search
Knowledge BaseRelease NotesRequest Demo

MacOS System Logs to S3 via Fluentd

hashtag
Overview

circle-exclamation

Consider using Fluent Bit instead of Fluentd to forward logs to Panther. Fluent Bit is easier to set up and less resource intensive than Fluentd.

This guide provides a method to deliver MacOS System Logs to S3 using Fluentd. There are two different pipeline flows: via an AWS Firehose delivery stream and directly to an AWS S3 bucket

hashtag
Prerequisites

This guide assumes that an S3 bucket or Firehose has already been created. If you need to create either of these resources, please see the Getting Started with Fluentd guide. If you have already provisioned the resources, you can adapt the guide below to fit your needs.

hashtag
Setup Fluentd

hashtag
Step 1. Install Fluentd (td-agent)

Follow the Fluentd installation instructionsarrow-up-right for the machine from which you want to collect MacOS System Logs. This guide will specifically cover using td-agent as the service to collect logs.

hashtag
Step 2. Install the Fluent Plugin for MacOS Logs

Use the command below to install the Fluentd MacOS plugin.

sudo /opt/td-agent/bin/fluent-gem install fluent-plugin-macos-log

Further documentation about this plugin can be found on Githubarrow-up-right.

hashtag
Step 3. Edit Fluentd Configuration

The configuration information that is included by default can be removed if not in use. Use the Fluentd configuration below and add your aws_key_id, aws_sec_key, s3_bucket, and s3_region information.

Fluentd and td-agent will attempt to run services on conflicting ports. If this is a new installation you will need to change the ports in the configuration file or remove the default configuration from the file.

hashtag
Step 4. Point Fluentd to Configuration File and Validate

hashtag
Step 5. Verify Logging

After a few minutes have passed, verify that events are being logged to the S3 bucket. Logs should be showing up under the macos/ prefix within the bucket.

hashtag
Panther Console

hashtag
Step 1. Create a Custom Schema

Go to Configure > Schemas. Click +New Schema then enter the values below into the schema fields:

Name: Custom.MacOSSystemLogs Description: MacOS System Logs for Application, Security, System

hashtag
Step 2. Onboard the S3 bucket

Follow the S3 source onboarding documentation and use the S3 Bucket used in the previous setup.

Select the log type Custom.MacOSSystemLogs and prefix macos/ in the onboarding steps. After completing the bucket onboarding, data should now be flowing into Panther!

PreviousGeneral log forwarding via FluentdNextSyslog to S3 via Fluentd

Last updated

Was this helpful?