
Where are the authentication logs (failed, successful logins) and how do you send them to a remote syslog server on the latest version of macOS?

It appears I'm part of the 0.1% of people who want to send their security-related macOS logs to a SIEM, and coupling the rarity of the task with the constantly changing syslog features, it seems insurmountable to find accurate information on this.

  • See also: https://apple.stackexchange.com/questions/366791/how-to-get-log-daemon-syslog-messages-available-via-asl and https://superuser.com/questions/1565891/how-to-get-ssh-logs-and-send-to-remote-syslog-server-in-macos – dcom-launch Feb 08 '22 at 21:24

1 Answer


In the very beginning, Mac OS X used classic syslog for logging. That changed with Mac OS X 10.4 Tiger in 2005 with the introduction of Apple System Log. Finally with macOS 10.12 Sierra in 2016 ASL was superseded by Unified Logging. I'm assuming the "constantly changing syslog features" you mention are those 2 changes over 22 years.

You can view authentication logs in a streaming fashion like this:

log stream -predicate 'category=="auth"'

or specifically such as:

log stream -predicate 'process=="opendirectoryd"'

(Note that your definition of authentication logs might differ, so be sure to change the filter to your liking)

The next part is sending that information to the SIEM. Most SIEM systems have log collectors for various systems. Maybe yours has one for ASL?

If your SIEM only supports syslog, you can use a tool such as remote_syslog2 to take the output from the log command above and forward it over the syslog protocol.

You can change the log command slightly to get a more "syslog friendly" look:

log stream --style syslog -predicate 'category=="auth"'
jksoegaard
  • localhost sshd[403]: error: PAM: authentication error for test from 192.168.122.1 – I need these to show up in system.log. Right now it only shows: Feb 8 11:55:37 tests-iMac-Pro sshd: test [priv][360]: DEAD_PROCESS: 362 ttys001 – dcom-launch Feb 08 '22 at 19:57
  • Why do you need it in system.log specifically? That seems to be a completely different question? – jksoegaard Feb 08 '22 at 19:59
  • Can you send me any recent documentation that explains this magical ASL which seems to respect none of the configuration options I supply it? I've searched for hours upon hours and, as someone who's been using Linux every day for over 5 years and working in a security job, with a CS degree, I find this to be unbelievably confusing and am astounded at the amount of time I've spent researching, finding only old, inaccurate information, when this can be accomplished in 5 minutes on any other OS I've used. – dcom-launch Feb 08 '22 at 20:28
  • No one said ASL was magical. It is hard to give you documentation for the configuration options you have tried, when you do not say what they are. You can find documentation in general on asl by using "man" - just like on Linux. For example try "man asl", "man asl.conf", "man syslogd", "man aslmanager", etc. You can also look at: [ https://developer.apple.com/documentation/os/logging?language=objc ] Perhaps my advantage here is that I have been a Linux user for more than 25 years (with a CS degree as well) - and thus I have become accustomed to looking at man pages. – jksoegaard Feb 08 '22 at 21:47
  • In order to capture the specific log message you have now indicated that you're looking for, use a log command like this: log stream -style syslog -predicate 'process == "sshd" and eventMessage contains "error: PAM: authentication error"' – jksoegaard Feb 08 '22 at 21:52
  • So theres no built in way to send logs to an external service like the other major operating systems of 2022? And has been built into them for decades? Without installing some third party software of course – dcom-launch Feb 14 '22 at 18:37
  • @dcom-launch You do realise that I do not build or sell macOS - that I'm merely trying to give you advice on a volunteer basis? You seem to be very frustrated that you cannot figure out how to make this relatively simple setup - don't take it out on those trying to help you. Addressing your question - sure there is a built-in way to send logs to an external service. It has been there for decades. No third party software needed. By the way - many Linux systems have been using rsyslog for that purpose for many years. It's built by Rainer Gerhards - not included in Linux itself, nor created by ... – jksoegaard Feb 14 '22 at 21:04
  • ... one of the big distributions. It is in some sense even more so a third party software than the stuff that comes with macOS. You should note that nowhere in your question you asked for the solution to be without the use of third party software. – jksoegaard Feb 14 '22 at 21:04
  • Thanks for your help, I appreciate the time. – dcom-launch Feb 25 '22 at 15:12
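The pipeline the answer and its comments describe (stream matching events from the unified log with `log stream --style syslog`, then push them to a syslog collector), written out as an added example. This is not code from the answer, from Apple, or from remote_syslog2; it is a stand-alone forwarder that spawns the `log` command with the predicate given in the comments, parses each event line, renders it as an RFC 5424 message and sends it over UDP, and also keeps a local tally of sshd PAM failures per user and source address. Assumptions, all hypothetical: the line layout `timestamp  host process[pid]: message` that `--style syslog` is taken to print, the collector address in SIEM_HOST/SIEM_PORT, and the sample lines, which are constructed from the messages quoted in the comments rather than captured from a real machine.

```python
#!/usr/bin/env python3
"""Forward macOS unified-log authentication events to a remote syslog collector.

Added example (not from the original answer). Assumptions, all hypothetical:
  * `log stream --style syslog --predicate ...` prints one event per line as
    `YYYY-MM-DD HH:MM:SS.ffffff-ZZZZ  host process[pid]: message`
  * the SIEM accepts RFC 5424 syslog over UDP at SIEM_HOST:SIEM_PORT
"""
import re
import socket
import subprocess
import sys
from collections import Counter
from datetime import datetime

SIEM_HOST = "192.0.2.10"   # hypothetical collector address (TEST-NET-1 range)
SIEM_PORT = 514

# Predicate from the thread: sshd PAM failures plus anything in the "auth" category.
PREDICATE = ('(process == "sshd" and eventMessage contains "error: PAM: authentication error")'
             ' or category == "auth"')

# Assumed layout of `log --style syslog` lines; anything that does not match
# (for example the 'Filtering the log data using ...' banner) is dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<proc>.+?)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
PAM_FAIL_RE = re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)")

FACILITY_AUTHPRIV = 10      # RFC 5424 facility 10 = security/authorization messages
SEV_ERR, SEV_NOTICE = 3, 5


def parse_line(line):
    """Return a dict (when, host, proc, pid, msg) or None for non-event lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev.pop("ts"), "%Y-%m-%d %H:%M:%S.%f%z")
    ev["pid"] = int(ev["pid"])
    ev["proc"] = ev["proc"].strip()   # e.g. "sshd: test [priv]" on session lines
    return ev


def to_rfc5424(ev):
    """Render an event as RFC 5424: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID SD MSG."""
    pri = FACILITY_AUTHPRIV * 8 + (SEV_ERR if ev["msg"].startswith("error") else SEV_NOTICE)
    app = re.split(r"[\s:]+", ev["proc"])[0] or "-"   # APP-NAME must not contain spaces
    msgid = "PAMFAIL" if PAM_FAIL_RE.search(ev["msg"]) else "-"
    return f"<{pri}>1 {ev['when'].isoformat()} {ev['host']} {app} {ev['pid']} {msgid} - {ev['msg']}"


def forward(lines, send, threshold=3):
    """Parse each line, hand the RFC 5424 bytes to send(), and tally PAM failures.

    Returns a Counter keyed by (user, source address). A local alert is printed
    when a key reaches `threshold`, so the host notices a password spray even
    if the path to the SIEM is down.
    """
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        send(to_rfc5424(ev).encode("utf-8"))
        m = PAM_FAIL_RE.search(ev["msg"])
        if m:
            key = (m["user"], m["src"])
            failures[key] += 1
            if failures[key] == threshold:
                print(f"ALERT: {threshold} failed logins for {key[0]} from {key[1]}", file=sys.stderr)
    return failures


# Constructed sample output (not captured from a real machine), shaped like the
# messages quoted in the comments: one banner, two PAM failures, one session line.
SAMPLE_LINES = [
    'Filtering the log data using "process == "sshd""',
    "2022-02-08 11:55:37.123456-0800  localhost sshd[403]: error: PAM: authentication error for test from 192.168.122.1",
    "2022-02-08 11:55:37.200000-0800  tests-iMac-Pro sshd: test [priv][360]: DEAD_PROCESS: 362 ttys001",
    "2022-02-08 11:55:40.000000-0800  localhost sshd[405]: error: PAM: authentication error for test from 192.168.122.1",
]


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        # Offline run over the constructed lines; "sends" by printing to stdout.
        failures = forward(SAMPLE_LINES, lambda b: print(b.decode()), threshold=2)
        print(dict(failures), file=sys.stderr)
        return
    # Live run on a Mac: spawn `log stream` and ship every matching event over UDP.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    proc = subprocess.Popen(
        ["log", "stream", "--style", "syslog", "--predicate", PREDICATE],
        stdout=subprocess.PIPE, text=True, bufsize=1,
    )
    try:
        forward(proc.stdout, lambda b: sock.sendto(b, (SIEM_HOST, SIEM_PORT)))
    except KeyboardInterrupt:
        proc.terminate()


if __name__ == "__main__":
    main()
```

Run it with `--demo` on any machine to see the three rendered messages and the failure tally; without arguments it needs a Mac with the `log` command and the collector reachable. Two caveats a practitioner should keep in mind: plain UDP syslog is unauthenticated and unencrypted, so for anything beyond a lab the `send` callable should write to a TLS-protected TCP connection to the collector instead; and the unified log redacts dynamic string arguments as `<private>` unless private data logging has been enabled, so fields such as the user name may not be present in the streamed message on a default install.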