35. Apple macOS

NXLog can collect various types of system logs on the macOS platform. For deployment details, see the supported macOS platforms and macOS installation.

Apple System Log Files

The im_file and xm_asl modules can be used to collect and parse Apple System Log (*.asl) files.

Example 175. Reading and Parsing Apple System Logs

This example reads events from input.asl and parses them with the xm_asl parser.

nxlog.conf

<Extension asl_parser>
    Module  xm_asl
</Extension>

<Input in>
    Module      im_file
    # Example: "/var/log/asl/*"
    File        "foo/input.asl"
    InputType   asl_parser
    Exec        delete($EventReceivedTime);
</Input>

Basic Security Module (BSM) Auditing

The im_bsm module collects logs directly from the BSM auditing system.

Example 176. Collecting BSM Audit Logs From the Kernel

This configuration reads BSM audit logs directly from the kernel with the im_bsm module.

nxlog.conf

Group   wheel

<Input bsm>
    Module  im_bsm
    File    /dev/auditpipe
</Input>

Alternatively, BSM logs can be read from the log files.

Example 177. Reading BSM Audit Logs From File

This configuration reads from the BSM audit log files with im_file and parses the events with xm_bsm.

nxlog.conf

Group   wheel

<Extension bsm_parser>
    Module      xm_bsm
</Extension>

<Input bsm>
    Module      im_file
    File        '/var/audit/*'
    InputType   bsm_parser
</Input>

Custom Programs

The im_exec module allows log data to be collected from custom external programs.

Example 178. Using an External Command

This example uses the tail command to read from a file.

Note
The im_file module should be used to read log messages from files. This example only demonstrates the use of the im_exec module.
nxlog.conf

<Input systemlog>
    Module  im_exec
    Command /usr/bin/tail
    Arg     -f
    Arg     /var/log/system.log
</Input>

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity Monitoring.

Example 179. Monitoring File Integrity

This configuration watches for changes to files and directories under /bin and /usr/bin/.

nxlog.conf

<Input fim>
    Module          im_fim
    File            "/bin/*"
    File            "/usr/bin/*"
    ScanInterval    3600
    Recursive       TRUE
</Input>

Kernel

Logs from the kernel can be collected directly with the im_kernel module. This requires disabling syslogd. Alternatively, kernel logs can be collected via the local log file with im_file; see Local Syslog below.

Example 180. Collecting Kernel Logs Directly

This configuration uses the im_kernel module to read events directly from the kernel (via /dev/klog). This requires that syslogd be disabled as follows:

  1. Unload the daemon.

    $ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
  2. Rename plist to keep syslogd from starting again at the next reboot.

    $ sudo mv /System/Library/LaunchDaemons/com.apple.syslogd.plist \
      /System/Library/LaunchDaemons/com.apple.syslogd.plist.disabled

nxlog.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input kernel>
    Module  im_kernel
    Exec    parse_syslog_bsd();
</Input>

Newer versions of Apple macOS use the Unified Logging System (ULS), and with System Integrity Protection (SIP) enabled, syslogd cannot easily be disabled. In this setup the im_exec module can be used instead to collect the output of /usr/bin/log stream --style=json --type=log.

Example 181. Collecting ULS Kernel Logs from /usr/bin/log

This configuration uses the im_exec module to read events from the kernel (via /usr/bin/log) and parses the data with the xm_json module.

nxlog.conf

<Extension json>
    Module      xm_json
</Extension>

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^\[{|^},{/
</Extension>

<Input in>
    Module      im_exec
    Command     /usr/bin/log
    Arg         stream
    Arg         --style=json
    Arg         --type=log
    InputType   multiline
    <Exec>
        $raw_event =~ s/^\[{|^},{/{/;
        $raw_event =~ s/\}]$//;
        $raw_event = $raw_event + "\n}";
        parse_json();
    </Exec>
</Input>

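To show why the HeaderLine regex and the three <Exec> rewrites above turn the single JSON array printed by log stream --style=json into one parseable object per record, here is an added Python walkthrough (not NXLog code) that reproduces the same grouping and substitutions on a constructed sample stream; the sample's field names and values are assumed, not captured output.

```python
import json
import re

# Constructed sample of what `log stream --style=json` emits: one JSON
# array whose records start on lines beginning with "[{" (first record)
# or "},{" (the rest), closed with "}]". Field values are made up.
SAMPLE_STREAM = """[{
  "messageType" : "Default",
  "eventMessage" : "first record"
},{
  "messageType" : "Error",
  "eventMessage" : "second record"
},{
  "messageType" : "Default",
  "eventMessage" : "third record"
}]"""

# Same HeaderLine regex as the xm_multiline extension in the config.
HEADER = re.compile(r"^\[{|^},{")


def split_records(stream):
    """Group lines into raw events as xm_multiline does: a header line
    opens a new event and the following non-header lines are appended."""
    events, current = [], []
    for line in stream.splitlines():
        if HEADER.search(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def to_json_object(raw_event):
    """Apply the three rewrites from the <Exec> block, then parse."""
    raw_event = re.sub(r"^\[{|^},{", "{", raw_event)  # "[{" or "},{" -> "{"
    raw_event = re.sub(r"}]$", "", raw_event)         # strip "}]" on the last event
    raw_event = raw_event + "\n}"                     # close the object
    return json.loads(raw_event)


def parse_log_stream(stream):
    """Return one dict per log record, mirroring what parse_json() yields."""
    return [to_json_object(ev) for ev in split_records(stream)]
```

The middle record shows the common case (header "},{" with no array close), while the first and last records exercise the "[{" header and the trailing "}]" respectively.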
Local Syslog

Events written to file in Syslog format can be collected with im_file. The xm_syslog module can be used to parse the events. See the Syslog section for more information.

Example 182. Reading Syslog Messages From File

This configuration file collects system logs from /var/log/system.log. This method does not read from /dev/klog directly, so it is not necessary to disable syslogd.

nxlog.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    "/var/log/system.log"
    Exec    parse_syslog();
</Input>

Log Files

The im_file module can be used to collect events from log files.

Example 183. Reading From Log Files

This configuration uses the im_file module to read events from the specified log file.

nxlog.conf

<Input in>
    Module  im_file
    File    "/foo/in.log"
</Input>

Process Accounting

The im_acct module can be used to gather details about who runs what processes.

Example 184. Reading Process Accounting Logs

With this configuration, NXLog enables process accounting to the specified file and reads events from it.

nxlog.conf

Group   wheel

<Input acct>
    Module  im_acct
    File    '/var/log/acct'
    AcctOn  TRUE
</Input>