Idea ID: 2776349

APPLE devices, MacOSX, IOS, we need support for their new Unified Logging with our smart connectors

Status : Waiting for Votes
Waiting for Votes
See status update history
over 1 year ago

Apple has gone to Unified Logging with all of their products and OS's  it's done in memory and databases with tools to read and needs access via API's.  They send little to nothing via syslog these days. They have tools to read an analyse these logs on the hosts themselves. We need ability to pull or push these logs out to our Logger/ESM .


  • We need security related events, any userid related activity that would help our Interset/Arcsight Intelligence find bad behaviour. Anything that would track abnormal activity of the user or the endpoint itself. The unified logiing is across the entire Apple platform and has lots of IOT pieces.

  • Wayne,

    Ideally authentications (logon/logoffs) and file accesses would be the first types of events that can be parsed.

  • Hi Idea Contributors,

    We are evaluating support for Apple Unified Logging and would like to ask all of you who have voted for this enhancement to help us with potentially fulfilling it. 

    One of our challenges is to better understand which events generated by these Apple devices actually should be parsed for relevant security information. This would help us evaluate the scope of what this enhancement would entail.

    We would be grateful if someone can help with determining the specific events that should be parsed.


    Wayne Dalesio

    ArcSight Product Management