macOS logging with NXLog Enterprise Edition
NXLog can filter, normalize, and aggregate logs from multiple Macs into a single SIEM input stream. It is by far the most configurable and versatile log collection solution for macOS.
Collecting all types of logs from Apple macOS
macOS has been, and continues to be, an important desktop operating system for creative roles across most organizations, from startups to multi-national corporations.
The main challenge that has prevented a more widespread adoption of macOS in such organizations is the lack of software solutions that can provide centralized collection of macOS security logs. Until now.
NXLog is able to capture logs directly from Apple’s Unified Logging System, can collect Endpoint Security logs natively and offers powerful log aggregation capabilities. This makes it the most capable solution to collect logs on devices running macOS.
Most competing offerings have limited support for macOS devices: they only support file-based logs or require you to send logs as syslog. NXLog Enterprise Edition, by contrast, gives you complete visibility over your macOS security logging with a native solution.
Features and benefits
NXLog Enterprise Edition is capable of collecting all types of logs from Apple OS X 10.11 (El Capitan) as well as any release of macOS running on any Mac hardware, including Macs equipped with Apple’s M1 chip.
Legacy (pre-ULS) .asl files are easily captured and parsed using the xm_asl extension module. NXLog can also format them as structured data while forwarding them over the network for centralized logging or directly to a SIEM, all in a single step.
The im_bsm input module collects logs directly from the BSM auditing system which has achieved DoD C2 level certification and provides auditing (as opposed to mere logging) for certified environments where a full audit is a requirement. Because it reads directly from the kernel, this module can be used with OS X 10.11 (El Capitan) or any release of macOS.
The im_maces input module collects logs from Apple’s Endpoint Security auditing system on macOS 10.15 and later. Endpoint Security is an audit subsystem for monitoring system events for potentially malicious activity.
The im_maculs module can natively collect ULS events on macOS, including Signpost events. In addition to parsing ULS fields into structured data for further processing, it offers configurable options for caching, the polling interval, and whether to resume from the last read position, so that it reads either all available logs or only those that are new since the last read.
File Integrity Monitoring can be used to detect changes to files and directories. A file may be altered due to a security breach, an update to a newer version, or data corruption. File integrity monitoring helps your organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives. The im_fim module can be configured for monitoring any specified set of files.
NXLog supports different ways of collecting macOS kernel logs. See Apple macOS kernel for details.
Log enrichment of ULS logs is a feature unique to NXLog Enterprise Edition. Log enrichment allows you to create custom fields with any metadata needed by your organization, such as software build numbers, organizational identifiers, or physical location. This is especially important when aggregating macOS logs from several Macs into a single input stream using centralized logging. Once enriched with the additional metadata, this aggregate event stream can be ingested by a SIEM and viewed in real time by your IT team or security analysts. In case of a security alert, these enhanced logs contain the information needed to act quickly and efficiently.
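The following agent-side configuration is an added example written for this page; it is not configuration taken from NXLog’s documentation or product. It shows the pattern the paragraphs above describe: im_maculs reads ULS events, an Exec block drops high-volume noise and stamps each record with organizational metadata, and the enriched events are forwarded as JSON over TLS to a central relay. The relay host name and port, the certificate path, the NXLog EE 5.x `host:port` form of the Host directive, the `ReadFromLast` directive, the chosen subsystem names, and the field name `$Subsystem` are all assumptions for illustration and should be checked against the im_maculs reference for the version in use.

```nxlog
# Added example configuration (not from the NXLog page or product docs).
# Runs on each Mac: collect ULS, filter, enrich, forward to a relay.

<Extension _json>
    Module  xm_json
</Extension>

<Input uls>
    Module  im_maculs
    # Assumed directive: resume from the last read position so that a
    # restart of the agent does not replay the entire log store.
    ReadFromLast  TRUE
    <Exec>
        # Filtering: keep only security-relevant subsystems and drop the
        # rest before it leaves the host. $Subsystem and the subsystem
        # names below are assumptions for illustration.
        if not ($Subsystem =~ /^com\.apple\.(securityd|opendirectoryd|sshd|sudo|TCC)/)
            drop();

        # Enrichment: custom fields carrying the metadata the SIEM needs
        # to attribute an alert to a site and owning team.
        $OrgUnit   = "creative-eng";   # constructed sample value
        $SiteCode  = "HQ-B2";          # constructed sample value
        $AgentRole = "mac-endpoint";   # constructed sample value
    </Exec>
</Input>

<Output relay>
    Module  om_ssl
    # Assumed relay address; NXLog EE 5.x accepts host:port in Host.
    Host    relay.example.internal:6514
    CAFile  /opt/nxlog/cert/ca.pem     # assumed path to the relay CA
    Exec    to_json();
</Output>

<Route uls_to_relay>
    Path    uls => relay
</Route>
```

Filtering in the input’s Exec block, before the output, is what keeps the dropped events from ever consuming network bandwidth or SIEM licence volume; the enrichment fields travel inside the JSON document, so the relay and SIEM receive them without any further mapping.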
Aggregate logs from Mac hosts into a single SIEM input stream
Each NXLog agent can receive and send events over various network protocols. You can also configure any NXLog agent to receive log records from multiple sources: local system and application logs as well as event records from one or more remote NXLog agents. With its highly configurable multiple input and output routing capabilities, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable:
- Single input being routed to multiple outputs
- Multiple inputs routed to a single output
- Multiple inputs routed to multiple outputs
- Each individual input paired with its own corresponding output
This highly simplified diagram of centralized logging shows how Macs with NXLog agents installed can forward their ULS (or Apple) logs with custom logs from third-party apps through a centralized NXLog Enterprise Edition relay server to multiple destinations.
In this example, three different SIEMs and an on-site, custom software development app (labeled Performance Tuning / QA Analytics) will receive specialized, processed data for further analysis. Mac logs are not limited to these endpoints. For more integration possibilities, see our complete list of integrations.
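The relay-side configuration below is an added example written for this page, not the diagram’s actual configuration or anything shipped with NXLog Enterprise Edition. It combines the routing patterns listed above: two inputs (JSON events from the Mac agents and a third-party application log file) are routed to multiple outputs, one of which receives a narrower, per-destination filtered stream for the analytics application. The listen address, certificate paths, the application log path, the SIEM host names, and the `$Subsystem` field name are assumptions; the `host:port` form of ListenAddr and Host assumes NXLog EE 5.x syntax.

```nxlog
# Added example configuration (not from the NXLog page or product docs).
# Runs on the central relay: receive from agents, fan out to destinations.

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Input 1: enriched JSON records sent by the Mac agents over TLS.
<Input from_macs>
    Module      im_ssl
    ListenAddr  0.0.0.0:6514                 # assumed listen address
    CertFile    /opt/nxlog/cert/relay.pem    # assumed paths
    KeyFile     /opt/nxlog/cert/relay.key
    CAFile      /opt/nxlog/cert/ca.pem
    RequireCert TRUE                         # only agents with a client cert
    Exec        parse_json();                # restore fields for routing
</Input>

# Input 2: a third-party application's own log files on the relay host.
<Input app_logs>
    Module  im_file
    File    "/var/log/creativeapp/*.log"     # assumed path
    Exec    $AppName = "creativeapp";        # enrichment for this source
</Input>

# Output A: one SIEM wants RFC 5424 syslog over TCP.
<Output siem_a>
    Module  om_tcp
    Host    siem-a.example.internal:1514     # assumed
    Exec    to_syslog_ietf();
</Output>

# Output B: another SIEM ingests newline-delimited JSON.
<Output siem_b>
    Module  om_tcp
    Host    siem-b.example.internal:5170     # assumed
    Exec    to_json();
</Output>

# Output C: the on-site analytics app only needs performance subsystems,
# so the per-destination filter lives in this output's Exec.
<Output qa_analytics>
    Module  om_file
    File    "/var/spool/qa-analytics/uls.json"   # assumed
    <Exec>
        if not ($Subsystem =~ /^com\.apple\.(coreanimation|metal|powerd)/)
            drop();
        to_json();
    </Exec>
</Output>

# One input to several outputs, and several inputs to one output.
<Route macs_fanout>
    Path    from_macs => siem_a, siem_b, qa_analytics
</Route>

<Route apps_to_siem_a>
    Path    app_logs => siem_a
</Route>
```

Putting the destination-specific filter inside `qa_analytics` rather than in the input means `siem_a` and `siem_b` still receive the full security stream while the analytics output sees only its slice; `RequireCert` on the listener is what stops an unauthenticated host on the network from injecting fabricated events into the SIEM feed.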
With the release of NXLog Enterprise Edition 5.3, it is now possible for the first time ever to gather ULS events from multiple Macs and forward them to a remote server for monitoring and analysis. As shown above, each output stream can be processed to meet the specific format and schema requirements of multiple SIEM vendors. Filtering out high-volume, low-quality events while retaining only high-quality security events not only reduces SIEM costs, it further improves the performance of event analysis at the SIEM endpoints. Given these capabilities of NXLog Enterprise Edition 5.3 for macOS, this statement regarding aggregate ULS logging will need to be updated:
"Unified log entries can only be collected on the Mac or iOS device itself. There is no sensible way that you can gather filtered log entries from a couple of dozen or more Macs on a server for monitoring and analysis. That anyone should ever want to do so doesn’t appear to have registered with Apple yet."