Unified Logging

The Unified Logging system available in macOS 10.12 or later provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.

With Jamf Protect, you can use the same predicate-based filter criteria that are often used with the log command to collect relevant log entries from computers and send them to a security information and event management (SIEM) solution or a third party storage solution (e.g., AWS).

Important:

To collect unified log filter data with Jamf Protect, you must do one of the following:

  • Integrate Jamf Protect with a security information and event management (SIEM) solution.
  • Enable data forwarding to a third party storage solution.

Creating a Unified Log Filter

You must create a predicate-based filter that collects logs relevant to your organization's needs. The following steps show how to use Console to help you identify criteria that can be added to a predicate filter.

  1. Open the Console app.
  2. In the search field, enter keywords relevant to the logs you want to view.
    Example:

    If you want to see all logs related to login events, enter loginwindow.

  3. Analyze the results, and continue to refine your search criteria until only logs relevant to your needs are displayed in Console.
    Example:

    To narrow the criteria to only user logins and not screen unlocks, enter com.apple.sessionDidLogin and choose Message from the filter drop-down.

  4. Create a predicate-based filter that includes the criteria from step 3.

    This value will be used to configure a Unified Log Filter in Jamf Protect.

    Example:
    The search criteria that filters for user logins in step 3 is written as follows in predicate syntax:
    processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin"

    For a full list of supported keys that can be used in a predicate-based filter, execute the following command: log help predicates

  5. (Optional) Confirm that your filter is correct.
    1. Use Terminal to execute a log command that uses your predicate.

      Example:
      log show --predicate 'processImagePath contains "loginwindow" and eventMessage contains "com.apple.sessionDidLogin"'
    2. Complete a task on your computer that will generate a log that meets your filter criteria.
    3. Confirm that the task generates a new log entry in your Terminal session.

You now have a predicate-based filter that can be used to configure a Unified Log Filter in Jamf Protect.

For information on content caching logs and statistics, see View content caching logs and statistics on Mac in Apple's macOS User Guide:

For related information about Unified Logging and NSPredicate syntax, see the following from the Apple Developer website:

Adding Unified Log Filters to Jamf Protect

Requirements

To collect unified log filter data with Jamf Protect, you must do one of the following:

  • Integrate Jamf Protect with a security information and event management (SIEM) solution.
  • Enable data forwarding to a third party storage solution.

  1. In Jamf Protect, click Unified Logging in the sidebar.
  2. Click Add New Filter.
  3. Give your filter a name.
  4. (Optional) Add tags to your filter.
  5. Enter your previously created predicate-based filter.
    Note:

    Only enter the predicate filter between the quotation marks. The log command and --predicate flag you used to test your filter should not be included.

  6. Click Save.

All computers will now send logs that match your filter to your security information and event management (SIEM) solution.
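The following is an added example, not Jamf's or Apple's tooling: a bash script that lints a predicate before it is pasted into a Jamf Protect Unified Log Filter. It serves step 5 of the filter-creation procedure and the note in step 5 of the Jamf Protect procedure: it pulls the bare predicate out of the log show --predicate '...' command line you tested in Terminal (only the text between the single quotes belongs in the filter field), checks that every double-quoted string literal is closed, and flags field names that are not known predicate keys. The KNOWN_KEYS list is an assumption, a subset of what log help predicates prints; extend it from that command on your own Mac. The live check (try_on_mac) only runs where the log command exists, i.e. on macOS; the linting functions run on any Unix shell.

```shell
#!/usr/bin/env bash
# Added example (not Jamf's or Apple's code): lint a unified log predicate
# before pasting it into a Jamf Protect Unified Log Filter.

# ASSUMPTION: a subset of the keys listed by `log help predicates` on macOS.
# Extend this list from that command's output for your macOS version.
KNOWN_KEYS="eventMessage eventType messageType process processImagePath processIdentifier
processImageUUID sender senderImagePath senderImageUUID subsystem category
activityIdentifier parentActivityIdentifier"

# NSPredicate comparison and logical keywords (matched case-insensitively).
KEYWORDS="and or not contains beginswith endswith like matches in true false
== != = < > <= >= && || !"

# Given the command line as typed in Terminal, return just the predicate text,
# i.e. what belongs in the Jamf Protect filter field (no `log show`, no --predicate).
# Assumes the form `--predicate '...'` with single quotes, as in the page's example.
extract_predicate() {
  local cmd="$1"
  case "$cmd" in
    *--predicate*) ;;
    *) printf '%s\n' "$cmd"; return 0 ;;       # already a bare predicate
  esac
  local body="${cmd#*--predicate }"              # drop everything up to the flag
  body="${body#\'}"                              # drop the opening single quote
  body="${body%%\'*}"                            # drop the closing quote and anything after
  printf '%s\n' "$body"
}

# An odd number of double quotes means an unterminated string literal,
# which `log show` rejects with a parse error.
quotes_balanced() {
  local only_quotes
  only_quotes=$(printf '%s' "$1" | tr -cd '"')
  [ $(( ${#only_quotes} % 2 )) -eq 0 ]
}

# Print every bare identifier that is neither a known key nor a keyword.
unknown_keys() {
  local pred="$1" word lower found k stripped
  # Strip string literals, comparison modifiers such as [c]/[cd], and parentheses.
  stripped=$(printf '%s' "$pred" | sed 's/"[^"]*"//g; s/\[c\]//g; s/\[cd\]//g; s/[()]/ /g')
  for word in $stripped; do
    case "$word" in [0-9]*) continue ;; esac   # numeric literal, e.g. processIdentifier == 501
    lower=$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')
    found=0
    for k in $KNOWN_KEYS $KEYWORDS; do
      [ "$lower" = "$(printf '%s' "$k" | tr '[:upper:]' '[:lower:]')" ] && found=1 && break
    done
    [ $found -eq 0 ] && printf '%s\n' "$word"
  done
  return 0
}

# Lint one predicate (or a whole tested command line).
# Returns 0 if it looks safe to paste into Jamf Protect, 1 otherwise.
lint_predicate() {
  local pred bad rc=0
  pred=$(extract_predicate "$1")
  if ! quotes_balanced "$pred"; then
    echo "unbalanced double quote in: $pred" >&2
    rc=1
  fi
  bad=$(unknown_keys "$pred")
  if [ -n "$bad" ]; then
    echo "unknown predicate key(s): $(printf '%s' "$bad" | tr '\n' ' ')" >&2
    rc=1
  fi
  return $rc
}

# macOS only: show the most recent matches from the last 10 minutes so you can
# confirm a triggering action produced an entry (step 5 of the procedure).
try_on_mac() {
  command -v log >/dev/null 2>&1 || { echo "log(1) not available; skipping live test"; return 0; }
  log show --last 10m --predicate "$(extract_predicate "$1")" | tail -n 5
}

# Usage: the page's own predicate, exactly as it was tested in Terminal.
lint_predicate "log show --predicate 'processImagePath contains \"loginwindow\" and eventMessage contains \"com.apple.sessionDidLogin\"'" \
  && echo "predicate OK"
```

The quote check catches the most common copy-and-paste failure, a string literal left open at the end of the predicate, and the key check catches typos such as procesImagePath that Console's search box would silently turn into zero results. Run the script on the command line you tested in step 5, then paste the printed predicate into the Jamf Protect filter field.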