建立和上傳 Splunk HTTP 事件收集器設定描述檔

如果您使用 Splunk 作為您的 SIEM 軟體,並希望使用 HTTP 事件收集器進行報告,建議您在 Jamf Pro 中配置 Splunk HTTP 事件收集器設定描述檔。Jamf Pro是一種MDM解決方案,管理者可用來配置Compliance Reporter設定並將Compliance Reporter部署到目標電腦。有關 Spunk HTTP 事件收集器的更多資訊,請參閱 Splunk Enterprise 文件中的 Set up and use HTTP Event Collector in Splunk Web (設定和使用 Splunk Web 中的 HTTP 事件收集器)。

  1. Jamf Pro 中,於側邊欄頂端按一下 電腦
  2. 按一下側邊欄中的 設定描述檔
  3. 按一下 上傳
  4. 按照如下方式上傳設定描述檔,以確保視需要修改設定:
    <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadContent</key> <dict> <key>com.jamf.compliancereporter</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>AuditEventExcludedProcesses</key> <array> <string>/usr/sbin/mDNSResponder</string> <string>/usr/sbin/syslogd</string> <string>/Applications/splunk/bin/splunk-optimize</string> </array> <key>AuditEventExcludedUsers</key> <array> <string>_spotlight</string> <string>_windowserver</string> </array> <key>AuditEventLogVerboseMessages</key> <false/> <key>AuditLevel</key> <integer>1</integer> <key>FileEventExclusionPaths</key> <array> <string>/Applications/splunk.*</string> </array> <key>FileEventInclusionPaths</key> <array> <string>/usr/lib/pam/.*</string> <string>/Library/Launch.*</string> <string>/Library/StartupItems/.*</string> <string>/Library/Extensions/.*</string> <string>/Library/Preferences/.*</string> <string>/Library/PrivilegedHelperTools/.*</string> <string>/private/etc/.*</string> </array> <key>LicenseEmail</key> <string>example@mycompany.com</string> <key>LicenseExpirationDate</key> <string>dd/mm/yyyy</string> <key>LicenseKey</key> <string>35c...</string> <key>LicenseType</key> <string>Trial</string> <key>LicenseVersion</key> <string>1</string> <key>LogFileMaxNumberBackups</key> <integer>10</integer> <key>LogFileMaxSizeMegaBytes</key> <string>50</string> <key>LogFileOwnership</key> <string>root:wheel</string> <key>LogFilePermission</key> <string>644</string> <key>LogRemoteEndpointEnabled</key> <true/> <key>LogRemoteEndpointREST</key> <dict> <key>PublicKeyHash</key> <string>7E1DDE57-CEA3-4872-A477-CD2D6B640AFB</string> </dict> <key>LogRemoteEndpointType</key> <string>Splunk</string> <key>LogRemoteEndpointURL</key> <string>https://splunk.company.com:8088/services/collector/raw</string> <key>UnifiedLogPredicates</key> <array> <string>(subsystem == "com.apple.AccountPolicy")</string> </array> </dict> </dict> </array> </dict> </dict> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>Custom</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string> <key>PayloadOrganization</key> <string>Jamf inc</string> <key>PayloadType</key> <string>com.apple.ManagedClient.preferences</string> <key>PayloadUUID</key> <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string></string> <key>PayloadDisplayName</key> <string>Splunk HEC Compliance Reporter Preferences</string> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string> <key>PayloadOrganization</key> <string>Jamf inc</string> <key>PayloadRemovalDisallowed</key> <true/> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
  5. 按一下 儲存