This parser uses grok patterns to extract fields from Apple macOS syslog messages and populates the Unified Data Model (UDM) with the extracted values, including the timestamp, hostname, intermediary host, command line, process ID, and description. The parser categorizes the event as STATUS_UPDATE if a hostname is present; otherwise, it assigns the category GENERIC_EVENT to the event. Finally, the parser enriches the UDM event with vendor and product information.
Before you begin
Ensure that you have a Google Security Operations instance.
Ensure that you have root access to the Auditd host.
Ensure that you installed rsyslog on the Auditd host.
Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.
If running behind a proxy, ensure firewall ports are open.
Get Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings>Collection Agent.
Download the Ingestion Authentication File.
Get Google SecOps customer ID
Sign in to the Google SecOps console.
Go to SIEM Settings>Profile.
Copy and save the Customer ID from the Organization Details section.
Install Bindplane Agent
For Windows installation, run the following script: msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet.
For Linux installation, run the following script: sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh.
Additional installation options can be found in this installation guide.
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
Access the machine where Bindplane Agent is installed.
Edit the config.yaml file as follows:
receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: auditd
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
Restart Bindplane Agent to apply the changes using the following command:
sudo systemctl bindplane restart
Exporting Syslog from macOS
Install syslog-ng using Homebrew:
brewinstallsyslog-ng
Configure syslog-ng:
Edit syslog-ng.conf file (usually located at /usr/local/etc/syslog-ng/syslog-ng.conf):
sudovi/usr/local/etc/syslog-ng/syslog-ng.conf
Add the following configuration block.
Depending on the Bindplane configuration, you can change the delivery method to tcp or leave it as udp.
Replace <BindPlaneAgent_IP> and <BindPlaneAgent_Port> with the actual IP address and port of your Bindplane Agent:
Check the status of syslog-ng (you should see syslog-ng listed as started):
brewserviceslist
UDM Mapping Table
Log Field
UDM Mapping
Logic
data
read_only_udm.metadata.description
The value of the description field is extracted from the data field in the raw log using a grok pattern.
data
read_only_udm.principal.hostname
The hostname is extracted from the data field using a grok pattern.
data
read_only_udm.intermediary.hostname
The intermediary hostname is extracted from the data field using a grok pattern.
data
read_only_udm.principal.process.command_line
The process command line is extracted from the data field using a grok pattern.
data
read_only_udm.principal.process.pid
The process ID is extracted from the data field using a grok pattern.
data
read_only_udm.metadata.event_timestamp
The event timestamp is extracted from the data field using a grok pattern and converted to a timestamp object. Hardcoded to "MacOS" in the parser. Hardcoded to "Apple" in the parser. Set to "STATUS_UPDATE" if a hostname is extracted from the logs, otherwise set to "GENERIC_EVENT".
log_type
read_only_udm.metadata.log_type
Directly mapped from the log_type field of the raw log.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide details how to collect Apple macOS syslog data for Google SecOps, utilizing a parser that extracts key information like timestamp, hostname, and process details.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves using Bindplane Agent to ingest syslog data, which requires configuration of \u003ccode\u003econfig.yaml\u003c/code\u003e to specify the receiver port, customer ID, and credential details, and then restarting it.\u003c/p\u003e\n"],["\u003cp\u003eSyslog-ng needs to be installed and configured on macOS to export syslog data, which is done through editing the \u003ccode\u003esyslog-ng.conf\u003c/code\u003e file to route logs to the Bindplane Agent's IP and port.\u003c/p\u003e\n"],["\u003cp\u003eThe parser uses grok patterns to map extracted data from macOS syslog messages into the Unified Data Model (UDM), categorizing events as either \u003ccode\u003eSTATUS_UPDATE\u003c/code\u003e or \u003ccode\u003eGENERIC_EVENT\u003c/code\u003e based on the presence of a hostname.\u003c/p\u003e\n"],["\u003cp\u003ePrerequisites include having a Google Security Operations instance, root access to the Auditd host, and proper installation of rsyslog and Bindplane Agent, in addition to having the corresponding firewall ports open.\u003c/p\u003e\n"]]],[],null,["# Collect Apple macOS syslog data\n===============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser uses grok patterns to extract fields from Apple macOS syslog messages and populates the Unified Data Model (UDM) with the extracted values, including the timestamp, hostname, intermediary host, command line, process ID, and description. The parser categorizes the event as `STATUS_UPDATE` if a hostname is present; otherwise, it assigns the category `GENERIC_EVENT` to the event. Finally, the parser enriches the UDM event with vendor and product information.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you have root access to the Auditd host.\n- Ensure that you installed rsyslog on the Auditd host.\n- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Collection Agent**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`.\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`.\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane Agent is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: auditd\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart Bindplane Agent to apply the changes using the following command:\n `sudo systemctl bindplane restart`\n\nExporting Syslog from macOS\n---------------------------\n\n1. Install `syslog-ng` using Homebrew:\n\n brew install syslog-ng\n\n2. Configure syslog-ng:\n\n - Edit `syslog-ng.conf` file (usually located at `/usr/local/etc/syslog-ng/syslog-ng.conf`):\n\n sudo vi /usr/local/etc/syslog-ng/syslog-ng.conf\n\n - Add the following configuration block.\n - Depending on the Bindplane configuration, you can change the delivery method to `tcp` or leave it as `udp`.\n - Replace `\u003cBindPlaneAgent_IP\u003e` and `\u003cBindPlaneAgent_Port\u003e` with the actual IP address and port of your Bindplane Agent:\n\n source s_local { system(); internal(); };\n destination d_secops { tcp(\"\u003cBindPlaneAgent_IP\u003e:\u003cBindPlaneAgent_Port\u003e\"); };\n log { source(s_local); destination(d_secops); };\n\n3. Restart the `syslog-ng` service:\n\n brew services restart syslog-ng\n\n4. Check the status of `syslog-ng` (you should see `syslog-ng` listed as started):\n\n brew services list\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
