
macOS Integration for Elastic

Version 0.1.0
Subscription level: Basic
Developed by: Elastic
Minimum Kibana version(s): 9.0.0, 8.18.0
The macOS integration v0.1.0 is in beta

To use beta integrations, go to the Integrations page in Kibana, scroll down, and toggle on the Display beta integrations option.

The macOS integration for Elastic allows you to collect and analyze unified logs from macOS systems. This integration leverages macOS's unified logging system to provide comprehensive visibility into system activities, security events, and application behaviors on macOS endpoints.

macOS unified logging is Apple's centralized logging system that captures log messages from the kernel, system processes, and applications. This integration enables security teams to monitor macOS endpoints for suspicious activities, troubleshoot system issues, and maintain compliance with security policies.

The macOS integration is compatible with macOS systems that support unified logging (macOS 10.12 Sierra and later).

This integration uses the unifiedlogs input to collect log data from the macOS unified logging system. It can collect logs in real-time or from archived log files, with configurable filtering based on predicates, processes, and log levels.

This integration collects unified log messages from macOS systems using configurable predicates to filter specific event types, including:

  • Authentication logs: User login/logout events, authentication failures, and credential-related activities
    - 'process contains "sudo" OR composedMessage CONTAINS "sudo" OR process contains "su"'
    - 'process contains "loginwindow" and composedMessage CONTAINS "sessionDidLogin"'
    - 'process == "sshd"'

  • User & Account management: User account creation, modification, and deletion events
    - 'process == "sysadminctl" AND composedMessage CONTAINS "Creating user"'
    - 'process == "dscl" AND composedMessage CONTAINS "create"'
    - 'process == "sysadminctl" AND composedMessage CONTAINS "Deleting user"'
    - 'process == "dscl" AND composedMessage CONTAINS "delete"'
    - '(process == "dscl" OR process == "opendirectoryd") AND composedMessage CONTAINS "admin"'

  • Process execution monitoring: Process creation, termination, and execution details
    - 'eventMessage CONTAINS[c] "exec" OR eventMessage CONTAINS[c] "fork" OR eventMessage CONTAINS[c] "exited" OR eventMessage CONTAINS[c] "terminated"'
    - 'subsystem == "com.apple.securityd" AND (composedMessage CONTAINS "code signing" OR composedMessage CONTAINS "not valid")'

  • Network activity: Network connections, DNS queries, and network-related events
    - 'composedMessage CONTAINS "connect" AND (composedMessage CONTAINS "TCP" OR composedMessage CONTAINS "UDP")'
    - 'composedMessage CONTAINS "disconnect" OR composedMessage CONTAINS "closed connection"'
    - 'subsystem == "com.apple.necp" AND composedMessage CONTAINS "new connection"'
    - 'eventMessage CONTAINS[c] "listening" AND eventMessage CONTAINS[c] "service"'

  • File reads/writes: File system access, modifications, and permission changes
    - '(eventMessage CONTAINS "open" OR eventMessage CONTAINS "write" OR eventMessage CONTAINS "unlink" OR eventMessage CONTAINS "rename") AND ((processImagePath BEGINSWITH "/System") OR (processImagePath BEGINSWITH "/bin") OR (processImagePath BEGINSWITH "/sbin") OR (processImagePath BEGINSWITH "/usr" AND NOT processImagePath BEGINSWITH "/usr/local") OR (processImagePath BEGINSWITH "/etc"))'
    - 'subsystem == "com.apple.quarantine" OR eventMessage CONTAINS "com.apple.quarantine"'

  • System changes: System configuration changes, software installations, and updates
    - 'subsystem == "com.apple.security" OR subsystem == "com.apple.systempolicy" OR subsystem == "com.apple.installer" OR process == "Installer" OR (process == "softwareupdated" AND subsystem != "com.apple.network") OR eventMessage CONTAINS[c] "removed package" OR eventMessage CONTAINS[c] "forget package"'

  • Advanced monitoring: Detailed system and application behavior logs
    - 'subsystem == "com.apple.xpc" OR subsystem == "com.apple.launchd"'
    - 'category == "performance" OR category == "diagnostics"'
    - 'messageType == 16 OR messageType == 17'
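The following is an added example, not code from the integration or its documentation: a small Python evaluator for the NSPredicate subset these predicates use, run over constructed records in the shape of `log show --style ndjson` output, so you can see which category a given log line would land in (and estimate volume) before enabling it. It assumes composedMessage is an alias of eventMessage and that a missing field only satisfies `!=`; the sample records and the `classify` helper are constructed for this example.

```python
import json, re
# Evaluator for the NSPredicate subset used by the predicates above (AND/OR/NOT, parentheses, ==, !=,
# CONTAINS, CONTAINS[c], BEGINSWITH) over records shaped like `log show --style ndjson` output; the
# sample records below are constructed, not real logs. Assumption: composedMessage aliases eventMessage.
def compare(rec, field, op, raw):
    val = raw[1:-1] if raw[0] in "'\"" else int(raw)          # quoted string or integer literal
    have = rec.get(field, rec.get("eventMessage") if field == "composedMessage" else None)
    if have is None: return op == "!="                         # missing field only satisfies !=
    if op in ("==", "!="): return (have == val) == (op == "==")
    if op in ("CONTAINS", "CONTAINS[C]"):                      # [c] = case-insensitive compare
        return str(val).lower() in str(have).lower() if op.endswith("]") else str(val) in str(have)
    if op == "BEGINSWITH": return str(have).startswith(str(val))
    raise ValueError("unsupported operator %r" % op)

def parse(src):  # recursive-descent parser over the predicate text; returns a closure rec -> bool
    toks = re.findall(r"""'[^']*'|"[^"]*"|[()]|[^\s()'"]+""", src)  # string tokens keep their quotes
    def atom():
        tok = toks.pop(0)
        if tok.upper() == "NOT": f = atom(); return lambda r: not f(r)
        if tok == "(":
            f = expr()
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return f
        op, raw = toks.pop(0).upper(), toks.pop(0)              # tok is the field name
        return lambda r: compare(r, tok, op, raw)
    def conj():
        fs = [atom()]
        while toks and toks[0].upper() == "AND": toks.pop(0); fs.append(atom())
        return lambda r: all(f(r) for f in fs)
    def expr():
        fs = [conj()]
        while toks and toks[0].upper() == "OR": toks.pop(0); fs.append(conj())
        return lambda r: any(f(r) for f in fs)
    f = expr()
    if toks: raise ValueError("unexpected token %r" % toks[0])
    return f

CATEGORIES = {  # one predicate per category from the list above (file predicate trimmed to two prefixes)
    "authentication": 'process contains "loginwindow" and composedMessage CONTAINS "sessionDidLogin"',
    "file_access": '(eventMessage CONTAINS "open" OR eventMessage CONTAINS "write") AND (processImagePath BEGINSWITH "/usr" AND NOT processImagePath BEGINSWITH "/usr/local")',
    "system_changes": 'process == "softwareupdated" AND subsystem != "com.apple.network"',
}
SAMPLE_NDJSON = """\
{"process":"loginwindow","subsystem":"com.apple.loginwindow","eventMessage":"sessionDidLogin for user alice","processImagePath":"/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"}
{"process":"myapp","subsystem":"","eventMessage":"write to /tmp/x","processImagePath":"/usr/local/bin/myapp"}
{"process":"softwareupdated","subsystem":"com.apple.network","eventMessage":"connection opened","processImagePath":"/usr/libexec/softwareupdated"}
{"process":"softwareupdated","subsystem":"com.apple.SoftwareUpdate","eventMessage":"install started","processImagePath":"/usr/libexec/softwareupdated"}
"""
def classify(ndjson_text, categories=CATEGORIES):  # count, per category, records its predicate collects
    records = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    return {name: sum(parse(src)(r) for r in records) for name, src in categories.items()}
```

Note that the `/usr/local/bin/myapp` write is excluded by the `NOT ... BEGINSWITH "/usr/local"` clause while the `softwareupdated` record with subsystem `com.apple.network` is excluded by `!=`, which is the kind of check worth doing before turning on a high-volume category.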

The macOS integration in Elastic enables comprehensive monitoring and analysis of system activities, network traffic, and application behavior across macOS devices. It supports use cases such as detecting security incidents, tracking network usage, auditing system events, and analyzing performance trends. By collecting and visualizing unified logs, it helps security and IT teams gain real-time visibility, identify anomalies, ensure compliance, and enhance overall endpoint security within macOS environments.

This integration also provides visibility into third-party enterprise applications that use unified logging as their logging backend, including privilege management tools, MDM agents, security software, and custom macOS applications, enabling centralized monitoring of the entire macOS application ecosystem.

To use this integration, you need:

  • Elastic Agent installed on the macOS system you want to monitor
  • Appropriate permissions to read system logs on the macOS system

The integration requires:

  • macOS 10.12 Sierra or later (for unified logging support)
  • Appropriate system permissions to access unified logs
  • For some log categories, administrative privileges may be required

This integration requires Elastic Agent to be installed on the macOS systems you want to monitor.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

If you already use Elastic Defend, this integration is still recommended for comprehensive visibility. Elastic Defend isn't designed to provide a complete capture of all system events, so supplementing it with the macOS unified logging integration is recommended. Specifically, Elastic Defend on macOS does not capture:

  • All user login/logout events
  • Every user account creation, deletion, or modification
  • Complete system service registration and changes
  • Application diagnostic logs

This integration fills those gaps, similar to how Windows users supplement Elastic Defend with the Custom Windows Event Logs integration.

To add the integration:

  1. In the top search bar in Kibana, search for Integrations.

  2. In the search bar, type macOS.

  3. Select the macOS integration from the search results.

  4. Select Add macOS to add the integration.

  5. Enable and configure only the collection methods that you will use.

    Basic Configuration:

    • Enable the log categories you want to collect:
      • Authentication
      • User & Account management
      • Process execution monitoring
      • Network activity
      • File reads/writes
      • System changes
      • Advanced monitoring

    Advanced Configuration (Optional):

    • Predicate: Use NSPredicate-based filtering to collect specific log messages
    • Process: Specify particular processes to monitor (by PID or name)
    • Start/End dates: Define time ranges for historical log collection
    • Log levels: Configure which log levels to include (info, debug, backtrace, signpost)
    • Archive/Trace files: Specify log archive or trace files to process
  6. Select Save and continue to save the integration.

To verify that data is being collected:

  1. In the top search bar in Kibana, search for Dashboards.
  2. In the search bar, type macOS.
  3. Select a dashboard for the dataset you are collecting, and verify the dashboard information is populated.

Performance considerations:

  • Unified log collection can generate significant data volume, especially with debug-level logging enabled
  • Consider using predicates to filter logs and reduce data volume
  • Monitor system performance impact when collecting high-volume log categories

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

This integration uses the unifiedlogs input.

This integration includes one or more Kibana dashboards that visualize the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.