Mac Unified Logging

Updated on 16 Jul 2025
2 Minutes to read

Print
Share
Dark
Light

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Overview

This Adapter allows you to collect events from MacOS Unified Logging.

Deployment Configurations

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Optional Arguments:

predicate: example, predicate='subsystem=="com.apple.TimeMachine"'

CLI Deployment

Adapter downloads can be found here.

chmod +x /path/to/lc_adapter

/path/to/lc_adapter mac_unified_logging client_options.identity.installation_key=$INSTALLATION_KEY \
client_options.identity.oid=$OID \
client_options.platform=json \
client_options.sensor_seed_key=$SENSOR_NAME \
client_options.hostname=$SENSOR_NAME

Infrastructure as Code Deployment

# macOS Unified Logging Specific Docs: https://docs.limacharlie.io/docs/adapter-types-macos-unified-logging

sensor_type: "mac_unified_logging"
  mac_unified_logging:
    client_options:
      identity:
        oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        installation_key: "YOUR_LC_INSTALLATION_KEY_MACOSUL"
      hostname: "user-macbook-pro"
      platform: "mac_unified_logging"
      sensor_seed_key: "macos-unified-logging-sensor"
    # Optional configuration
    write_timeout_sec: 600                           # Default: 600 seconds
    predicate: 'processImagePath endswith "/usr/sbin/sshd" OR subsystem == "com.apple.security"'

Service Creation

If you want this adapter to run as a service, you can run the following script to add a plist file to the endpoint with your variables replaced. Please note that this example also has an example predicate, so if you do not wish to use a predicate, remove that line.

sudo -i

curl https://downloads.limacharlie.io/adapter/mac/64 -o /usr/local/bin/lc_adapter
chmod +x /usr/local/bin/lc_adapter

tee -a /Library/LaunchDaemons/io.limacharlie.adapter.macunifiedlogging.plist <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>io.limacharlie.adapter.macunifiedlogging</string>
    <key>UserName</key>
	<string>root</string>
    <key>RunAtLoad</key>
    <true/>
    <key>WorkingDirectory</key>
    <string>/usr/local/bin</string>
    <key>KeepAlive</key>
    <true/>
    <key>EnvironmentVariables</key>
    <dict>
      <key>PATH</key>
      <string>/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin</string>
    </dict>
    <key>Program</key>
    <string>/usr/local/bin/lc_adapter</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/lc_adapter</string>
        <string>mac_unified_logging</string>
        <string>client_options.identity.installation_key=$INSTALLATION_KEY</string>
        <string>client_options.identity.oid=$OID</string>
        <string>client_options.hostname=$SENSOR_NAME</string>
        <string>client_options.platform=json</string>
        <string>client_options.sensor_seed_key=$SENSOR_NAME</string>
        <string>predicate=eventMessage CONTAINS[c] "corp.sap.privileges"</string>
    </array>
  </dict>
</plist>
EOF

launchctl load -w /Library/LaunchDaemons/io.limacharlie.adapter.macunifiedlogging.plist

Was this article helpful?

What's Next

Microsoft Defender

Table of contents

Overview
Deployment Configurations
{{glossary.CLI}} Deployment
Service Creation