I've been tasked to roll out nxlog on all of our Macs. I have it working in the sense that logs are being uploaded to our syslog server.

However I've been given a list from https://www.iansresearch.com/resources/all-blogs/post/security-blog/2021/04/29/best-practices-for-macos-logging-monitoring and told to implement it.

How the heck do I find out what event types to filter so that I can capture the list of logs that is on this webpage? And is this list even the right one to follow? It mentions using Consolation 3, but I have no idea how that's supposed to help me figure this out.

What is your go-to source for this type of info?

Asked November 18, 2021 - 6:21pm

Answer (1)

Hello Sir,

Regardless of the module and data you are using, I would suggest the following steps to troubleshoot:

1. Add this to the module you want to troubleshoot:

   Exec log_info("The Raw Event is " + $raw_event);

2. Stop the NXLog service.

3. Run NXLog from the terminal in foreground mode; this way you will see what data is passed and you can work on it:

   /opt/nxlog/bin/nxlog -f

Sincerely, Klevin
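Once NXLog is running in the foreground with that log_info line, the terminal fills up quickly. The following added helper (my own example, not NXLog's or the answer's code) pulls the echoed $raw_event payloads out of that foreground output and tallies them by process and subsystem, so you can see which sources are actually arriving before deciding what to filter. The sample output and the syslog-style shape of the payload (process[pid]: (subsystem) message) are constructed assumptions; adjust PAYLOAD_RE to whatever your input module really emits.

```python
import re
from collections import Counter

# Constructed sample of NXLog foreground output after adding
# `Exec log_info("The Raw Event is " + $raw_event);` to the input module.
# The payload format (syslog-style macOS log lines) is an assumption.
SAMPLE_FOREGROUND_OUTPUT = """\
2021-11-18 18:21:05 INFO The Raw Event is 2021-11-18 18:21:05.101 localhost loginwindow[135]: (com.apple.loginwindow) Login Window Application Started
2021-11-18 18:21:06 INFO The Raw Event is 2021-11-18 18:21:06.244 localhost sudo[4021]: (com.apple.sudo) admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/id
2021-11-18 18:21:07 INFO The Raw Event is 2021-11-18 18:21:07.512 localhost kernel[0]: (Sandbox) Sandbox: mdworker deny file-read-data
2021-11-18 18:21:08 INFO The Raw Event is 2021-11-18 18:21:08.003 localhost sudo[4023]: (com.apple.sudo) admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/bin/ls
2021-11-18 18:21:09 INFO connecting to 10.0.0.5:514
"""

# Matches the line log_info() prints; everything after the marker is $raw_event.
RAW_EVENT_RE = re.compile(r"\bINFO\b.*?The Raw Event is (?P<raw>.*)$")
# Assumed payload shape: "process[pid]:" followed by an optional "(subsystem)".
PAYLOAD_RE = re.compile(r"\s(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s*(?:\((?P<subsys>[^)]*)\))?")


def extract_raw_events(text):
    """Return the $raw_event payloads NXLog echoed, skipping its own status lines."""
    events = []
    for line in text.splitlines():
        m = RAW_EVENT_RE.search(line)
        if m:
            events.append(m.group("raw"))
    return events


def tally_sources(raw_events):
    """Count events per (process, subsystem) so you can see what is really arriving."""
    counts = Counter()
    for raw in raw_events:
        m = PAYLOAD_RE.search(raw)
        if not m:
            counts[("<unparsed>", "")] += 1  # keep a count of lines the regex missed
            continue
        counts[(m.group("proc"), m.group("subsys") or "")] += 1
    return counts


if __name__ == "__main__":
    tally = tally_sources(extract_raw_events(SAMPLE_FOREGROUND_OUTPUT))
    for (proc, subsys), n in tally.most_common():
        print(f"{n:5d}  {proc:<15} {subsys}")
```

In practice, pipe the foreground run into a file (`/opt/nxlog/bin/nxlog -f 2>&1 | tee nxlog-fg.log`) and feed that file to extract_raw_events instead of the constructed sample.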
