How To Configure MacOS To Forward Logs To EventTracker - Netsurion


How-To Guide
Configuring macOS to Forward Logs to EventTracker
EventTracker v9.3 and above
Publication Date: December 15, 2021
Copyright Netsurion. All Rights Reserved.

Abstract

This guide provides instructions to configure macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) to generate and forward logs for critical events. After EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor macOS.

Scope

The configuration details in this guide are consistent with EventTracker version v9.3 or above, and macOS.

Audience

Administrators who are assigned the task of monitoring macOS events using EventTracker.

Table of Contents

1. Overview
2. Prerequisites
3. Configuring macOS to Forward Logs to EventTracker
3.1 Configuring macOS to Forward Logs to a Syslog Server
3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine
3.2.1 GUI Installation
3.2.2 Command line Installation
3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager
3.4 Verifying ETSmacOSLogForwarder Installation
3.5 ETSmacOSLogForwarder Uninstallation
About Netsurion

1. Overview

Apple Macintosh Operating System (macOS) contains numerous log files (events) sent by various system processes and applications. These logs can be forwarded to a syslog server.

With EventTracker, you can monitor macOS events from a single view. EventTracker checks the status and availability of macOS for critical processes and consolidates all the syslog messages.

EventTracker can generate flex reports and can also trigger alerts whenever it detects any suspicious activity. These alerts and flex reports help you analyze login and logout activity, authentication failures, and any kind of administrator activity.

2. Prerequisites

- macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) should be configured to forward the logs.
- Ensure the syslog port provided during the integration is open between macOS and the perimeter firewalls.
- It is strongly recommended to use a TLS TCP (syslog over TLS) based connection with EventTracker. The EventTracker syslog port should be configured for TLS; please follow this guide. You can also use a TCP or UDP-based connection depending on your need.
- Add an exception for the syslog port on any firewall that sits between macOS and the EventTracker Manager.

3. Configuring macOS to Forward Logs to EventTracker

Note: For installation and upgrade, follow the steps below.

3.1 Configuring macOS to Forward Logs to a Syslog Server

1. Download the integrator package from the portal.
2. Download the file on the macOS server machine where you want to create the package and push the package to all the macOS systems.
3. Go to the Utility folder and open the Terminal.
4. Change the directory to where ETSmacOSLogForwarder is located.
5. Make sure the ETSmacOSLogForwarder script has executable permission.
6. If the file is not executable, use the following command to make it executable.

   chmod a+x ETSmacOSLogForwarder/ETSmacOSLogForwarder

7. Click the ETSmacOSLogForwarder script in the ETSmacOSLogForwarder folder. A Terminal window opens.
8. Provide the EventTracker Manager Name/IP Address.
9. Provide the EventTracker Manager syslog port number.
10. Choose the protocol for syslog.

Provide the protocol to be used to forward the syslog messages. By default, the TLS TCP protocol (syslog over TLS) will be configured. Ensure the TLS TCP protocol is enabled on the EventTracker Manager.

The following is the enumeration for each protocol:

Protocol number   Protocol
1                 TLS TCP (syslog over TLS)
2                 TCP (Transmission Control Protocol)
3                 UDP (User Datagram Protocol)

11. Provide the Tenant name.
    Note: The Tenant name should not contain any spaces.
12. After configuring, close the Terminal window.
13. Check the ETSmacOSLogForwarder folder to ensure the ETSmacOSLogForwarder<Tenant>.pkg file was created, where <Tenant> is the tenant name you provided.

3.2 Configuring ETSmacOSLogForwarder manually on the Client Machine

3.2.1 GUI Installation

1. Copy the ETSmacOSLogForwarder<Tenant>.pkg file to the client Mac machine.
2. Go to the Utility folder and open the Terminal.
3. Navigate to the directory where the ETSmacOSLogForwarder<Tenant>.pkg file is located using the cd command.
4. Click the ETSmacOSLogForwarder<Tenant>.pkg file and proceed as shown in the following images.
5. Click Continue.
6. Select your system disk to install the software and click Continue.
7. Click Install to install the software.
8. Provide the Admin Username and Password. Click Install Software.
9. After the installation is complete, click the Close button.

3.2.2 Command line Installation

1. Open the Terminal and go to the path containing the .pkg file.
2. Run the following command with admin privileges.

   sudo installer -pkg ETSmacOSLogForwarder<Tenant>.pkg -target /

3.3 Configuring ETSmacOSLogForwarder using the Munki Package Manager

If you have the Munki package manager configured in your environment, use the following method to add the package to the Munki repo.

1. Go to the Utility folder and open the Terminal.
2. Navigate to the directory where the ETSmacOSLogForwarder<Tenant>.pkg file is located using the cd command.
3. Enter the following command to import the package into the Munki repository.

   munkiimport ETSmacOSLogForwarder<Tenant>.pkg

4. Fill in the details as mentioned in the above image.
5. To create a client manifest for the ETSmacOSLogForwarder<Tenant>.pkg package, enter the command:

   manifestutil

6. At the manifestutil prompt, add the package to the manifest using the following command.

   add-pkg ETSmacOSLogForwarder<Tenant> --manifest site_default

For installing and configuring the Munki repository, navigate to the tion-Setup

3.4 Verifying ETSmacOSLogForwarder Installation

1. Open the Terminal and enter the following commands to check whether the following files were created.

   sudo ls /etc/ETSmacOSLogForwarder/
   sudo ls /var/log/ETSmacOSLogForwarder/

2. Check whether the ETSmacOSLogForwarder service is loaded and running.

   sudo launchctl list | grep ETSmacOSLogForwarder
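As an added example, not part of the Netsurion guide or the ETSmacOSLogForwarder package, the POSIX shell functions below check the values entered at the section 3.1 prompts (protocol number, syslog port, tenant name without spaces) and turn the section 3.4 checks into a single pass/fail verification. The launchd job label is not given in the guide, so the check only matches the ETSmacOSLogForwarder substring in the launchctl listing.

```shell
#!/bin/sh
# Added example, not part of the Netsurion guide: validate the values given to
# the ETSmacOSLogForwarder prompts (section 3.1) and run the section 3.4 checks.

# Map the guide's protocol number to its name; return 1 for anything else.
protocol_name() {
  case "$1" in
    1) echo "TLS TCP (syslog over TLS)" ;;
    2) echo "TCP (Transmission Control Protocol)" ;;
    3) echo "UDP (User Datagram Protocol)" ;;
    *) return 1 ;;
  esac
}

# The guide requires a tenant name without spaces; also reject an empty name.
valid_tenant() {
  case "$1" in
    "") return 1 ;;
    *" "*) return 1 ;;
    *) return 0 ;;
  esac
}

# A syslog port must be an integer in the range 1..65535.
valid_port() {
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Section 3.4 as one check: both directories exist and the launchd job list
# mentions the forwarder. The directories and the listing are parameters so the
# check can also run against a captured listing; the real job label is not in
# the guide, so only the ETSmacOSLogForwarder substring is matched (assumption).
verify_install() {
  conf_dir="$1"; log_dir="$2"; launchctl_output="$3"
  [ -d "$conf_dir" ] || { echo "missing $conf_dir"; return 1; }
  [ -d "$log_dir" ] || { echo "missing $log_dir"; return 1; }
  printf '%s\n' "$launchctl_output" | grep -q ETSmacOSLogForwarder \
    || { echo "ETSmacOSLogForwarder launchd job is not loaded"; return 1; }
  echo "ETSmacOSLogForwarder is installed and loaded"
}

# On a Mac, run the real check with the paths from section 3.4 (needs sudo):
# verify_install /etc/ETSmacOSLogForwarder /var/log/ETSmacOSLogForwarder "$(sudo launchctl list)"
```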

3.5 ETSmacOSLogForwarder Uninstallation

To uninstall the macOS log forwarder, run the following command in the Terminal.

   sudo sh staller

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service.

Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations.

Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #23 among MSSP Alert’s 2021 Top 250 MSSPs.

Contact Us

Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309

Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSPs SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support
