Configuring syslog on your Apple Mac OS X

Configure syslog on systems that run Apple Mac OS X by using a log stream script to send the Mac system logs to QRadar®.

Procedure

  1. To implement the 7.3-QRADAR-QRSCRIPT-logStream-1.0 fix, download the following files from IBM Fix Central. (https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3-QRADAR-QRSCRIPT-logStream-1.0&includeRequisites=1&includeSupersedes=0&downloadMethod=http)
    • logStream.pl.tar.gz (2.88 KB)
    • 7.3-QRADAR-QRSCRIPT-logStream.sha256 (41 bytes)
  2. From the terminal, go to the folder into which you extracted the logStream.pl file.
  3. To make the logStream.pl file an executable file, type the following command:
    chmod +x logStream.pl
  4. Create an executable shell script with an .sh extension with the following naming convention:

    <FILE_NAME>.sh

  5. Add the following command to the file that you created:
    #!/bin/sh
    /Users/<PathToPerlScript>/logStream.pl -<Parameters1> <Value1> -<Parameters2> <Value2>

    The path is an absolute path that usually starts from /Users/....

    You can use the following parameters for logStream.pl:

    Table 1. logStream.pl parameters
    Parameter   Description
    -H          The host name or IP address to send the logs to.
    -p          The port on the remote host where a syslog receiver is listening. If this parameter is not specified, the logStream.pl script uses TCP port 514 by default for sending events to QRadar.
    -O          Overrides the automatic host name that is taken from the OS's /bin/hostname command.
    -s          The syslog header time-stamp format. The default is 5424 (RFC 5424 time stamp); specify 3339 instead to output the time stamp in RFC 3339 format.
    -u          Forces logStream to send events by using UDP.
    -v          Displays the version information for logStream.
    -x          An exclusion filter in grep extended regular expression (ERE) format. For example: parentalcontrolsd|com.apple.Webkit.WebContent

    Example:
    #!/bin/sh
    /Users/……/logStream.pl -H 172.16.70.135
  6. Save your changes.
  7. From the terminal, go to the folder that contains the shell file that you created.
  8. To make the shell script file executable, type the following command:
    chmod +x <FILE_NAME>.sh
  9. In the terminal, create a file with a .plist file extension as in the following example:

    <fileName>.plist

  10. Add the following XML command to the file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
       <dict>
          <key>Label</key>
          <string>com.logSource.app</string>
          <key>Program</key>
          <string>/Users/…[Path_to_Shell_Script_Created_In_Step2]/[FILE_NAME].sh</string>
          <key>RunAtLoad</key>
          <true />
       </dict>
    </plist>

    The XML holds its data as key-value pairs. The following table lists them:

    Table 2. Key-value pairs
    Key         Value
    Label       com.logSource.app
    Program     /Users/…[Path_To_Shell_Script_Created_In_Step2]…/[FILE_NAME].sh
    RunAtLoad   True
    Note:
    The value of the Label key must be unique for each .plist file. For example, if you use the Label value com.logSource.app for one .plist file, you can't use the same value for another .plist file.

    The Program key holds the absolute path of the shell script that you want to run; the path usually starts from /Users/....

    The RunAtLoad key, when set to true, makes launchd start your shell script automatically when the .plist is loaded (for example, at system startup).

  11. Save your changes.
  12. To make the .plist file an executable file, type the following command:
    chmod +x <FILE_NAME>.plist
  13. Copy the file to /Library/LaunchDaemons/ by using the following command:
    sudo cp <Path_To_Your_plist_file> /Library/LaunchDaemons/
  14. Restart your Mac system.
  15. Log in to QRadar, and then from the Log Activity tab, verify that events are arriving from the Apple Mac system. If events are arriving as Sim Generic, you must manually configure a log source for the Apple Mac system.
    Example: Consider the following event:
    <13>1 2020-06-25T16:06:55.198987-0300 AAAA-MacBook-Pro.local trustd[130]: [com.apple.securityd.policy] cert[2]: AnchorTrusted =(leaf)[force]> 0
    The log source parameter values for that event are:
    Table 3. Log source parameters
    Parameter               Value
    Log Source Type         Apple Mac OS X
    Protocol Configuration  Syslog
    Log Source Identifier   AAAA-MacBook-Pro.local
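To see why the Log Source Identifier for this event is AAAA-MacBook-Pro.local, and how an -x exclusion pattern such as the one in Table 1 changes what reaches QRadar, here is an added Python example; it is not IBM's logStream.pl or QRadar code. It parses the header shape shown in the event above (an RFC 5424 PRI, version and time stamp, followed by a BSD-style app[pid]: tag), splits the PRI into facility and severity, and drops lines that match the exclusion pattern before they would be forwarded. The first sample line is the event quoted above; the other two are constructed. The assumption that -x is applied per line in the manner of grep -E -v is mine, not something the page states.

```python
"""Parse syslog events in the shape the Mac logStream wrapper emits and apply an
exclusion filter. Added example for this page; not IBM's logStream.pl or QRadar code."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# Header shape as shown on the page: <PRI>VERSION TIMESTAMP HOSTNAME APP[PID]: MSG
# (RFC 5424 PRI, version and time stamp, then a BSD-style "app[pid]:" tag).
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# RFC 5424 severity names, indexed by the severity value (PRI modulo 8).
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Exclusion filter in grep -E syntax, taken from the page's -x example.
EXCLUDE_PATTERN = r"parentalcontrolsd|com.apple.Webkit.WebContent"

# Constructed sample input: the first line is the event quoted on the page; the
# other two are invented in the same shape to exercise the exclusion filter.
SAMPLE_EVENTS = [
    "<13>1 2020-06-25T16:06:55.198987-0300 AAAA-MacBook-Pro.local trustd[130]: "
    "[com.apple.securityd.policy] cert[2]: AnchorTrusted =(leaf)[force]> 0",
    "<13>1 2020-06-25T16:07:01.000000-0300 AAAA-MacBook-Pro.local parentalcontrolsd[412]: "
    "constructed noise event",
    "<11>1 2020-06-25T16:07:02.000000-0300 AAAA-MacBook-Pro.local com.apple.Webkit.WebContent[9001]: "
    "constructed noise event",
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    version: int
    timestamp: datetime
    host: str
    app: str
    pid: int
    msg: str


def parse_event(line: str) -> Optional[SyslogEvent]:
    """Return the parsed event, or None if the line does not match the header shape."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # RFC 5424: PRI = facility*8 + severity, so 23*8 + 7 is the maximum
        return None
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        version=int(m.group("version")),
        # %z accepts the "-0300" offset used in the page's event; %f the microseconds
        timestamp=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z"),
        host=m.group("host"),
        app=m.group("app"),
        pid=int(m.group("pid")),
        msg=m.group("msg"),
    )


def log_source_identifier(event: SyslogEvent) -> str:
    """QRadar keys a Syslog-protocol log source on the HOSTNAME header field,
    which is the value that -O overrides on the sending side."""
    return event.host


def is_excluded(line: str, pattern: str) -> bool:
    """grep -E -v style: drop the whole line if the pattern matches anywhere in it.
    Assumption (not from the page): logStream.pl applies -x line-wise the same way."""
    return re.search(pattern, line) is not None


def filter_events(lines: Iterable[str], pattern: str) -> List[SyslogEvent]:
    """Apply the exclusion filter, then parse what remains; unparseable lines are skipped."""
    kept: List[SyslogEvent] = []
    for line in lines:
        if is_excluded(line, pattern):
            continue
        ev = parse_event(line)
        if ev is not None:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, EXCLUDE_PATTERN):
        print(f"{log_source_identifier(ev)} facility={ev.facility} "
              f"severity={SEVERITY_NAMES[ev.severity]} {ev.app}[{ev.pid}] {ev.msg}")
```

Running the block forwards only the trustd line: the two constructed lines match the exclusion pattern and never reach the parser. The PRI of 13 decodes to facility 1 (user) and severity 5 (notice), and the HOSTNAME field is the value to enter as the Log Source Identifier when you configure the log source by hand.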