</em> service.</p>
<ul><li>Description - A textual description of the event, such as "Failed authentication".</li> </ul>
<p>For more information on building predicate filters and syntax options, see:</p>
<p><a href="https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html" rel="noopener nofollow">https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/Articles/pSyntax.html</a></p>
</article> </main>
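As an added example (not RocketCyber or Kaseya code), the Python script below does by hand what one polling cycle of the Event Log Monitor does: it runs the macOS `log show` tool with a predicate filter like the custom-event example above, covering the default 300-second interval, parses the JSON output, and flags every matching entry in which Unified Logging substituted `<private>` for a value. That flag tells an analyst at a glance whether Log Privacy was still on when an event was recorded, which matters because entries logged before the option is switched off stay redacted. The JSON field names it reads (`timestamp`, `subsystem`, `processImagePath`, `eventMessage`) and the three sample entries are assumptions of this example; on a non-macOS host the script runs against that constructed sample instead of calling `log`.

```python
"""One polling cycle of a macOS unified-log monitor, with redaction detection.

Added example, not RocketCyber or Kaseya code. It wraps the `log show`
tool that ships with macOS and parses its `--style json` output. On any
other OS it runs against the constructed sample below instead.
"""
import json
import platform
import re
import subprocess
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Marker that Unified Logging substitutes for dynamic values while log
# privacy is on (see the redacted authentication failure on the page).
PRIVATE_MARKER = "<private>"

# Constructed sample shaped like `log show --style json` output. The field
# names used here (timestamp, subsystem, processImagePath, eventMessage)
# are an assumption about that format, as is the content of each entry.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2020-01-03 15:44:52.000000-0500",
     "subsystem": "com.apple.opendirectoryd",
     "processImagePath": "/usr/libexec/opendirectoryd",
     "eventMessage": "Authentication failed for <private> with ODErrorCredentialsInvalid"},
    {"timestamp": "2020-01-03 15:45:10.000000-0500",
     "subsystem": "com.apple.opendirectoryd",
     "processImagePath": "/usr/libexec/opendirectoryd",
     "eventMessage": "Authentication failed for analyst with ODErrorCredentialsInvalid"},
    {"timestamp": "2020-01-03 15:45:30.000000-0500",
     "subsystem": "com.apple.opendirectoryd",
     "processImagePath": "/usr/libexec/opendirectoryd",
     "eventMessage": "Node registration completed"},
])


def build_log_command(predicate: str, interval_seconds: int = 300,
                      now: Optional[datetime] = None) -> List[str]:
    """Build the `log show` argv that covers the last `interval_seconds`.

    `--start` takes a local "YYYY-MM-DD HH:MM:SS" timestamp, so the window
    is computed here rather than relying on a relative `--last` value.
    """
    if interval_seconds <= 0:
        raise ValueError("polling interval must be a positive number of seconds")
    now = now or datetime.now()
    start = (now - timedelta(seconds=interval_seconds)).strftime("%Y-%m-%d %H:%M:%S")
    return ["log", "show", "--style", "json", "--start", start,
            "--predicate", predicate]


def parse_events(log_json: str, message_pattern: str = "") -> List[Dict[str, object]]:
    """Parse `log show --style json` output into triage records.

    Entries are optionally narrowed by a regex over the message text, and
    each record is flagged `redacted` when privacy mode replaced a value
    with <private>, so an analyst knows the username is not recoverable
    from that entry.
    """
    matcher = re.compile(message_pattern) if message_pattern else None
    records: List[Dict[str, object]] = []
    for entry in json.loads(log_json):
        message = str(entry.get("eventMessage", ""))
        if matcher and not matcher.search(message):
            continue
        records.append({
            "timestamp": entry.get("timestamp"),
            "subsystem": entry.get("subsystem"),
            "process": entry.get("processImagePath"),
            "message": message,
            "redacted": PRIVATE_MARKER in message,
        })
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count matches and how many of them are unusable because of redaction."""
    redacted = sum(1 for r in records if r["redacted"])
    return {"total": len(records), "redacted": redacted}


def poll_once(predicate: str, interval_seconds: int = 300,
              message_pattern: str = "") -> List[Dict[str, object]]:
    """Run one polling cycle on macOS; elsewhere fall back to the sample."""
    if platform.system() == "Darwin":
        result = subprocess.run(build_log_command(predicate, interval_seconds),
                                check=True, capture_output=True, text=True)
        output = result.stdout
    else:
        output = SAMPLE_LOG_JSON
    return parse_events(output, message_pattern)


if __name__ == "__main__":
    # Custom event "FailedAuth": opendirectoryd entries reporting a failed
    # authentication, checked over the default 300-second interval.
    hits = poll_once('subsystem == "com.apple.opendirectoryd"', 300,
                     r"Authentication failed")
    for hit in hits:
        state = "REDACTED" if hit["redacted"] else "ok"
        print(f"{hit['timestamp']} [{state}] {hit['message']}")
    print(summarize(hits))
```

Run it as-is on a Mac to see the last five minutes of opendirectoryd authentication failures; the `redacted` count in the summary is the quickest way to confirm that the Log Privacy switch has actually taken effect, since new entries should stop carrying `<private>` once it is off while older ones keep it.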