Mac Audit Logs

Supported OS: Mac OS

Integration 1.0.0

Overview

Mac Audit Logs captures detailed information about system events, user actions, network and security-related activities. These logs are crucial for monitoring system integrity, identifying unauthorized access, and ensuring adherence to security policies and regulations.

This integration provides enrichment and visualization for various log types, including:

  • Authentication and Authorization events
  • Administrative activities
  • Network events
  • File Access activities
  • Input/Output Control
  • IPC (Inter-Process Communication)

This integration collects Mac audit logs and sends them to Datadog for analysis, providing visual insights through out-of-the-box dashboards and the Log Explorer. It also helps monitor and respond to security threats with ready-to-use Cloud SIEM detection rules.

Setup

Installation

To install the Mac Audit Logs integration, run the following Agent installation command and follow the steps below. For more information, see the Integration Management documentation.

For Mac, run:

sudo datadog-agent integration install datadog-mac-audit-logs==1.0.0

Configuration

Configure BSM Auditing on Mac

Note: The following steps are required for macOS 14 and later.

  1. Copy the configuration from audit_control.example to audit_control (the file is root-owned, so the copy needs sudo):

    sudo cp /etc/security/audit_control.example /etc/security/audit_control
    
  2. Update the configuration to specify the event types that should be audited. Execute the command below to audit all event types:

    sudo sed -i '' 's/^flags:.*/flags:all/' /etc/security/audit_control && \
    sudo sed -i '' 's/^naflags:.*/naflags:all/' /etc/security/audit_control
    
  3. Enable the auditd service (the system launchd domain requires root):

    sudo /bin/launchctl enable system/com.apple.auditd
    
  4. Restart the Mac.

Validation

Run the Agent’s status subcommand and look for mac_audit_logs under the Checks section.

Data Collected

Metrics

The Mac Audit Logs integration does not include any metrics.

Log Collection

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file:

    logs_enabled: true
    
  2. Configure mac_audit_logs.d/conf.yaml file to start collecting Mac audit logs.

    See the sample mac_audit_logs.d/conf.yaml for available configuration options.

    init_config:
    instances:
      - MONITOR: true
        AUDIT_LOGS_DIR_PATH: /var/audit
        min_collection_interval: 15
    logs:
      - type: integration
        service: mac-audit-logs
        source: mac-audit-logs
    

    Note:

    • Do not change the service and source values, as they are essential for proper log pipeline processing.
    • The default value of AUDIT_LOGS_DIR_PATH is /var/audit. If BSM writes audit logs to a different directory, check the dir value in /etc/security/audit_control and set AUDIT_LOGS_DIR_PATH to match.
  3. Restart the Agent.
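To confirm the outcome of the BSM auditing steps and the AUDIT_LOGS_DIR_PATH note above, here is an added shell check (not part of the Datadog integration) that parses an audit_control file, verifies that flags and naflags include the all class, and compares the dir value with the directory the Agent is configured to read; the sample file content is constructed.

```shell
#!/bin/sh
# Added check, not part of the Datadog integration. Parses a BSM
# audit_control file (key:value lines, see audit_control(5)) and verifies
# what the steps above expect: flags/naflags include the "all" class and
# dir matches the Agent's AUDIT_LOGS_DIR_PATH. Sample content is constructed.

# Print the value of KEY from FILE (first match, comment lines ignored).
audit_control_get() {
    grep -v '^#' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Succeed if the comma-separated class list contains the "all" class.
audit_flags_all() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx 'all'
}

# Succeed if dir: (default /var/audit when absent) equals AGENT_DIR.
# Plain string comparison: /var/audit and /private/var/audit are not equated.
audit_dir_matches() {
    dir=$(audit_control_get dir "$1")
    [ -z "$dir" ] && dir=/var/audit
    [ "$dir" = "$2" ]
}

# Report each mismatch; exit status is the number of problems (0 = ok).
check_audit_control() {
    file="$1"; agent_dir="$2"; problems=0
    flags=$(audit_control_get flags "$file")
    naflags=$(audit_control_get naflags "$file")
    audit_flags_all "$flags" ||
        { echo "flags:$flags does not include all"; problems=$((problems + 1)); }
    audit_flags_all "$naflags" ||
        { echo "naflags:$naflags does not include all"; problems=$((problems + 1)); }
    audit_dir_matches "$file" "$agent_dir" ||
        { echo "dir differs from AUDIT_LOGS_DIR_PATH $agent_dir"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample resembling an audit_control file before step 2 was applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
EOF
if check_audit_control "$sample" /var/audit; then echo ok; else echo "problems found"; fi
rm -f "$sample"
```

Run it against /etc/security/audit_control and the AUDIT_LOGS_DIR_PATH from mac_audit_logs.d/conf.yaml after the reboot; a non-zero exit status lists what still differs.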

Events

The Mac Audit Logs integration does not include any events.

Troubleshooting

Need help? Contact Datadog support.