Blumira integrates with Apple macOS to provide automated threat detection and actionable response.

Note: Only logs found by syslogd will be ingested by Blumira. Due to a limitation in macOS, Apple System/Unified Logs are currently not supported by this integration.

Integrate Mac OS X With Blumira’s Cloud SIEM

Mac OS X Console.app (Applications – Utilities – Console.app) is the standard interface for viewing all events registered by the operating system. It is simple and functional, but it is not well suited to displaying entries or finding useful information in them.

Also, Mac OS X forwards all syslog data as a single source; it does not separate the data by log file.

Before you begin

Determine the Blumira sensor you will use as a syslog server to collect log data. On the sensor detail screen, under Host Details, copy the IP address of your Blumira sensor to use in later steps.

Configuring the Mac OS X Syslogd

1. Open a Terminal window: Applications – Utilities – Terminal, or use Spotlight (shortcut: command+space > Terminal).

2. Make a backup copy of the syslog configuration file (syslog.conf) in the /tmp folder:

$ cp /etc/syslog.conf /tmp/syslog.conf.bkp

3. Open the configuration file in your favorite editor:

$ sudo nano /etc/syslog.conf

Use the ‘sudo’ command to execute nano with ‘root’ privileges; otherwise you won’t be able to edit the file. To continue, enter the password for the administrator account you are currently logged in as.

4. Insert the following line anywhere in your syslog.conf file, replacing <BLUMIRA_SENSOR_IP> with the IP address of your Blumira Sensor.

*.*	@<BLUMIRA_SENSOR_IP>

Important: The selector and action fields (see below) are separated by TABs. Do not use spaces.

The syslog.conf file consists of lines with two fields: the selector field, which specifies the types of messages and priorities to which the line applies, and the action field, which specifies the action to be taken if a message syslogd receives matches the selection criteria.

Selectors are encoded as Facility.Level. The line above tells the Mac OS X syslog daemon to forward a copy of all (*.*) events to the syslog server listening on the specified IP address. If you don’t want to send all events, you can filter them by setting a different level – for instance, you can replace the ‘*.*’ with ‘*.notice’. Check out the syslog.conf and the syslog manual pages for all the options.

5. Save and Exit: Press CTRL+X and save the file by typing ‘Y’.

6. Restart the ‘syslogd’ service. Before doing so, check whether it’s running by typing:

$ ps -e | grep syslogd
5070 ??         2:33.75 /usr/sbin/syslogd

The following commands restart the service. Enter your password one more time if necessary.

$ sudo launchctl stop com.apple.syslogd
$ sudo launchctl stop com.apple.aslmanager
$ sudo launchctl start com.apple.aslmanager
$ sudo launchctl start com.apple.syslogd

Check whether the service was really shut down and restarted by typing the same command again. The counter should have been reset and the PID (5070 in the example above) should be a different one.

$ ps -e | grep syslogd
18597 ??         0:00.01 /usr/sbin/syslogd
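
A quick check of the forwarding rule added in step 4, given here as an added example that is not part of the Blumira documentation: the shell function below (check_forward_rule, a hypothetical name) reports whether a syslog.conf file contains a rule that forwards to the sensor and whether its selector and action are separated by TABs only. The address 192.0.2.10 is a placeholder and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from Blumira. check_forward_rule is a hypothetical helper.
# Usage: check_forward_rule FILE SENSOR_IP
# Returns 0: a TAB-separated rule forwards to @SENSOR_IP
#         1: no rule forwards to @SENSOR_IP
#         2: a rule forwards to @SENSOR_IP but its fields are not TAB-separated
check_forward_rule() {
    awk -v target="@$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $NF != target { next }              # action is the last field on the line
        /^[^ \t]+\t+[^ \t]+[ \t]*$/ {       # selector, one or more TABs, action
            printf "line %d: ok, %s is forwarded to %s\n", NR, $1, target
            ok = 1
            next
        }
        {
            printf "line %d: fields are not separated by TABs only\n", NR
            bad = 1
        }
        END { if (ok) exit 0; if (bad) exit 2; exit 1 }
    ' "$1"
}

# Constructed sample input: the rule is separated by spaces, the mistake
# the note in step 4 warns about. 192.0.2.10 is a placeholder address.
sample=$(mktemp)
printf '%s\n' '# constructed sample syslog.conf' \
    '*.notice        @192.0.2.10' > "$sample"
check_forward_rule "$sample" 192.0.2.10 || echo "check returned $?"
rm -f "$sample"
```

On the Mac, call it as check_forward_rule /etc/syslog.conf followed by the IP address of your Blumira sensor.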