Unified Logging
The Unified Logging system available in macOS 10.12 or later provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.
With Jamf Protect, you can use the same predicate-based filter criteria that are often used with the log command to collect relevant log entries from computers and send them to a security information and event management (SIEM) solution or a third-party storage solution (e.g., AWS).
To collect unified log filter data with Jamf Protect, you must do one of the following:
Integrate Jamf Protect with a security information and events management (SIEM) solution.
Enable data forwarding to a third party storage solution.
Creating a Unified Log Filter
You must create a predicate-based filter that collects logs relevant to your organization's needs. The following steps show how to use Console to help you identify criteria that can be added to a predicate filter.
Do not create unified log filters that collect Jamf Protect activities. Doing so creates an infinite logging loop that may cause unexpected behavior.
You now have a predicate-based filter that can be used to configure a Unified Log Filter in Jamf Protect.
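The predicate syntax referred to above (the filter criteria shared with the log command, and the filter you end up with after working through Console) is illustrated by the following added example, which is not part of the Jamf Protect documentation. It composes a predicate from a process name and a message substring, wraps it with an exclusion so the filter does not match a log-shipping agent (the process name used for the exclusion is a placeholder assumption, not a value from this page), and previews the result on a Mac with log show before the predicate is pasted into a Unified Log Filter. The predicate keys (process, eventMessage) and operators (==, !=, CONTAINS[c], AND) are the standard ones listed by log help predicates.

```shell
#!/bin/sh
# Added example (not from the Jamf Protect page): build and preview a unified-log
# predicate before configuring it as a Unified Log Filter.

# Compose an NSPredicate-style filter: events from one process whose message
# contains a case-insensitive substring.
build_predicate() {
  proc="$1"      # process name to match, e.g. sudo
  needle="$2"    # substring the event message must contain (case-insensitive)
  printf '%s' "process == \"$proc\" AND eventMessage CONTAINS[c] \"$needle\""
}

# Wrap a predicate so that events from a named process are excluded. This is how
# a filter avoids collecting the activity of the agent that forwards the logs,
# which would otherwise create a logging loop. The excluded process name is an
# assumption supplied by the caller, not a value from the page.
exclude_process() {
  pred="$1"
  excluded="$2"
  printf '%s' "($pred) AND process != \"$excluded\""
}

# Preview the filter on a Mac: print the last hour of matching events in syslog
# style. On hosts without the macOS log command, only the predicate is echoed.
preview_filter() {
  pred="$1"
  if [ "$(uname)" = "Darwin" ] && command -v log >/dev/null 2>&1; then
    log show --predicate "$pred" --last 1h --style syslog
  else
    echo "predicate: $pred"
  fi
}

# Usage: build a filter for failed sudo authentications (a constructed example),
# exclude a placeholder agent process, and preview it.
pred=$(build_predicate sudo "authentication")
pred=$(exclude_process "$pred" "ExampleLogAgent")
preview_filter "$pred"
```

Run the preview in Terminal on a test Mac first; if the event set is what you expect, the echoed predicate is the string to enter in the Unified Log Filter. Keep the exclusion clause in place so the filter never matches the forwarding agent's own log entries.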
Adding Unified Log Filters to Jamf Protect
Integrate Jamf Protect with a security information and events management (SIEM) solution.
For more information, see Splunk Integration with Jamf Protect.
Enable data forwarding to a third party storage solution.
For more information, see Data Forwarding to a Third Party Storage Solution.
Enable the Forward Unified Log Data to a Third Party Storage Solution checkbox in an action configuration. For more information, see Creating an Action Configuration.
All computers will now send logs that match your filter to your security information and event management (SIEM) solution or third-party storage solution.