Skip to main content
Skip table of contents

No Mac logs being received

Log retrieval with the Mac ULS logging system has been officially supported since version 4.3.0 of Wazuh. If your mac logs are not appearing in event search it is necessary to check that the following config block is in your Mac wazuh client configuration.

CODE 
<localfile>
  <location>macos</location>
  <log_format>macos</log_format>
  <query type="trace,log,activity" level="info">(process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")</query>
</localfile>

Once this has been added to the agent configuration, you must restart the agent for the collection to begin.

Reference: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/configuration.html#macos

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close