macOS logging with NXLog Enterprise Edition
macOS has been, and continues to be, an important desktop operating system for creative roles across most organizations, from startups to multi-national corporations. Like Windows, it is supported by a common set of software vendors. Like Linux, it shares some common architectural design elements with early distributions of UNIX. While Linux and Windows may still dominate the enterprise server market, desktop logging plays an important role in security-conscious organizations. The main challenge that has prevented a more widespread adoption of macOS in such organizations is the lack of software solutions that can provide centralized collection of macOS security logs. Until now.
- OS X — Syslog-style logging
OS X 10.11 (El Capitan) was the last major release to use the legacy OS X logging facility comprised primarily of separate, mostly disconnected log sources that stored events as unstructured data.
- macOS — The Unified Logging System
In 2016, macOS 10.12 (Sierra) replaced the traditional UNIX-style logging system with the Unified Logging System (ULS). This new macOS logging facility was designed not only to unify all macOS system logs and application logs, but also to standardize logging across Apple's other operating systems.
One of the original goals of ULS was to introduce added security features, such as privacy for sensitive data that might be used for malicious purposes. The Mac Console app continued to be the default interface for viewing macOS system logs, but after the release of ULS, all sensitive data became redacted as <private> in the Console app. Another goal of the original ULS design was to provide efficient debugging for application developers.
With the release of macOS 10.14 (Mojave), Signposts and Instruments were added to ULS. These new logging features make performance tuning easier for application developers.
Features and benefits
NXLog Enterprise Edition is capable of collecting all types of logs from Apple OS X 10.11 (El Capitan) as well as any release of macOS running on any Mac hardware, including Macs equipped with Apple’s M1 Chip.
- Collect Apple System Log (ASL) logs
.asl files are easily captured and parsed using the xm_asl extension module. NXLog can also format them as structured data while forwarding them over the network for centralized logging or directly to a SIEM, all in a single step.
- Basic Security Mode (BSM) auditing
The im_bsm input module collects logs directly from the BSM auditing system which has achieved DoD C2 level certification and provides auditing (as opposed to mere logging) for certified environments where a full audit is a requirement. Because it reads directly from the kernel, this module can be used with OS X 10.11 (El Capitan) or any release of macOS.
- Capture macOS events directly from the ULS logging facility
The im_maculs module can natively collect ULS events on macOS, including Signpost events. In addition to parsing the ULS fields for further processing as structured data, it offers configurable options for caching, polling intervals, and a toggle for resuming from the last position read, so the module can either read all available logs or only the events not yet read.
- File Integrity Monitoring (FIM)
File Integrity Monitoring can be used to detect changes to files and directories. A file may be altered due to a security breach, an update to a newer version, or data corruption. File integrity monitoring helps your organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives. The im_fim module can be configured for monitoring any specified set of files.
- Collect kernel log messages
NXLog supports different ways of collecting macOS kernel logs. See Apple macOS kernel for details.
- Highly configurable log filtering capabilities
- Log enrichment capabilities
For ULS logs, this feature is unique to NXLog Enterprise Edition. Log enrichment allows you to create custom fields with any metadata needed by your organization, like software build numbers, organizational identifiers, physical location, etc. This is especially important when aggregating macOS logs from several Macs into a single input stream using centralized logging. Once enriched with the additional metadata, this aggregate event stream can be ingested by a SIEM and viewed in real time by your IT team or security analysts. In case of a security alert, these enhanced logs would contain the information needed to act quickly and efficiently.
Aggregate logs from Mac hosts into a single SIEM input stream
Each NXLog agent can receive and send events over various network protocols. You can also configure any NXLog agent to receive log records from multiple sources: local system and application logs as well as event records from one or more remote NXLog agents. With its highly configurable multiple input and output routing capabilities, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable:
- Single input being routed to multiple outputs
- Multiple inputs routed to a single output
- Multiple inputs routed to multiple outputs
- Each individual input paired with its own corresponding output
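The configuration sketch below is an added example, not taken from this page or from NXLog's own documentation; it combines the log enrichment described above with two of the routing patterns just listed (multiple inputs to multiple outputs, and one input paired with its own output). Module names come from this page, directive names follow NXLog's documented Apache-style configuration syntax, and the host names, ports, monitored path, filter pattern and metadata values are placeholders.

```nxlog
# Added example, not from the NXLog page. Two local inputs on one Mac are enriched
# with organization metadata, filtered, and routed to three outputs. Host names,
# ports, the monitored path, the filter pattern and metadata values are placeholders.
<Extension json>
    Module  xm_json
</Extension>
# Unified Logging System events, enriched with custom fields
<Input uls>
    Module  im_maculs
    <Exec>
        $Hostname = hostname();
        $OrgUnit = "creative-dept";      # placeholder organizational identifier
        $BuildNumber = "2023.11-42";     # placeholder software build number
        $Site = "hq-floor-3";            # placeholder physical location
        # Drop one high-volume, low-value pattern before it reaches any SIEM
        if $raw_event =~ /NOISY-PATTERN-PLACEHOLDER/ drop();
    </Exec>
</Input>
# File Integrity Monitoring of a directory that should rarely change
<Input fim>
    Module  im_fim
    File    "/usr/local/bin/*"           # placeholder path
    Exec    $Hostname = hostname(); $OrgUnit = "creative-dept";
</Input>
# Two SIEM destinations receiving JSON over TCP
# (use om_ssl instead of om_tcp where the link crosses an untrusted network)
<Output siem_a>
    Module  om_tcp
    Host    siem-a.example.internal      # placeholder
    Port    1514
    Exec    to_json();
</Output>
<Output siem_b>
    Module  om_tcp
    Host    siem-b.example.internal      # placeholder
    Port    1515
    Exec    to_json();
</Output>
<Output qa_file>
    Module  om_file
    File    "/var/log/nxlog/qa-feed.json"   # placeholder local feed for QA analytics
    Exec    to_json();
</Output>
# Multiple inputs routed to multiple outputs, plus one input paired with its own output
<Route to_siems>
    Path    uls, fim => siem_a, siem_b
</Route>
<Route fim_to_qa>
    Path    fim => qa_file
</Route>
```

Because the enrichment fields are set in each Input block, every event carries them regardless of which Route delivers it, so the SIEM receives the same metadata whether the event came from ULS or from the FIM module.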
This highly simplified diagram of centralized logging shows how Macs with NXLog agents installed can forward their ULS (or Apple) logs with custom logs from third-party apps through a centralized NXLog Enterprise Edition relay server to multiple destinations. In this example, three different SIEMs and an on-site, custom software development app (labeled Performance Tuning / QA Analytics) will receive specialized, processed data for further analysis. Mac logs are not limited to these endpoints. For more integration possibilities, see our complete list of integrations.
With the release of NXLog Enterprise Edition 5.3, it is now possible for the first time ever to gather ULS events from multiple Macs and forward them to a remote server for monitoring and analysis. As shown above, each output stream can be processed to meet the specific format and schema requirements of multiple SIEM vendors. Filtering out high volume, low quality events while retaining only high quality security events not only reduces SIEM costs, it further enhances the performance of the event analysis at the SIEM endpoints. Given these capabilities of the NXLog Enterprise Edition 5.3 for macOS, this statement regarding aggregate ULS logging will need to be updated:
Unified log entries can only be collected on the Mac or iOS device itself. There is no sensible way that you can gather filtered log entries from a couple of dozen or more Macs on a server for monitoring and analysis. That anyone should ever want to do so doesn’t appear to have registered with Apple yet.