Collecting Mac OS log files
You want to get log data from a Darwin (Mac OS X) device into an observability platform.
How to use Splunk software for this use case
In order to monitor logs on the Darwin (Mac OS X) system, you can use a local copy of Splunk Enterprise or an OpenTelemetry Collector to forward logs and metrics to Splunk Observability Cloud and the Splunk platform. What logs you need to monitor depends on the applications, asset management, vpn, and security services. The following are some examples:
- System Application Logs:
- /Library/Logs
- Analytics:
- /var/log/DiagnosticMessages
- Reports:
- /Library/Logs/DiagnosticReports
- Jamf:
- /var/log/jamf.log
- CrashPlan:
- /Library/Logs/CrashPlan/service.log.0
- System Logs:
- /var/log/system.log
- /var/log/*
Splunk Enterprise
If you are running a local instance of the Splunk platform on your system, these files can be monitored by adding a file and directory input.
Splunk Observability Cloud
You can also collect log and host metrics with the OpenTelemetry Collector using the filelog receiver exporting logs to a Splunk HEC endpoint. The following is an example of a file log receiver yaml configuration:
receivers:
filelog:
include: [ /var/log/system.log ]
start_at: beginning
exporters:
# Logs
splunk_hec/logs:
token: "${SPLUNK_HEC_TOKEN}"
endpoint: "${SPLUNK_HEC_URL}"
index: "logs"
max_connections: 20
processors:
batch:
memory_limiter:
check_interval: 2s
limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB}
# Add optional environment metadata to logs and traces.
resource/add_environment:
attributes:
- action: insert
value: HW.Laptop
key: deployment.environment
service:
logs:
receivers: [fluentforward, otlp, filelog]
processors:
- memory_limiter
- batch
- resource/add_environment
exporters: [splunk_hec/logs]
Validation
After you have your logs configured to export to your Splunk instance, navigate to search, and check the index the logs were sent to.
Troubleshooting
If you receive a 401: Unauthorized error, make sure you have the environment variables set for SPLUNK_HEC_TOKEN and the SPLUNK_HEC_URL endpoint. In the example error below, the SPLUNK_HEC_URL was not set and the export of the logs failed. You need to stop the Collector and restart it with the environment variables set.
2023-06-29T08:15:34.473-0700 error exporterhelper/queued_retry.go:401 Exporting failed. The error is not retryable. Dropping data.
{"kind": "exporter", "data_type": "logs", "name": "splunk_hec/logs", "error": "Permanent error: \"HTTP/2.0 401 Unauthorized\\r\\nContent-Length: 0\\r\\nDate: Thu, 29 Jun 2023 15:15:34 GMT\\r\\nServer: istio-envoy\\r\\nWww-Authenticate: Basic realm=\\\"Splunk\\\"\\r\\nX-Envoy-Upstream-Service-Time: 3\\r\\n\\r\\n\"", "dropped_items": 1}
go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send
This example command shows how to start the OpenTelemetry Collector from the /etc/otel/collector/ directory. This includes the environment variables used in the example agent_yaml config.
SPLUNK_HEC_URL=https://splunk:8088/services/collector SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-0000000000000 SPLUNK_API_TOKEN=c2lnbmFsZnh0b2tlbgo=== SPLUNK_ACCESS_TOKEN=c2lnbmFsZnh0b2tlbgo=== SPLUNK_API_URL=https://api.us0.signalfx.com SPLUNK_INGEST_URL=https://ingest.us0.signalfx.com/ SPLUNK_TRACE_URL=https://ingest.us0.signalfx.com/v2/trace SPLUNK_COLLECTD_DIR=/usr/local/opt/collectd SPLUNK_REALM=us0 ./otelcol --config=/etc/otel/collector/agent_config.yaml
Additional resources
- Apple Docs: Find text in log messages and reports in Console on Mac
- Apple Docs: Find log messages and activities in Console on Mac
- Blog: Best practices for MacOS logging & monitoring
- Splunk GitHub: otel-collector-config.yml
- Splunk GitHub: filelogreceiver
- Splunk GitHub: otel-collector-config.yml - An example yaml with a file log receiver and multiple Splunk source types
Example agent_config.yaml - Host metrics and logs
This example configuration is set up to send data to both Splunk Observability Cloud using the host metrics receiver and logs to Splunk Enterprise using the file log receiver.
# If the collector is installed without the Linux/Windows installer script, the following
# environment variables are required to be manually defined or configured below:
# - SPLUNK_ACCESS_TOKEN: The Splunk access token to authenticate requests
# - SPLUNK_API_URL: The Splunk API URL, e.g. https://api.us0.signalfx.com
# - SPLUNK_BUNDLE_DIR: The path to the Smart Agent bundle, e.g. /usr/lib/splunk-otel-collector/agent-bundle
# - SPLUNK_COLLECTD_DIR: The path to the collectd config directory for the Smart Agent, e.g. /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
# - SPLUNK_HEC_TOKEN: The Splunk HEC authentication token
# - SPLUNK_HEC_URL: The Splunk HEC endpoint URL, e.g. https://ingest.us0.signalfx.com/v1/log
# - SPLUNK_INGEST_URL: The Splunk ingest URL, e.g. https://ingest.us0.signalfx.com
# - SPLUNK_TRACE_URL: The Splunk trace endpoint URL, e.g. https://ingest.us0.signalfx.com/v2/trace
extensions:
health_check:
endpoint: 0.0.0.0:13133
http_forwarder:
ingress:
endpoint: 0.0.0.0:6060
egress:
endpoint: "${SPLUNK_API_URL}"
# Use instead when sending to gateway
#endpoint: "${SPLUNK_GATEWAY_URL}"
smartagent:
bundleDir: "${SPLUNK_BUNDLE_DIR}"
collectd:
configDir: "${SPLUNK_COLLECTD_DIR}"
zpages:
#endpoint: 0.0.0.0:55679
memory_ballast:
# In general, the ballast should be set to 1/3 of the collector's memory, the limit
# should be 90% of the collector's memory.
# The simplest way to specify the ballast size is set the value of SPLUNK_BALLAST_SIZE_MIB env variable.
size_mib: ${SPLUNK_BALLAST_SIZE_MIB}
receivers:
filelog:
include: [ /var/log/system.log ]
start_at: beginning
fluentforward:
endpoint: 127.0.0.1:8006
hostmetrics:
collection_interval: 10s
scrapers:
cpu:
disk:
filesystem:
memory:
network:
# System load average metrics https://en.wikipedia.org/wiki/Load_(computing)
load:
# Paging/Swap space utilization and I/O metrics
paging:
# Aggregated system process count metrics
processes:
# System processes metrics, disabled by default
# process:
jaeger:
protocols:
grpc:
endpoint: 0.0.0.0:14250
thrift_binary:
endpoint: 0.0.0.0:6832
thrift_compact:
endpoint: 0.0.0.0:6831
thrift_http:
endpoint: 0.0.0.0:14268
otlp:
protocols:
grpc:
endpoint: 0.0.0.0:4317
http:
endpoint: 0.0.0.0:4318
# This section is used to collect the OpenTelemetry Collector metrics
# Even if just a Splunk APM customer, these metrics are included
prometheus/internal:
config:
scrape_configs:
- job_name: 'otel-collector'
scrape_interval: 10s
static_configs:
- targets: ['0.0.0.0:8888']
metric_relabel_configs:
- source_labels: [ __name__ ]
regex: '.*grpc_io.*'
action: drop
smartagent/signalfx-forwarder:
type: signalfx-forwarder
listenAddress: 0.0.0.0:9080
smartagent/processlist:
type: processlist
signalfx:
endpoint: 0.0.0.0:9943
# Whether to preserve incoming access token and use instead of exporter token
#default = false
access_token_passthrough: true
zipkin:
endpoint: 0.0.0.0:9411
processors:
batch:
# Enabling the memory_limiter is strongly recommended for every pipeline.
# Configuration is based on the amount of memory allocated to the collector.
# For more information about memory limiter, see
# https://github.com/open-telemetry/opentelemetry-collector/blob/main/processor/memorylimiter/README.md
memory_limiter:
check_interval: 2s
limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB}
# Detect if the collector is running on a cloud system, which is important for creating unique cloud provider dimensions.
# Detector order is important: the `system` detector goes last so it can't preclude cloud detectors from setting host/os info.
# Resource detection processor is configured to override all host and cloud attributes because instrumentation
# libraries can send wrong values from container environments.
# https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/resourcedetectionprocessor#ordering
resourcedetection:
detectors: [system]
override: true
# Optional: The following processor can be used to add a default "deployment.environment" attribute to the logs and
# traces when it's not populated by instrumentation libraries.
# If enabled, make sure to enable this processor in the pipeline below.
resource/add_environment:
attributes:
- action: insert
value: HW.Laptop
key: deployment.environment
exporters:
# Traces
sapm:
access_token: "${SPLUNK_ACCESS_TOKEN}"
endpoint: "${SPLUNK_TRACE_URL}"
# Metrics + Events
signalfx:
access_token: "${SPLUNK_ACCESS_TOKEN}"
api_url: "${SPLUNK_API_URL}"
ingest_url: "${SPLUNK_INGEST_URL}"
# Use instead when sending to gateway
#api_url: http://${SPLUNK_GATEWAY_URL}:6060
#ingest_url: http://${SPLUNK_GATEWAY_URL}:9943
sync_host_metadata: true
correlation:
# Logs
splunk_hec/logs:
token: "${SPLUNK_HEC_TOKEN}"
endpoint: "${SPLUNK_HEC_URL}"
index: "logs"
max_connections: 20
# tls:
# insecure_skip_verify, default: false
# If using a self-signed certificate on the Splunk instance this flag is set to true.
# insecure_skip_verify: true
# Send to gateway
# otlp:
# endpoint: "${SPLUNK_GATEWAY_URL}:4317"
# tls:
# insecure: true
# Debug
logging:
loglevel: debug
service:
extensions: [health_check, http_forwarder, zpages, memory_ballast, smartagent]
pipelines:
traces:
receivers: [jaeger, otlp, smartagent/signalfx-forwarder, zipkin]
processors:
- memory_limiter
- batch
- resourcedetection
- resource/add_environment
exporters: [sapm, signalfx]
# Use instead when sending to gateway
#exporters: [otlp, signalfx]
metrics:
receivers: [hostmetrics, otlp, signalfx, smartagent/signalfx-forwarder]
processors: [memory_limiter, batch, resourcedetection]
exporters: [signalfx]
# Use instead when sending to gateway
#exporters: [otlp]
metrics/internal:
receivers: [prometheus/internal]
processors: [memory_limiter, batch, resourcedetection]
# When sending to gateway, at least one metrics pipeline needs
# to use signalfx exporter so host metadata gets emitted
exporters: [signalfx]
# Use instead when sending to gateway
#exporters: [otlp]
logs:
receivers: [fluentforward, otlp, filelog]
processors:
- memory_limiter
- batch
- resourcedetection
- resource/add_environment
exporters: [splunk_hec/logs]
# # Use instead when sending to gateway
# #exporters: [otlp]