Collecting Mac OS log files
You want to get log data from a Darwin (Mac OS X) device into an observability platform.
Solution
In order to monitor logs on the Darwin (Mac OS X) system, you can use a local copy of Splunk Enterprise or an OpenTelemetry Collector to forward logs and metrics to Splunk Observability Cloud and the Splunk platform. What logs you need to monitor depends on the applications, asset management, vpn, and security services. The following are some examples:
- System Application Logs:
- /Library/Logs
- Analytics:
- /var/log/DiagnosticMessages
- Reports:
- /Library/Logs/DiagnosticReports
- Jamf:
- /var/log/jamf.log
- CrashPlan:
- /Library/Logs/CrashPlan/service.log.0
- System Logs:
- /var/log/system.log
- /var/log/*
Splunk Enterprise
If you are running a local instance of the Splunk platform on your system, these files can be monitored by adding a file and directory input.
Splunk Observability Cloud
You can also collect log and host metrics with the OpenTelemetry Collector using the filelog receiver exporting logs to a Splunk HEC endpoint. The following is an example of a file log receiver yaml configuration:
receivers: filelog: include: [ /var/log/system.log ] start_at: beginning exporters: # Logs splunk_hec/logs: token: "${SPLUNK_HEC_TOKEN}" endpoint: "${SPLUNK_HEC_URL}" index: "logs" max_connections: 20 processors: batch: memory_limiter: check_interval: 2s limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB} # Add optional environment metadata to logs and traces. resource/add_environment: attributes: - action: insert value: HW.Laptop key: deployment.environment service: logs: receivers: [fluentforward, otlp, filelog] processors: - memory_limiter - batch - resource/add_environment exporters: [splunk_hec/logs]
Validation
After you have your logs configured to export to your Splunk instance, navigate to search, and check the index the logs were sent to.
Troubleshooting
If you receive a 401: Unauthorized error, make sure you have the environment variables set for SPLUNK_HEC_TOKEN and the SPLUNK_HEC_URL endpoint. In the example error below, the SPLUNK_HEC_URL was not set and the export of the logs failed. You need to stop the Collector and restart it with the environment variables set.
2023-06-29T08:15:34.473-0700 error exporterhelper/queued_retry.go:401 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "logs", "name": "splunk_hec/logs", "error": "Permanent error: \"HTTP/2.0 401 Unauthorized\\r\\nContent-Length: 0\\r\\nDate: Thu, 29 Jun 2023 15:15:34 GMT\\r\\nServer: istio-envoy\\r\\nWww-Authenticate: Basic realm=\\\"Splunk\\\"\\r\\nX-Envoy-Upstream-Service-Time: 3\\r\\n\\r\\n\"", "dropped_items": 1} go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send
This example command shows how to start the OpenTelemetry Collector from the /etc/otel/collector/ directory. This includes the environment variables used in the example agent_yaml config.
SPLUNK_HEC_URL=https://splunk:8088/services/collector SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-0000000000000 SPLUNK_API_TOKEN=c2lnbmFsZnh0b2tlbgo=== SPLUNK_ACCESS_TOKEN=c2lnbmFsZnh0b2tlbgo=== SPLUNK_API_URL=https://api.us0.signalfx.com SPLUNK_INGEST_URL=https://ingest.us0.signalfx.com/ SPLUNK_TRACE_URL=https://ingest.us0.signalfx.com/v2/trace SPLUNK_COLLECTD_DIR=/usr/local/opt/collectd SPLUNK_REALM=us0 ./otelcol --config=/etc/otel/collector/agent_config.yaml
Resources
- Apple Docs: Find text in log messages and reports in Console on Mac
- Apple Docs: Find log messages and activities in Console on Mac
- Blog: Best practices for MacOS logging & monitoring
- GitHub: otel-collector-config.yml
- GitHub: filelogreceiver
- GitHub: otel-collector-config.yml - An example yaml with a file log receiver and multiple Splunk source types
Example agent_config.yaml - Host metrics and logs
This example configuration is set up to send data to both Splunk Observability Cloud using the host metrics receiver and logs to Splunk Enterprise using the file log receiver.
# If the collector is installed without the Linux/Windows installer script, the following # environment variables are required to be manually defined or configured below: # - SPLUNK_ACCESS_TOKEN: The Splunk access token to authenticate requests # - SPLUNK_API_URL: The Splunk API URL, e.g. https://api.us0.signalfx.com # - SPLUNK_BUNDLE_DIR: The path to the Smart Agent bundle, e.g. /usr/lib/splunk-otel-collector/agent-bundle # - SPLUNK_COLLECTD_DIR: The path to the collectd config directory for the Smart Agent, e.g. /usr/lib/splunk-otel-collector/agent-bundle/run/collectd # - SPLUNK_HEC_TOKEN: The Splunk HEC authentication token # - SPLUNK_HEC_URL: The Splunk HEC endpoint URL, e.g. https://ingest.us0.signalfx.com/v1/log # - SPLUNK_INGEST_URL: The Splunk ingest URL, e.g. https://ingest.us0.signalfx.com # - SPLUNK_TRACE_URL: The Splunk trace endpoint URL, e.g. https://ingest.us0.signalfx.com/v2/trace extensions: health_check: endpoint: 0.0.0.0:13133 http_forwarder: ingress: endpoint: 0.0.0.0:6060 egress: endpoint: "${SPLUNK_API_URL}" # Use instead when sending to gateway #endpoint: "${SPLUNK_GATEWAY_URL}" smartagent: bundleDir: "${SPLUNK_BUNDLE_DIR}" collectd: configDir: "${SPLUNK_COLLECTD_DIR}" zpages: #endpoint: 0.0.0.0:55679 memory_ballast: # In general, the ballast should be set to 1/3 of the collector's memory, the limit # should be 90% of the collector's memory. # The simplest way to specify the ballast size is set the value of SPLUNK_BALLAST_SIZE_MIB env variable. size_mib: ${SPLUNK_BALLAST_SIZE_MIB} receivers: filelog: include: [ /var/log/system.log ] start_at: beginning fluentforward: endpoint: 127.0.0.1:8006 hostmetrics: collection_interval: 10s scrapers: cpu: disk: filesystem: memory: network: # System load average metrics https://en.wikipedia.org/wiki/Load_(computing) load: # Paging/Swap space utilization and I/O metrics paging: # Aggregated system process count metrics processes: # System processes metrics, disabled by default # process: jaeger: protocols: grpc: endpoint: 0.0.0.0:14250 thrift_binary: endpoint: 0.0.0.0:6832 thrift_compact: endpoint: 0.0.0.0:6831 thrift_http: endpoint: 0.0.0.0:14268 otlp: protocols: grpc: endpoint: 0.0.0.0:4317 http: endpoint: 0.0.0.0:4318 # This section is used to collect the OpenTelemetry Collector metrics # Even if just a Splunk APM customer, these metrics are included prometheus/internal: config: scrape_configs: - job_name: 'otel-collector' scrape_interval: 10s static_configs: - targets: ['0.0.0.0:8888'] metric_relabel_configs: - source_labels: [ __name__ ] regex: '.*grpc_io.*' action: drop smartagent/signalfx-forwarder: type: signalfx-forwarder listenAddress: 0.0.0.0:9080 smartagent/processlist: type: processlist signalfx: endpoint: 0.0.0.0:9943 # Whether to preserve incoming access token and use instead of exporter token #default = false access_token_passthrough: true zipkin: endpoint: 0.0.0.0:9411 processors: batch: # Enabling the memory_limiter is strongly recommended for every pipeline. # Configuration is based on the amount of memory allocated to the collector. # For more information about memory limiter, see # https://github.com/open-telemetry/opentelemetry-collector/blob/main/processor/memorylimiter/README.md memory_limiter: check_interval: 2s limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB} # Detect if the collector is running on a cloud system, which is important for creating unique cloud provider dimensions. # Detector order is important: the `system` detector goes last so it can't preclude cloud detectors from setting host/os info. # Resource detection processor is configured to override all host and cloud attributes because instrumentation # libraries can send wrong values from container environments. # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/resourcedetectionprocessor#ordering resourcedetection: detectors: [system] override: true # Optional: The following processor can be used to add a default "deployment.environment" attribute to the logs and # traces when it's not populated by instrumentation libraries. # If enabled, make sure to enable this processor in the pipeline below. resource/add_environment: attributes: - action: insert value: HW.Laptop key: deployment.environment exporters: # Traces sapm: access_token: "${SPLUNK_ACCESS_TOKEN}" endpoint: "${SPLUNK_TRACE_URL}" # Metrics + Events signalfx: access_token: "${SPLUNK_ACCESS_TOKEN}" api_url: "${SPLUNK_API_URL}" ingest_url: "${SPLUNK_INGEST_URL}" # Use instead when sending to gateway #api_url: http://${SPLUNK_GATEWAY_URL}:6060 #ingest_url: http://${SPLUNK_GATEWAY_URL}:9943 sync_host_metadata: true correlation: # Logs splunk_hec/logs: token: "${SPLUNK_HEC_TOKEN}" endpoint: "${SPLUNK_HEC_URL}" index: "logs" max_connections: 20 # tls: # insecure_skip_verify, default: false # If using a self-signed certificate on the Splunk instance this flag is set to true. # insecure_skip_verify: true # Send to gateway # otlp: # endpoint: "${SPLUNK_GATEWAY_URL}:4317" # tls: # insecure: true # Debug logging: loglevel: debug service: extensions: [health_check, http_forwarder, zpages, memory_ballast, smartagent] pipelines: traces: receivers: [jaeger, otlp, smartagent/signalfx-forwarder, zipkin] processors: - memory_limiter - batch - resourcedetection - resource/add_environment exporters: [sapm, signalfx] # Use instead when sending to gateway #exporters: [otlp, signalfx] metrics: receivers: [hostmetrics, otlp, signalfx, smartagent/signalfx-forwarder] processors: [memory_limiter, batch, resourcedetection] exporters: [signalfx] # Use instead when sending to gateway #exporters: [otlp] metrics/internal: receivers: [prometheus/internal] processors: [memory_limiter, batch, resourcedetection] # When sending to gateway, at least one metrics pipeline needs # to use signalfx exporter so host metadata gets emitted exporters: [signalfx] # Use instead when sending to gateway #exporters: [otlp] logs: receivers: [fluentforward, otlp, filelog] processors: - memory_limiter - batch - resourcedetection - resource/add_environment exporters: [splunk_hec/logs] # # Use instead when sending to gateway # #exporters: [otlp]