# Collect Apple macOS syslog data

Supported in: Google SecOps SIEM

**Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This parser uses grok patterns to extract fields from Apple macOS syslog messages and populates the Unified Data Model (UDM) with the extracted values, including the timestamp, hostname, intermediary host, command line, process ID, and description. The parser categorizes the event as `STATUS_UPDATE` if a hostname is present; otherwise it assigns the category `GENERIC_EVENT` to the event. Finally, the parser enriches the UDM event with vendor and product information.
Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you have root access to the Auditd host.
- Ensure that you installed rsyslog on the Auditd host.
- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Collection Agent**.
3. Download the **Ingestion Authentication File**.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

1. For **Windows installation**, run the following script:
   `msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet`
2. For **Linux installation**, run the following script:
   `sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh`
3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the machine where Bindplane Agent is installed.
2. Edit the `config.yaml` file as follows (the nesting shown is the indentation the agent expects; `log_type`, `namespace` and `raw_log_field` are exporter settings, siblings of `ingestion_labels`):

        receivers:
          tcplog:
            # Replace the below port <54525> and IP <0.0.0.0> with your specific values
            listen_address: "0.0.0.0:54525"

        exporters:
          chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the creds location below according to the placement of the credentials file you downloaded
            creds: '{ json file for creds }'
            # Replace <customer_id> below with your actual ID that you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # You can apply ingestion labels below as preferred
            ingestion_labels:
            log_type: SYSLOG
            namespace: auditd
            raw_log_field: body

        service:
          pipelines:
            logs/source0__chronicle_w_labels-0:
              receivers:
                - tcplog
              exporters:
                - chronicle/chronicle_w_labels

3. Restart Bindplane Agent to apply the changes using the following command:
   `sudo systemctl restart bindplane`
Exporting Syslog from macOS
---------------------------

1. Install `syslog-ng` using Homebrew:

        brew install syslog-ng

2. Configure syslog-ng:

   - Edit the `syslog-ng.conf` file (usually located at `/usr/local/etc/syslog-ng/syslog-ng.conf`):

            sudo vi /usr/local/etc/syslog-ng/syslog-ng.conf

   - Add the following configuration block.
   - Depending on the Bindplane configuration, you can change the delivery method to `tcp` or leave it as `udp`; the receiver configured above is `tcplog`, so `tcp` matches it.
   - Replace `<BindPlaneAgent_IP>` and `<BindPlaneAgent_Port>` with the actual IP address and port of your Bindplane Agent:

            source s_local { system(); internal(); };
            # syslog-ng's tcp() and udp() drivers take the host and the port as separate arguments
            destination d_secops { tcp("<BindPlaneAgent_IP>" port(<BindPlaneAgent_Port>)); };
            log { source(s_local); destination(d_secops); };

3. Restart the `syslog-ng` service:

        brew services restart syslog-ng

4. Check the status of `syslog-ng` (you should see `syslog-ng` listed as started):

        brew services list
UDM Mapping Table
-----------------

| Log field | UDM mapping | Logic |
|---|---|---|
| data | | The value of the `description` field is extracted from the `data` field of the raw log using a grok pattern. |
| data | read_only_udm.principal.hostname | The hostname is extracted from the `data` field using a grok pattern. |
| data | read_only_udm.intermediary.hostname | The intermediary hostname is extracted from the `data` field using a grok pattern. |
| data | read_only_udm.principal.process.command_line | The process command line is extracted from the `data` field using a grok pattern. |
| data | read_only_udm.principal.process.pid | The process ID is extracted from the `data` field using a grok pattern. |
| data | read_only_udm.metadata.event_timestamp | The event timestamp is extracted from the `data` field using a grok pattern and converted to a timestamp object. |

In addition, the parser hardcodes the product name to `MacOS` and the vendor name to `Apple`, and sets the event type to `STATUS_UPDATE` if a hostname is extracted from the log, otherwise to `GENERIC_EVENT`.
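To make the mapping concrete, here is an added example (not the Google SecOps parser's own code) that applies a regex standing in for the grok extraction to constructed macOS syslog lines and builds the UDM fields from the table above, including the `STATUS_UPDATE` / `GENERIC_EVENT` decision. The regex, the sample lines, the assumed year for the year-less BSD timestamp, and the `metadata.vendor_name` / `metadata.product_name` field names for the hardcoded values are assumptions; the parser's real grok pattern is not on this page.

```python
import re
from datetime import datetime

# Regex standing in for the parser's grok pattern (assumed; the real pattern is
# not published on this page). Shape: [<PRI>]TIMESTAMP HOST [RELAY] PROC[PID]: MSG
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:(?P<relay>\S+) )?"
    r"(?P<cmd>[^\s\[:]+)\[(?P<pid>\d+)\]: (?P<desc>.*)$"
)

# Constructed sample lines, not captured from a real host.
SAMPLE_LINES = [
    "<13>Sep  4 10:15:32 mac-studio loginwindow[215]: USER_PROCESS: 7 ttys001",
    "Sep  4 10:16:01 mac-studio syslog-relay kernel[0]: AppleKeyStore: unlocked",
    "--- last message repeated 3 times ---",
]


def parse_macos_syslog(data: str, year: int = 2025) -> dict:
    """Map one raw line (the parser's `data` field) to the UDM fields in the table."""
    # Vendor and product are hardcoded by the parser; these UDM field names are assumed.
    udm = {"metadata.vendor_name": "Apple", "metadata.product_name": "MacOS"}
    m = SYSLOG_RE.match(data.strip())
    if m is None:
        # Nothing extractable: keep the raw text as the description only.
        udm["metadata.description"] = data.strip()
    else:
        # BSD syslog timestamps carry no year, so the year is an assumed input.
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        udm["metadata.event_timestamp"] = ts.isoformat()
        udm["principal.hostname"] = m["host"]
        if m["relay"]:
            udm["intermediary.hostname"] = m["relay"]
        udm["principal.process.command_line"] = m["cmd"]
        udm["principal.process.pid"] = m["pid"]
        udm["metadata.description"] = m["desc"]
    # The page's rule: STATUS_UPDATE when a hostname was extracted, else GENERIC_EVENT.
    has_host = "principal.hostname" in udm
    udm["metadata.event_type"] = "STATUS_UPDATE" if has_host else "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_macos_syslog(line))
```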