macos + Log Insight

I recently had an issue with my Macbook Pro and used Log Insight to track down the issue. In the process I realized I have not blogged about how to configure macos to log to Log Insight. In this post, I will cover the steps. Read on to learn more!

Log Insight supports macos?!

The Log Insight server supports any device that sends syslog or cfapi protocols. macos natively supports syslog. The Log Insight agent does not support macos so using syslog is required.

How to configure syslog on macos

To configure syslog on macos you need to edit /etc/syslog.conf with root privileges and add the following line to the bottom of the file:

This says forward all events to the FQDN specified over UDP. If you prefer TCP then use two at signs:

Finally, you need to restart the syslog daemon. If you are running macos 10.11 (El Capitan) or older you can run the following commands with root privileges:

If you are running macos 10.12 (Sierra) or newer then the above commands will not work because of System Integrity Protection:

Disabling System Integrity Protection requires booting into recovery mode and is not recommended for security reasons. Instead, you can simply reboot macos for the changes to take effect. That’s it, now we can use Log Insight!

macos content pack for Log Insight

While there is no macos content pack for Log Insight this should not prevent you from analyzing the events. You can leverage the General and Linux content packs to get some information from macos events, however do not expect to see a lot of results. In general, you should treat macos like any other syslog target, you can search by hostname and then filter by keywords such as “error”, “fatal”, and “alert”. Leveraging Event Types and Event Trends on Interactive Analytics can also assist when troubleshooting macos events.

© 2017, Steve Flanders. All rights reserved.

Leave a Reply