Improving text-based logs with Unified Logging
Text-based logs have long been a staple of IT and security teams seeking insight into their Mac and Unix systems. However, these logs are often huge, numerous, and extremely verbose, making relevant information hard to find. Unified Logging was brought to macOS Sierra (10.12) in September 2016 as a replacement for the typical Unix-style logs to help address some of these shortcomings. The Unified Log gave administrators one tool to dig into all the system and application logs at once while allowing them to search and query them for relevant information. Now they had one place to quickly get a picture of the device:
- Authentication attempts
- Account creation/deletion
- Password changes
- SSH Activity
- AirDrop Activity
- And more
The downside to Unified Logging
The biggest downside of this new Unified Log was that it was bound to the device. An administrator would have to connect to the device in question and use Console to query the logs. This introduced a lot of complexities, as centralizing log data is such a common need for organizations.
Jamf Protect centralizes Mac log data
With Jamf Protect, we help organizations once again centralize all of their Mac log data and allow them to harness all the power that came from the Unified Log’s querying capabilities.
Let’s dig into some examples of how to get real value from the Unified Log and how Jamf Protect can help operationalize that even further.
Detecting outbound AirDrop transfers and logging them
Locally, we can easily find AirDrop activity in Console:
- Open the Console
- In the Action menu of Console, select “Include Info Messages” to view operational information
- Now inspect the available logs and search for “AirDrop”.
- Next, transfer a file and then search for that file name in the logs. Note the message that contains the file name.
- Note that the process was sharingd and the subsystem was com.apple.sharing
- Enter those into Console to narrow the massive log down to just a few items. Note that the message that contains the file name starts with “startSending” and enter that as additional search criteria in the top search bar.
We can take this to the command line as well.
- The “log show” and “log stream” commands are the Command Line equivalent of Console.app.
- The syntax for queries isn’t quite the same, so we’ll craft our query predicate for the command line syntax using “log help predicates” for some much-needed help.
We end up with:
log stream --level=info --predicate "process == 'sharingd' and subsystem = 'com.apple.sharing' and category = 'AirDrop' and composedMessage BEGINSWITH[cd] 'startSending'"
Both of these are great so far, but as discussed earlier they are limited to being run locally on an end user’s computer. They are often used during forensic investigations, as seen in the recent talk (by the CrowdStrike Services team) at Objective By The Sea 3.0.
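The same four predicate clauses, applied in Python to records in the JSON form that `log show` and `log stream` emit with `--style ndjson`, as an added example that is not from the original post. The sample records and their message text are constructed, and `airdrop_sends` and `_rec` are hypothetical helper names.

```python
import json
import posixpath
import unicodedata

# The four clauses of the predicate, as plain field comparisons.
PROCESS, SUBSYSTEM, CATEGORY = "sharingd", "com.apple.sharing", "AirDrop"
PREFIX = "startSending"

def fold(text):
    """Approximate the [cd] modifier: ignore case and diacritics."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def matches(record):
    """True when one log record satisfies every clause of the predicate."""
    # `log` reports the full image path; the predicate's `process` is its basename.
    process = posixpath.basename(record.get("processImagePath") or "")
    return (process == PROCESS
            and record.get("subsystem") == SUBSYSTEM
            and record.get("category") == CATEGORY
            and fold(record.get("eventMessage") or "").startswith(fold(PREFIX)))

def airdrop_sends(lines):
    """Return matching records; skip lines that are not JSON objects."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # banner text or a truncated write must not stop collection
        if isinstance(record, dict) and matches(record):
            hits.append(record)
    return hits

def _rec(path, category, message):
    # Constructed record using key names found in `log` JSON output.
    return json.dumps({"processImagePath": path, "subsystem": SUBSYSTEM,
                       "category": category, "eventMessage": message})

# Constructed sample input; the message text is invented for illustration.
SAMPLE = [
    "Filtering the log data (constructed banner line, not JSON)",
    _rec("/usr/libexec/sharingd", "AirDrop", "startSending Secrets.png"),
    _rec("/usr/libexec/sharingd", "AirDrop", "STARTSENDING Notes.txt"),
    _rec("/usr/libexec/sharingd", "Handoff", "startSending Other.txt"),
    _rec("/tmp/notsharingd", "AirDrop", "startSending Decoy.png"),
    '{"processImagePath": "/usr/libexec/sharingd", "subsys',
]
```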
What if an organization wants this type of real-time visibility streamed to a central location?
Jamf Protect can help.
Simply take the command line predicate above (note: predicate only), and configure the “Unified Logging” section of Jamf Protect to get this information sent to your centralized SIEM whenever the configured predicate is matched in the Unified Log.
After this configuration is synced to the agent, we can trigger another AirDrop transfer and are rewarded with the reported log in JSON format including relevant host information like hostname, serial number and IPs.
The most important part of the event is the information about the “Match.” This includes all the tags for log data that matched the query and all of the data that would have been reported by the command line tools and in Console.app.
In the sample report below, we can see that an AirDrop transfer has been detected as it starts, in which a file called “Secrets.png” is being shared from hostname XCode-Joshua’s MacBook Pro to a device called BuckiPhone!
Of course, this is just the tip of the iceberg. Once you start digging into all of the data stored within the Unified Log, you are bound to find valuable information for your next incident response or compliance program, and potentially even for troubleshooting the system.