Questo parser utilizza i pattern grok per estrarre i campi dai messaggi syslog di Apple macOS e compila il modello di dati unificato (UDM) con i valori estratti, inclusi timestamp, nome host, host intermedio, riga di comando, ID processo e descrizione. Il parser classifica l'evento come STATUS_UPDATE se è presente un nome host; in caso contrario, assegna all'evento la categoria GENERIC_EVENT. Infine, il parser arricchisce l'evento UDM con informazioni sul fornitore e sul prodotto.
Prima di iniziare
Assicurati di avere un'istanza Google Security Operations.
Assicurati di avere accesso root all'host Auditd.
Assicurati di aver installato rsyslog sull'host Auditd.
Assicurati di avere un host Windows 2012 SP2 o versioni successive o Linux con systemd.
Se l'esecuzione avviene tramite un proxy, assicurati che le porte del firewall siano aperte.
Recuperare il file di autenticazione importazione di Google SecOps
Accedi alla console Google SecOps.
Vai a Impostazioni SIEM>Agente di raccolta.
Scarica il file di autenticazione importazione.
Recuperare l'ID cliente Google SecOps
Accedi alla console Google SecOps.
Vai a Impostazioni SIEM>Profilo.
Copia e salva l'ID cliente dalla sezione Dettagli dell'organizzazione.
Installa l'agente Bindplane
Per l'installazione di Windows, esegui il seguente script: msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet.
Per l'installazione di Linux, esegui il seguente script: sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh.
Configura l'agente Bindplane per importare Syslog e inviarlo a Google SecOps
Accedi alla macchina in cui è installato l'agente Bindplane.
Modifica il file config.yaml come segue:
receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: auditd
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
Riavvia Bindplane Agent per applicare le modifiche utilizzando il seguente comando:
sudo systemctl bindplane restart
Esportare Syslog da macOS
Installa syslog-ng utilizzando Homebrew:
brewinstallsyslog-ng
Configura syslog-ng:
Modifica il file syslog-ng.conf (di solito si trova in /usr/local/etc/syslog-ng/syslog-ng.conf):
sudovi/usr/local/etc/syslog-ng/syslog-ng.conf
Aggiungi il seguente blocco di configurazione.
A seconda della configurazione di Bindplane, puoi modificare il metodo di distribuzione in tcp o lasciarlo come udp.
Sostituisci <BindPlaneAgent_IP> e <BindPlaneAgent_Port> con l'indirizzo IP e la porta effettivi dell'agente Bindplane:
Controlla lo stato di syslog-ng (dovresti visualizzare syslog-ng come avviato):
brewserviceslist
Tabella di mappatura UDM
Campo log
Mappatura UDM
Logic
dati
read_only_udm.metadata.description
Il valore del campo description viene estratto dal campo data nel log non elaborato utilizzando un pattern grok.
dati
read_only_udm.principal.hostname
Il nome host viene estratto dal campo data utilizzando un pattern grok.
dati
read_only_udm.intermediary.hostname
Il nome host dell'intermediario viene estratto dal campo data utilizzando un pattern grok.
dati
read_only_udm.principal.process.command_line
La riga di comando del processo viene estratta dal campo data utilizzando un pattern grok.
dati
read_only_udm.principal.process.pid
L'ID processo viene estratto dal campo data utilizzando un pattern grok.
dati
read_only_udm.metadata.event_timestamp
Il timestamp dell'evento viene estratto dal campo data utilizzando un pattern grok e convertito in un oggetto timestamp. Hardcoded su "MacOS" nel parser. Codificato come "Apple" nel parser. Impostato su "STATUS_UPDATE" se un nome host viene estratto dai log, altrimenti impostato su "GENERIC_EVENT".
log_type
read_only_udm.metadata.log_type
Mappato direttamente dal campo log_type del log non elaborato.
[[["Facile da capire","easyToUnderstand","thumb-up"],["Il problema è stato risolto","solvedMyProblem","thumb-up"],["Altra","otherUp","thumb-up"]],[["Difficile da capire","hardToUnderstand","thumb-down"],["Informazioni o codice di esempio errati","incorrectInformationOrSampleCode","thumb-down"],["Mancano le informazioni o gli esempi di cui ho bisogno","missingTheInformationSamplesINeed","thumb-down"],["Problema di traduzione","translationIssue","thumb-down"],["Altra","otherDown","thumb-down"]],["Ultimo aggiornamento 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details how to collect Apple macOS syslog data for Google SecOps, utilizing a parser that extracts key information like timestamp, hostname, and process details.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves using Bindplane Agent to ingest syslog data, which requires configuration of \u003ccode\u003econfig.yaml\u003c/code\u003e to specify the receiver port, customer ID, and credential details, and then restarting it.\u003c/p\u003e\n"],["\u003cp\u003eSyslog-ng needs to be installed and configured on macOS to export syslog data, which is done through editing the \u003ccode\u003esyslog-ng.conf\u003c/code\u003e file to route logs to the Bindplane Agent's IP and port.\u003c/p\u003e\n"],["\u003cp\u003eThe parser uses grok patterns to map extracted data from macOS syslog messages into the Unified Data Model (UDM), categorizing events as either \u003ccode\u003eSTATUS_UPDATE\u003c/code\u003e or \u003ccode\u003eGENERIC_EVENT\u003c/code\u003e based on the presence of a hostname.\u003c/p\u003e\n"],["\u003cp\u003ePrerequisites include having a Google Security Operations instance, root access to the Auditd host, and proper installation of rsyslog and Bindplane Agent, in addition to having the corresponding firewall ports open.\u003c/p\u003e\n"]]],[],null,["# Collect Apple macOS syslog data\n===============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser uses grok patterns to extract fields from Apple macOS syslog messages and populates the Unified Data Model (UDM) with the extracted values, including the timestamp, hostname, intermediary host, command line, process ID, and description. The parser categorizes the event as `STATUS_UPDATE` if a hostname is present; otherwise, it assigns the category `GENERIC_EVENT` to the event. Finally, the parser enriches the UDM event with vendor and product information.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you have root access to the Auditd host.\n- Ensure that you installed rsyslog on the Auditd host.\n- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Collection Agent**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`.\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`.\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane Agent is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: auditd\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart Bindplane Agent to apply the changes using the following command:\n `sudo systemctl bindplane restart`\n\nExporting Syslog from macOS\n---------------------------\n\n1. Install `syslog-ng` using Homebrew:\n\n brew install syslog-ng\n\n2. Configure syslog-ng:\n\n - Edit `syslog-ng.conf` file (usually located at `/usr/local/etc/syslog-ng/syslog-ng.conf`):\n\n sudo vi /usr/local/etc/syslog-ng/syslog-ng.conf\n\n - Add the following configuration block.\n - Depending on the Bindplane configuration, you can change the delivery method to `tcp` or leave it as `udp`.\n - Replace `\u003cBindPlaneAgent_IP\u003e` and `\u003cBindPlaneAgent_Port\u003e` with the actual IP address and port of your Bindplane Agent:\n\n source s_local { system(); internal(); };\n destination d_secops { tcp(\"\u003cBindPlaneAgent_IP\u003e:\u003cBindPlaneAgent_Port\u003e\"); };\n log { source(s_local); destination(d_secops); };\n\n3. Restart the `syslog-ng` service:\n\n brew services restart syslog-ng\n\n4. Check the status of `syslog-ng` (you should see `syslog-ng` listed as started):\n\n brew services list\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]