Has anyone had any luck collecting the following events in macOS Sierra 10.12? How did you do it? PLEASE. One tech has suggested syslog be configured to forward to a receiver, but I am unable to collect much of what my employer is expecting from our Macintosh machines running the Forwarder in 10.12. And I have seen an Apple Radar that supports my findings here:
Apple report
Number: rdar://30164382
Date Originated: 24.1.2017
With the new log subsystem introduced in 10.12 Sierra it is no longer possible to send log messages to a remote syslog server. In previous versions of macOS it was possible to configure syslog via the /etc/syslog.conf config file to send logs to remote servers. In 10.12 syslog is still in place but it's missing content, since it was moved to the new log subsystem.
Expected Results: Ability to configure the log system to send log messages to a remote syslog or syslog-ng server.
Actual Results: There is no way to configure logd to send messages to a remote syslog server.
Version: 10.12
**My Audit Need for macOS Sierra servers and clients**
We need to collect the following, and I am not having any luck with syslog. Any help would be greatly appreciated. I am thinking of scripted inputs now, but would REALLY appreciate seeing some examples for further guidance. I have spent way too much time on this, and some Splunk techs mention Splunk is not supported on macOS Sierra 10.12.
My employer is expecting me to collect these from my macOS Sierra 10.12 clients and servers:
| Policy | Security Setting |
|---|---|
| Audit account logon events | Success, Failure |
| Audit account management | Success, Failure |
| Audit directory service access | Failure |
| Audit logon events | Success, Failure |
| Audit object access | Failure |
| Audit policy change | Success |
| Audit privilege use | Failure |
| Audit process tracking | No Auditing |
| Audit system events | Success |
Please share with me how you collected this data
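As an added example (not code from the original post, from Splunk, or from Apple), here is the shape of a scripted input that wraps `log show` with a checkpoint, so each run of the script emits only events newer than the last run and a crash mid-run cannot lose or duplicate events. It assumes `log show --style json --start "YYYY-MM-DD HH:MM:SS" --predicate ...` is available (macOS 10.12 and later) and that its JSON records carry the keys `timestamp`, `eventMessage`, `processImagePath`, `processID`, `subsystem`, `category` and `messageType`; the predicate, the checkpoint path and the `--dry-run` switch are my own choices, and the JSON sample embedded at the top is constructed, not captured from a real machine. It is written to run under the Python 2.7 that ships with Sierra as well as Python 3.

```python
#!/usr/bin/env python
"""Checkpointed Splunk scripted input for the macOS 10.12 unified log.

Added example; assumes `log show --style json` and the JSON keys used in
to_events(). PREDICATE and CHECKPOINT_FILE are placeholders to adapt.
"""
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta

# Last-seen timestamp kept between runs (assumed path, override via env var).
CHECKPOINT_FILE = os.environ.get(
    "MACLOG_CHECKPOINT",
    os.path.join(os.environ.get("SPLUNK_HOME", "/tmp"), "var", "lib", "maclog.chk"))

# Processes that carry logon / authorization / directory-service messages on
# Sierra. Assumed selection for illustration; tune it to your audit list.
PREDICATE = (
    'process == "loginwindow" OR process == "opendirectoryd" OR '
    'process == "authd" OR process == "sudo" OR process == "screensharingd"'
)

START_FMT = "%Y-%m-%d %H:%M:%S"  # the resolution `log show --start` accepts

# Constructed sample of `log show --style json` output for --dry-run and the
# tests; not captured from a real machine.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2017-01-24 10:15:32.000100-0800",
     "processImagePath": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "processID": 96, "subsystem": "", "category": "", "messageType": "Default",
     "eventMessage": "Login Window Application Started"},
    {"timestamp": "2017-01-24 10:15:33.250000-0800",
     "processImagePath": "/usr/bin/sudo", "processID": 4102,
     "subsystem": "", "category": "", "messageType": "Default",
     "eventMessage": "alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; "
                     "COMMAND=/usr/bin/dscl . -create /Users/svc"},
    {"timestamp": "2017-01-24 10:15:40.500000-0800",
     "processImagePath": "/usr/libexec/authd", "processID": 120,
     "subsystem": "com.apple.Authorization", "category": "authd",
     "messageType": "Error",
     "eventMessage": "Failed to authorize right \"system.login.console\"\nby client loginwindow"},
])


def read_checkpoint(path, lookback_minutes=5):
    """Return the last full timestamp emitted, or a short lookback on first run."""
    try:
        with open(path) as fh:
            value = fh.read().strip()
        if value:
            return value
    except (IOError, OSError):
        pass
    return (datetime.now() - timedelta(minutes=lookback_minutes)).strftime(START_FMT)


def write_checkpoint(path, timestamp):
    """Write the checkpoint atomically so a killed run cannot leave a torn file."""
    parent = os.path.dirname(path)
    if parent and not os.path.isdir(parent):
        os.makedirs(parent)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(timestamp)
    os.rename(tmp, path)


def build_command(last_seen, predicate=PREDICATE):
    """`--start` has one-second resolution, so the checkpoint is truncated."""
    return ["log", "show", "--style", "json", "--start", last_seen[:19],
            "--predicate", predicate]


def to_events(json_text, last_seen):
    """Convert `log show --style json` output to one key="value" line per event.

    `--start` re-reads the whole checkpoint second, so records at or before
    `last_seen` are dropped here to avoid duplicates across runs. Timestamps
    look like '2017-01-24 10:15:32.123456-0800' and compare correctly as
    strings as long as the host's zone does not change. Returns
    (events, newest_timestamp).
    """
    events, newest = [], last_seen
    for rec in json.loads(json_text):
        ts = rec.get("timestamp", "")
        if not ts or ts <= last_seen:
            continue
        message = (rec.get("eventMessage") or "").replace("\n", " ").replace('"', "'")
        fields = [
            ("timestamp", ts),
            ("process", (rec.get("processImagePath") or "").rsplit("/", 1)[-1]),
            ("pid", rec.get("processID", "")),
            ("subsystem", rec.get("subsystem", "")),
            ("category", rec.get("category", "")),
            ("type", rec.get("messageType", "")),
            ("message", message),
        ]
        events.append(" ".join('%s="%s"' % (k, v) for k, v in fields))
        if ts > newest:
            newest = ts
    return events, newest


def main(argv):
    dry_run = "--dry-run" in argv
    if dry_run:  # exercise the pipeline offline against the constructed sample
        last_seen, raw = "2017-01-24 10:15:32.000100-0800", SAMPLE_JSON
    else:
        last_seen = read_checkpoint(CHECKPOINT_FILE)
        proc = subprocess.Popen(build_command(last_seen), stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, universal_newlines=True)
        raw, err = proc.communicate()
        if proc.returncode != 0:
            sys.stderr.write("log show failed: %s\n" % err.strip())
            return 1
    events, newest = to_events(raw, last_seen)
    for line in events:
        print(line)
    if newest != last_seen and not dry_run:
        write_checkpoint(CHECKPOINT_FILE, newest)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once with `--dry-run` to see the two events that survive the checkpoint filter (the loginwindow record sits exactly at the checkpoint and is dropped), then register it in an app's inputs.conf as a `[script://$SPLUNK_HOME/etc/apps/<app>/bin/maclog.py]` stanza with an `interval` of a minute or so and a sourcetype of your choice. Two caveats a practitioner would want: `log show` over a long window is slow on Sierra, so keep the interval short and the predicate tight; and several rows of the table above (account logon, account management, logon events, privilege use) map more naturally to the BSM audit trail that macOS still keeps in /var/audit, selected by the classes in /etc/security/audit_control (`lo` for login/logout, `aa` for authentication and authorization, `ad` for administrative actions) and readable with `praudit -l`; the same checkpointed wrapper pattern works for that source as a second scripted input.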