How to figure out what event types to filter in im_maculs


#1 mthoma

I've been tasked to roll out nxlog on all of our Macs. I have it working in the sense that logs are being uploaded to our syslog server.

However I've been given a list from https://www.iansresearch.com/resources/all-blogs/post/security-blog/2021/04/29/best-practices-for-macos-logging-monitoring and told to implement it.

How the heck do I find out what event types to filter so that I can capture the list of logs that is on this webpage? And is this list even the right one to follow? It mentions using Consolation 3, but I have no idea how that's supposed to help me figure this out.

What is your go-to source for this type of info?

#2 Klevin (Nxlog ✓, account deactivated)

Hello Sir,

Regardless of the module and data you are using, I would suggest the following steps to try to troubleshoot:

1. Add this to the module you want to troubleshoot:

   Exec log_info("The Raw Event is " + $raw_event);

2. Stop the NXLog service.

3. Run the NXLog service from a terminal in foreground mode; this way you will see what data is passed and you can work on it:

   /opt/nxlog/bin/nxlog -f

Sincerely Klevin
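The troubleshooting step above, written out as a complete nxlog.conf fragment for the im_maculs input. This is an added example and not configuration from the original post or from NXLog's documentation: the input name "maculs", the output host/port, and the regex of process names to keep are assumed placeholders, and the Exec block only uses generic NXLog language features (log_info(), $raw_event, the !~ operator and drop()), not any im_maculs-specific directive.

```apacheconf
# Added example (not from the original post). Assumed names: "maculs", "syslog",
# the collector address, and the process-name regex.

<Input maculs>
    Module      im_maculs

    <Exec>
        # Step 1 from the answer: print every raw event to the NXLog log.
        # When running "/opt/nxlog/bin/nxlog -f" in the foreground, this shows
        # exactly what the module produces, so you can see which fields and
        # process names to filter on.
        log_info("The Raw Event is " + $raw_event);

        # Once you know what the events look like, keep only the ones you want.
        # The regex below is an ASSUMED placeholder list of process names; replace
        # it with the patterns you observed in the foreground output. Remove this
        # line entirely while you are still discovering event types.
        if $raw_event !~ /sudo|loginwindow|sshd|tccd/ drop();
    </Exec>
</Input>

<Output syslog>
    Module      om_tcp
    Host        syslog.example.internal    # assumed placeholder collector
    Port        514                        # assumed placeholder port
</Output>

<Route maculs_to_syslog>
    Path        maculs => syslog
</Route>
```

Run the foreground command from the answer after saving this file; once the raw events you see confirm the right process names, tighten the regex and remove the log_info() line so the NXLog log is not flooded in production.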