Console
    Start free

    Collect macOS System Logs

    Supported in:

    This document explains how you can ingest macOS system logs to Google Security Operations using Bindplane. macOS uses the Apple Unified Logging system to capture system-level events including authentication, process execution, kernel activity, and application behavior. These logs can be forwarded via syslog to a remote collector for centralized security monitoring and analysis.

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance.
    • A Windows 2016 or later or Linux host with systemd.
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
    • Administrative access to the macOS endpoints that will forward logs.
    • macOS 10.12 (Sierra) or later with Unified Logging support.

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agent.
    3. Download the Ingestion Authentication File.
      • Save the file securely on the system where Bindplane will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open the Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    Additional installation resources

    For additional installation options, consult this installation guide .

    Configure the Bindplane agent to ingest Syslog and send to Google SecOps

    1. Access the Configuration File:

      • Locate the config.yaml file. Typically, it's in the /observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
      • Open the file using a text editor (for example, nano , vi , or Notepad).

    2. Edit the config.yaml file as follows:

        receivers 
 : 
  
 udplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds_file_path 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< PLACEHOLDER_CUSTOMER_ID 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 log_type 
 : 
  
 'MACOS' 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels
    • Replace the port and IP address as required in your infrastructure.
    • Replace <PLACEHOLDER_CUSTOMER_ID> with the actual Customer ID.
    • Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in the Get Google SecOps ingestion authentication filesection.

    Restart the Bindplane agent to apply the changes

    To restart the Bindplane agent in Linux:

    1. Run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

    2. Verify the service is running:

       sudo  
systemctl  
status  
observiq-otel-collector

    3. Check logs for errors:

       sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    To restart the Bindplane agent in Windows:

    1. Choose one of the following options:

      • Command Prompt or PowerShell as administrator:
       net stop observiq-otel-collector && net start observiq-otel-collector
      • Services console:
        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

    2. Verify the service is running:

       sc query observiq-otel-collector

    3. Check logs for errors:

        type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure macOS syslog forwarding

    macOS uses the Unified Logging system. To forward logs to the Bindplane agent via syslog, configure the built-in syslogd service on each macOS endpoint.

    Option 1: Configure syslog forwarding using syslog.conf

    1. Open Terminalon the macOS endpoint.

    2. Edit the syslog configuration file:

       sudo  
nano  
/etc/syslog.conf

    3. Add the following line at the end of the file to forward all logs via UDP to the Bindplane agent:

       *.*     @<BINDPLANE_IP_ADDRESS>:514
      • Replace <BINDPLANE_IP_ADDRESS> with the IP address of the Bindplane agent host (for example, 192.168.1.100 ).

    4. Save the file and exit.

    5. Restart the syslog daemon:

       sudo  
launchctl  
unload  
/System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo  
launchctl  
load  
/System/Library/LaunchDaemons/com.apple.syslogd.plist

    Option 2: Configure syslog forwarding using asl.conf

    1. Open Terminalon the macOS endpoint.

    2. Edit the ASL configuration file:

       sudo  
nano  
/etc/asl.conf

    3. Add the following line to forward logs to the remote syslog server:

       ? [= Sender kernel] forward <BINDPLANE_IP_ADDRESS>:514
? [<= Level notice] forward <BINDPLANE_IP_ADDRESS>:514
      • Replace <BINDPLANE_IP_ADDRESS> with the IP address of the Bindplane agent host.

    4. Save the file and exit.

    5. Restart the syslog daemon:

       sudo  
launchctl  
unload  
/System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo  
launchctl  
load  
/System/Library/LaunchDaemons/com.apple.syslogd.plist

    Verify log forwarding

    1. On the macOS endpoint, generate a test log message:

       logger  
-p  
user.notice  
 "Test syslog message for Bindplane"

    2. On the Bindplane agent host, check the agent logs for incoming messages:

       sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    UDM mapping table

    Log Field UDM Mapping Logic
    activityIdentifier_label
    		additional.fields Merged
    backtrace_label
    		additional.fields Merged
    bootUUID_label
    		additional.fields Merged
    category_label
    		additional.fields Merged
    chronicle_log_type_label
    		additional.fields Merged
    formatString_label
    		additional.fields Merged
    log_type_label
    		additional.fields Merged
    machTimestamp_label
    		additional.fields Merged
    messageType_label
    		additional.fields Merged
    parentActivityIdentifier_label
    		additional.fields Merged
    processImageUUID_label
    		additional.fields Merged
    senderImageUUID_label
    		additional.fields Merged
    senderProgramCounter_label
    		additional.fields Merged
    subprocess_label
    		additional.fields Merged
    subsystem_label
    		additional.fields Merged
    threadID_label
    		additional.fields Merged
    traceID_label
    		additional.fields Merged
    intermediary_host
    		intermediary.hostname Directly mapped
    attributes.message
    		metadata.description Directly mapped
    description
    		metadata.description Directly mapped
    eventMessage
    		metadata.description Directly mapped
    timestamp
    		metadata.event_timestamp Parsed as ISO8601
    has_principal
    		metadata.event_type Mapped: true STATUS_UPDATE
    has_user
    		metadata.event_type Mapped: true USER_UNCATEGORIZED
    attributes.process
    		metadata.product_event_type Directly mapped
    eventType
    		metadata.product_event_type Directly mapped
    attributes.host
    		principal.asset.hostname Directly mapped
    hostname
    		principal.asset.hostname Directly mapped
    source
    		principal.asset.hostname Directly mapped
    senderImagePath
    		principal.file.full_path Directly mapped
    attributes.host
    		principal.hostname Directly mapped
    hostname
    		principal.hostname Directly mapped
    source
    		principal.hostname Directly mapped
    command_line
    		principal.process.command_line Directly mapped
    processImagePath
    		principal.process.file.full_path Directly mapped
    attributes.pid
    		principal.process.pid Directly mapped
    processID
    		principal.process.pid Directly mapped
    process_id
    		principal.process.pid Directly mapped
    userID
    		principal.user.userid Directly mapped
    N/A
    		 metadata.event_type Constant: USER_UNCATEGORIZED
    N/A
    		 metadata.product_name Constant: MacOS
    N/A
    		 metadata.vendor_name Constant: Apple
    N/A
    		 principal.platform Constant: MAC

    Change Log

    View the Change Log for this parser

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: