Skip to main content
 
 
Splunk Lantern

Collecting Mac OS log files

 

You want to get log data from a Darwin (Mac OS X) device into an observability platform.

Solution

In order to monitor logs on the Darwin (Mac OS X) system, you can use a local copy of Splunk Enterprise or an OpenTelemetry Collector to forward logs and metrics to Splunk Observability Cloud and the Splunk platform. What logs you need to monitor depends on the applications, asset management, vpn, and security services. The following are some examples:

  • System Application Logs:
    • /Library/Logs
  • Analytics:
    • /var/log/DiagnosticMessages
  • Reports:
    • /Library/Logs/DiagnosticReports
  • Jamf:
    • /var/log/jamf.log
  • CrashPlan:
    • /Library/Logs/CrashPlan/service.log.0
  • System Logs:
    • /var/log/system.log
    • /var/log/*

Splunk Enterprise

If you are running a local instance of the Splunk platform on your system, these files can be monitored by adding a file and directory input.

Splunk Observability Cloud

You can also collect log and host metrics with the OpenTelemetry Collector using the filelog receiver exporting logs to a Splunk HEC endpoint. The following is an example of a file log receiver yaml configuration:

receivers:
  filelog:
    include: [ /var/log/system.log ]
    start_at: beginning

exporters:
 # Logs
  splunk_hec/logs:
    token: "${SPLUNK_HEC_TOKEN}"
    endpoint: "${SPLUNK_HEC_URL}"
    index: "logs"
    max_connections: 20

processors:
  batch:
  memory_limiter:
    check_interval: 2s
    limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB}
# Add optional environment metadata to logs and traces.
  resource/add_environment:
    attributes:
      - action: insert
        value: HW.Laptop
        key: deployment.environment

service:
  logs:
    receivers: [fluentforward, otlp, filelog]
    processors:
    - memory_limiter
    - batch
    - resource/add_environment
    exporters: [splunk_hec/logs]

Validation

After you have your logs configured to export to your Splunk instance, navigate to search, and check the index the logs were sent to.

Troubleshooting

If you receive a 401: Unauthorized error, make sure you have the environment variables set for SPLUNK_HEC_TOKEN and the SPLUNK_HEC_URL endpoint. In the example error below, the SPLUNK_HEC_URL was not set and the export of the logs failed. You need to stop the Collector and restart it with the environment variables set.

        2023-06-29T08:15:34.473-0700 error exporterhelper/queued_retry.go:401 Exporting failed. The error is not retryable. Dropping data. 
{"kind": "exporter", "data_type": "logs", "name": "splunk_hec/logs", "error": "Permanent error: \"HTTP/2.0 401 Unauthorized\\r\\nContent-Length: 0\\r\\nDate: Thu, 29 Jun 2023 15:15:34 GMT\\r\\nServer: istio-envoy\\r\\nWww-Authenticate: Basic realm=\\\"Splunk\\\"\\r\\nX-Envoy-Upstream-Service-Time: 3\\r\\n\\r\\n\"", "dropped_items": 1}
go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send

This example command shows how to start the OpenTelemetry Collector from the /etc/otel/collector/ directory. This includes the environment variables used in the example agent_yaml config.

SPLUNK_HEC_URL=https://splunk:8088/services/collector
SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-0000000000000
SPLUNK_API_TOKEN=c2lnbmFsZnh0b2tlbgo===
SPLUNK_ACCESS_TOKEN=c2lnbmFsZnh0b2tlbgo===
SPLUNK_API_URL=https://api.us0.signalfx.com
SPLUNK_INGEST_URL=https://ingest.us0.signalfx.com/
SPLUNK_TRACE_URL=https://ingest.us0.signalfx.com/v2/trace
SPLUNK_COLLECTD_DIR=/usr/local/opt/collectd
SPLUNK_REALM=us0 ./otelcol --config=/etc/otel/collector/agent_config.yaml

Resources

Example agent_config.yaml - Host metrics and logs

This example configuration is set up to send data to both Splunk Observability Cloud using the host metrics receiver and logs to Splunk Enterprise using the file log receiver.

# If the collector is installed without the Linux/Windows installer script, the following
# environment variables are required to be manually defined or configured below:
# - SPLUNK_ACCESS_TOKEN: The Splunk access token to authenticate requests
# - SPLUNK_API_URL: The Splunk API URL, e.g. https://api.us0.signalfx.com
# - SPLUNK_BUNDLE_DIR: The path to the Smart Agent bundle, e.g. /usr/lib/splunk-otel-collector/agent-bundle
# - SPLUNK_COLLECTD_DIR: The path to the collectd config directory for the Smart Agent, e.g. /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
# - SPLUNK_HEC_TOKEN: The Splunk HEC authentication token
# - SPLUNK_HEC_URL: The Splunk HEC endpoint URL, e.g. https://ingest.us0.signalfx.com/v1/log
# - SPLUNK_INGEST_URL: The Splunk ingest URL, e.g. https://ingest.us0.signalfx.com
# - SPLUNK_TRACE_URL: The Splunk trace endpoint URL, e.g. https://ingest.us0.signalfx.com/v2/trace

extensions:
  health_check:
    endpoint: 0.0.0.0:13133
  http_forwarder:
    ingress:
      endpoint: 0.0.0.0:6060
    egress:
      endpoint: "${SPLUNK_API_URL}"
      # Use instead when sending to gateway
      #endpoint: "${SPLUNK_GATEWAY_URL}"
  smartagent:
    bundleDir: "${SPLUNK_BUNDLE_DIR}"
    collectd:
      configDir: "${SPLUNK_COLLECTD_DIR}"
  zpages:
    #endpoint: 0.0.0.0:55679
  memory_ballast:
    # In general, the ballast should be set to 1/3 of the collector's memory, the limit
    # should be 90% of the collector's memory.
    # The simplest way to specify the ballast size is set the value of SPLUNK_BALLAST_SIZE_MIB env variable.
    size_mib: ${SPLUNK_BALLAST_SIZE_MIB}

receivers:
  filelog:
    include: [ /var/log/system.log ]
    start_at: beginning
  fluentforward:
    endpoint: 127.0.0.1:8006
  hostmetrics:
    collection_interval: 10s
    scrapers:
      cpu:
      disk:
      filesystem:
      memory:
      network:
      # System load average metrics https://en.wikipedia.org/wiki/Load_(computing)
      load:
      # Paging/Swap space utilization and I/O metrics
      paging:
      # Aggregated system process count metrics
      processes:
      # System processes metrics, disabled by default
      # process:
  jaeger:
    protocols:
      grpc:
        endpoint: 0.0.0.0:14250
      thrift_binary:
        endpoint: 0.0.0.0:6832
      thrift_compact:
        endpoint: 0.0.0.0:6831
      thrift_http:
        endpoint: 0.0.0.0:14268
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317
      http:
        endpoint: 0.0.0.0:4318
  # This section is used to collect the OpenTelemetry Collector metrics
  # Even if just a Splunk APM customer, these metrics are included
  prometheus/internal:
    config:
      scrape_configs:
      - job_name: 'otel-collector'
        scrape_interval: 10s
        static_configs:
        - targets: ['0.0.0.0:8888']
        metric_relabel_configs:
          - source_labels: [ __name__ ]
            regex: '.*grpc_io.*'
            action: drop
  smartagent/signalfx-forwarder:
    type: signalfx-forwarder
    listenAddress: 0.0.0.0:9080
  smartagent/processlist:
    type: processlist
  signalfx:
    endpoint: 0.0.0.0:9943
    # Whether to preserve incoming access token and use instead of exporter token
    #default = false
    access_token_passthrough: true
  zipkin:
    endpoint: 0.0.0.0:9411

processors:
  batch:
  # Enabling the memory_limiter is strongly recommended for every pipeline.
  # Configuration is based on the amount of memory allocated to the collector.
  # For more information about memory limiter, see
  # https://github.com/open-telemetry/opentelemetry-collector/blob/main/processor/memorylimiter/README.md
  memory_limiter:
    check_interval: 2s
    limit_mib: ${SPLUNK_MEMORY_LIMIT_MIB}

 # Detect if the collector is running on a cloud system, which is important for creating unique cloud provider dimensions.
  # Detector order is important: the `system` detector goes last so it can't preclude cloud detectors from setting host/os info.
  # Resource detection processor is configured to override all host and cloud attributes because instrumentation
  # libraries can send wrong values from container environments.
  # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/processor/resourcedetectionprocessor#ordering
  resourcedetection:
    detectors: [system]
    override: true

  # Optional: The following processor can be used to add a default "deployment.environment" attribute to the logs and 
  # traces when it's not populated by instrumentation libraries.
  # If enabled, make sure to enable this processor in the pipeline below.
  resource/add_environment:
    attributes:
      - action: insert
        value: HW.Laptop
        key: deployment.environment

exporters:
  # Traces
  sapm:
    access_token: "${SPLUNK_ACCESS_TOKEN}"
    endpoint: "${SPLUNK_TRACE_URL}"
  # Metrics + Events
  signalfx:
    access_token: "${SPLUNK_ACCESS_TOKEN}"
    api_url: "${SPLUNK_API_URL}"
    ingest_url: "${SPLUNK_INGEST_URL}"
    # Use instead when sending to gateway
    #api_url: http://${SPLUNK_GATEWAY_URL}:6060
    #ingest_url: http://${SPLUNK_GATEWAY_URL}:9943
    sync_host_metadata: true
    correlation:
  # Logs
  splunk_hec/logs:
    token: "${SPLUNK_HEC_TOKEN}"
    endpoint: "${SPLUNK_HEC_URL}"
    index: "logs"
    max_connections: 20
    # tls:
        # insecure_skip_verify, default: false
        # If using a self-signed certificate on the Splunk instance this flag is set to true. 
      # insecure_skip_verify: true
  # Send to gateway
#  otlp:
#    endpoint: "${SPLUNK_GATEWAY_URL}:4317"
#    tls:
#      insecure: true
  # Debug
  logging:
    loglevel: debug

service:
  extensions: [health_check, http_forwarder, zpages, memory_ballast, smartagent]
  pipelines:
    traces:
      receivers: [jaeger, otlp, smartagent/signalfx-forwarder, zipkin]
      processors:
      - memory_limiter
      - batch
      - resourcedetection
      - resource/add_environment
      exporters: [sapm, signalfx]
      # Use instead when sending to gateway
      #exporters: [otlp, signalfx]
    metrics:
      receivers: [hostmetrics, otlp, signalfx, smartagent/signalfx-forwarder]
      processors: [memory_limiter, batch, resourcedetection]
      exporters: [signalfx]
      # Use instead when sending to gateway
      #exporters: [otlp]
    metrics/internal:
      receivers: [prometheus/internal]
      processors: [memory_limiter, batch, resourcedetection]
      # When sending to gateway, at least one metrics pipeline needs
      # to use signalfx exporter so host metadata gets emitted
      exporters: [signalfx]
      # Use instead when sending to gateway
      #exporters: [otlp]
    logs:
      receivers: [fluentforward, otlp, filelog]
      processors:
      - memory_limiter
      - batch
      - resourcedetection
      - resource/add_environment
      exporters: [splunk_hec/logs]
#      # Use instead when sending to gateway
#      #exporters: [otlp]