Overview
Blumira integrates with Mac OS to provide automated threat detection and actionable response. The Mac OS Console app (Finder > Applications > Utilities > Console) is the standard interface for viewing all events the operating system records. It is simple and functional, but not very friendly for browsing entries and finding useful information. Also, Mac OS forwards all syslog data as a single source; it does not separate data by log file.
Note: Blumira can only ingest logs found by syslogd. Due to a limitation in macOS, Apple System/Unified Logs are currently not supported by this integration.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Obtain the IP address of your Blumira sensor to use when configuring the external service.
To gather the IP address of the sensor:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring the Mac OS Syslogd
- On the Mac device, open a Terminal window (Applications > Utilities > Terminal).
- Make a backup copy of the syslog configuration file (syslogd.conf) into the /tmp folder:
$ cp /etc/syslog.conf /tmp/syslog.conf.bkp
- Open the configuration file in your favorite editor:
$ sudo nano /etc/syslog.conf
Password:
- Use the 'sudo' command to run nano with 'root' privileges; otherwise you will not be able to edit the file. Enter the password of the administrator account you are currently logged in as to continue.
- Insert the following line anywhere in your syslogd.conf file, replacing the IP address "192.168.1.10" with the IP address of your Blumira sensor:
*.* @192.168.1.10
Important: The selector and action fields (see below) are separated by tabs. Do not use spaces.
- The syslogd.conf file consists of lines with two fields:
- The selector field specifies the types of messages and priorities to which the line applies.
- The action field specifies the action to be taken if a message syslogd receives matches the selection criteria.
- Selectors are encoded as Facility.Level. The line above tells the Mac OS syslog daemon to forward a copy of all (*.*) events to the syslog server listening on the IP address 192.168.1.10. If you do not want to send all events, you can filter them by setting a different level; for instance, you can replace "*.*" with "*.notice". See the syslogd.conf and syslog manual pages for all the options.
- Press CTRL+X and save the file by typing Y.
- Verify that the syslogd service is running by typing:
$ ps -e | grep syslogd
 5070 ??         2:33.75 /usr/sbin/syslogd
- Restart the syslogd service using the following commands. Enter your password one more time if necessary.
$ launchctl stop com.apple.syslogd
$ launchctl stop com.apple.aslmanager
$ launchctl start com.apple.aslmanager
$ launchctl start com.apple.syslogd
- (Optional) Verify that the service was successfully shut down and restarted by typing the same command again. The counter should have been reset and the PID (5070 in the example above) should be a different one.
$ ps -e | grep syslogd
18597 ??         0:00.01 /usr/sbin/syslogd
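The backup, edit and tab check from the steps above, as an added POSIX shell example that is not part of Blumira's documentation: it appends the forwarding rule with a literal tab, skips it if already present, and flags any forwarding rule that uses spaces instead of a tab. It assumes the config path and sensor IP are passed as arguments and that BACKUP_DIR (default /tmp) is writable.

```shell
#!/bin/sh
# Added example (not Blumira's script). Usage:
#   sudo sh forward.sh /etc/syslog.conf 192.168.1.10   (sensor IP is a placeholder)
BACKUP_DIR="${BACKUP_DIR:-/tmp}"

# Append "<selector><TAB>@<host>" to $1 unless that exact rule already exists.
# A backup copy is written to $BACKUP_DIR first, as in the manual procedure.
add_forward_rule() {
    conf="$1"; selector="$2"; host="$3"
    tab="$(printf '\t')"
    cp "$conf" "$BACKUP_DIR/$(basename "$conf").bkp" || return 1
    # -F: fixed string, -x: whole line, so '*' and '.' are not treated as regex.
    if grep -qFx -- "${selector}${tab}@${host}" "$conf"; then
        return 0  # already configured, nothing to do
    fi
    printf '%s\t@%s\n' "$selector" "$host" >> "$conf"
}

# Return 1 (and list the offending lines) if any non-comment forwarding rule
# has a space before the '@' action, i.e. it violates the tab requirement.
check_tab_separated() {
    conf="$1"
    bad="$(grep -n '^[^#].* .*@' "$conf" || true)"
    if [ -n "$bad" ]; then
        printf 'space-separated forwarding rule(s) in %s:\n%s\n' "$conf" "$bad" >&2
        return 1
    fi
    return 0
}

if [ "$#" -eq 2 ]; then
    add_forward_rule "$1" '*.*' "$2" && check_tab_separated "$1"
fi
```

After running it, restart syslogd as shown above; the tab check only inspects the file and does not confirm that the sensor is receiving events.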