
Unified Log Filtering

Matt Taylor edited this page Dec 20, 2021 · 9 revisions

The Unified Logging system available in macOS 10.12 or later provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.

With Jamf Protect, you can use the same predicate-based filter criteria that are often used with the log command to collect relevant log entries from computers and send them to a security information and event management (SIEM) solution or a third-party storage solution (e.g., AWS).

Important Requirement: To collect unified log filter data with Jamf Protect, you must do one of the following:

  • Integrate Jamf Protect with a security information and event management (SIEM) solution.
  • Enable data forwarding to a third-party storage solution.

More information on this feature can be found here.

Unified Log Filters

Within this repository are many predicate filters that can be used to stream telemetry on a variety of events across macOS. Filters are available for macOS user, system and network activity, as well as from third-party applications including Jamf Connect and Jamf Pro.

Implementing Unified Log Filters in Jamf Protect from this repository

The process for implementing these filters in Jamf Protect is straightforward:

  1. Ensure you are able to meet one of the above two requirements for using this feature
  2. Copy the predicate from the Unified Log Filter object in this repository
  3. Create a new Filter object in Jamf Protect (Unified Logging > Add New Filter) and paste the predicate in the Filter field
  4. Add a name and tags as desired

Testing Unified Log Filters

Filtering the macOS Unified Log can produce verbose data, depending on the predicate used, so it is recommended to test each filter first to ensure it provides the data you're seeking. The easiest way to see the data a Unified Log Filter will return is to use its predicate with the log command in Terminal and then trigger the behaviour you're monitoring for on the same device.

For example, this is the predicate for the FailedSudoAccessPasswordAttempts Unified Log Filter in this repository:

process == "sudo" AND eventMessage CONTAINS[c] "TTY" AND eventMessage CONTAINS[c] "3 incorrect password attempts"

We can test the results of this predicate as follows:

  1. Open the Terminal app and use the log binary to filter the macOS Unified Log with this predicate by executing this command:

log stream --predicate 'process == "sudo" AND eventMessage CONTAINS[c] "TTY" AND eventMessage CONTAINS[c] "3 incorrect password attempts"'

  2. Open a second Terminal window (command + n key) and type this command:

sudo whoami

  3. When prompted, enter an incorrect password three times in Terminal

Afterwards, in the original Terminal window you should see output from your log command such as:

2021-09-27 XX:XX:XX.XXXXXX+XXXX 0xXXXXc Default 0x0 XXXXX 0 sudo: your-username : 3 incorrect password attempts ; TTY=ttys003 ; PWD=/Users/your-username ; USER=root ; COMMAND=/usr/bin/whoami

This information (and some additional data from Jamf Protect) is what you can expect to see in your SIEM or Data Forwarding service should you enable this same Unified Log Filter in Jamf Protect on your endpoints.

Enabling Private Data from the Unified Log

By default, the Unified Log redacts information deemed sensitive, generally anything that would identify a computer or user. In some cases, such as when the computer is a corporately owned and managed device, this information may be needed, and private data logging can be enabled through a configuration profile. See this Jamf blog for instructions on doing so.

Data from the Unified Log that has been redacted can be identified by the presence of <private> in the returned log entry. An example entry in the Unified Log for a password change where the data has been redacted would be:

Password changed for <private>

The same string returned on a device with private data logging enabled would be:

Password changed for your-username
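
The following is an added example, not part of the original page or the Jamf repository. It triages a saved capture from the test procedure above: how many entries the predicate matched, how many of them are redacted with <private>, and the fields of each failed sudo entry. The function names, the SAMPLE data and the process name "example-process" are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Jamf repository): triage a saved filter test capture.
# On a Mac, a capture could be saved by redirecting the page's command, e.g.
#   log stream --predicate '<predicate>' > capture.txt
# SAMPLE is constructed data modelled on the entries shown on this page; the
# timestamps, PIDs and the process name "example-process" are made up.
SAMPLE='Filtering the log data using "process == "sudo""
Timestamp                       Thread     Type        Activity             PID    TTL
2021-09-27 10:00:01.000000+0000 0x1c       Default     0x0                  501    0    sudo: your-username : 3 incorrect password attempts ; TTY=ttys003 ; PWD=/Users/your-username ; USER=root ; COMMAND=/usr/bin/whoami
2021-09-27 10:05:00.000000+0000 0x2d       Default     0x0                  77     0    example-process: Password changed for <private>'

# A real entry starts with a date; the banner and column header lines do not.
ENTRY='^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] '

# Number of entries the predicate matched (a proxy for how verbose the filter is).
count_entries() { awk -v re="$ENTRY" '$0 ~ re { n++ } END { print n + 0 }'; }

# Number of entries carrying redacted fields, i.e. containing <private>.
count_redacted() { awk -v re="$ENTRY" '$0 ~ re && /<private>/ { n++ } END { print n + 0 }'; }

# Split failed sudo entries into key=value fields for mapping in a SIEM.
sudo_failures() {
  awk '/sudo: .* incorrect password attempts/ {
    msg = substr($0, index($0, "sudo: ") + 6)   # drop the timestamp/thread/PID columns
    n = split(msg, part, " ; ")                 # "user : N attempts", TTY=, PWD=, USER=, COMMAND=
    split(part[1], head, " : ")                 # head[1] is the invoking user
    out = "user=" head[1]
    for (i = 2; i <= n; i++) out = out " " part[i]
    print out
  }'
}

# Print the counts followed by one line per failed sudo entry.
summarize() {
  echo "entries:  $(printf '%s\n' "$1" | count_entries)"
  echo "redacted: $(printf '%s\n' "$1" | count_redacted)"
  printf '%s\n' "$1" | sudo_failures
}

summarize "$SAMPLE"
```

A high entry count for a short test window suggests the predicate needs narrowing before it is enabled on endpoints, and a non-zero redacted count shows which filters depend on private data logging being enabled.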