macOS logging with NXLog Enterprise Edition

Features and benefits

NXLog Enterprise Edition is capable of collecting all types of logs from Apple OS X 10.11 (El Capitan) as well as any release of macOS running on any Mac hardware, including Macs equipped with Apple’s M1 Chip.

_{Collect Apple System Log (ASL) logs}

Legacy (pre-ULS) .asl files are easily captured and parsed using the xm_asl extension module. NXLog can also format them as structured data while forwarding them over the network for centralized logging or directly to a SIEM, all in a single step.

_{Basic Security Mode (BSM) auditing}

The im_bsm input module collects logs directly from the BSM auditing system which has achieved DoD C2 level certification and provides auditing (as opposed to mere logging) for certified environments where a full audit is a requirement. Because it reads directly from the kernel, this module can be used with OS X 10.11 (El Capitan) or any release of macOS.

_{Collect macOS Endpoint Security logs}

The im_maces input module collects logs from Apple’s Endpoint Security auditing system on MacOS 10.15 and later. Endpoint Security is an audit subsystem for monitoring system events for potentially malicious activity.

_{Capture macOS events directly from the ULS logging facility}

The im_maculs module can natively collect ULS events on macOS, including Signpost events. In addition to parsing the ULS fields for further processing as structured data, it offers configurable options for caching, polling intervals, and toggling of last position read, for either reading all available logs or only the most recent unread logs respectively.

_{File Integrity Monitoring (FIM)}

File Integrity Monitoring can be used to detect changes to files and directories. A file may be altered due to a security breach, an update to a newer version, or data corruption. File integrity monitoring helps your organization respond quickly and effectively to unexpected changes to files and is therefore a standard requirement for many regulatory compliance objectives. The im_fim module can be configured for monitoring any specified set of files.

_{Collect kernel log messages}

NXLog supports different ways of collecting macOS kernel logs. See Apple macOS kernel for details.

_{Highly configurable log filtering capabilities}

Filtering is especially important with ULS events since macOS generates events from hundreds of different internal log sources which can result in a large number of events per second (EPS). The NXLog language is used for defining filters. Since it is very similar to JavaScript, your technical roles will be able to easily define filters from day one that precisely match the criteria of events deemed useful by your organization. With such powerful filtering and NXLog’s aggregate logging capabilities, worthless events are efficiently discarded while valuable, security-related events are collected from all hosts in your organization. Once NXLog’s filtering has culled and groomed the events worthy of further processing, NXLog can send them to your SIEM of choice for ingestion and analysis.

_{Log enrichment capabilities}

For ULS logs, this feature is unique to NXLog Enterprise Edition. Log enrichment allows you to create custom fields with any metadata needed by your organization, like software build numbers, organizational identifiers, physical location, etc. This is especially important when aggregating macOS logs from several Macs into a single input stream using centralized logging. Once enriched with the additional metadata, this aggregate event stream can be ingested by a SIEM and viewed in real time by your IT team or security analysts. In case of a security alert, these enhanced logs would contain the information needed to act quickly and efficiently.