Macoslogbeat is a log shipper for macOS unified logs, like journalbeat is for journald.
It's only tested to work on macOS Catalina (10.15), but I bet it would work on any macOS release that uses unified log.
- Pick the latest release
- Install it either by double-clicking the pkg or with installer (sudo installer -pkg macoslogbeat-<version>.pkg -target /)
- Configure /opt/macoslogbeat/macoslogbeat.yml
  - Mainly elasticsearch/logstash/etc. location is required to get started
Optional steps:
- Install profile to see log fields also (located in /opt/macoslogbeat/macos/Logging.mobileconfig)
- Install launchd configuration to run it automatically when the OS boots and restart on crash: sudo launchctl load /opt/macoslogbeat/install/com.reaktor.macoslogbeat.plist
- Run the service: sudo launchctl start com.reaktor.macoslogbeat
For further development, check out the beat developer guide.
Make sure you have ${GOPATH}/bin in PATH.
To build the binary for MacosLogbeat run the command below. This will generate a binary in the same directory with the name macoslogbeat.
make
To run MacosLogbeat with debugging output enabled, run:
./macoslogbeat -c macoslogbeat.yml -e -d "*"
Run docker-compose up to start elasticsearch and kibana locally to start testing macoslogbeat.
After the apps have started, elasticsearch is available at http://localhost:9200 and kibana at http://localhost:5601.
To test MacosLogbeat, run the following command: (As of writing this there are no tests, but maybe this changes over time)
make testsuite
Alternatively:
make unit-tests
make system-tests
make integration-tests
make coverage-report
The test coverage is reported in the folder ./build/coverage/
Each beat has a template for the mapping in elasticsearch and documentation for the fields, which is automatically generated based on fields.yml by running the following command.
make update
To clean MacosLogbeat source code, run the following command:
make fmt
To clean up the build directory and generated artifacts, run:
make clean
To clone MacosLogbeat from the git repository, run the following commands:
mkdir -p ${GOPATH}/src/github.com/jaakkoo/macoslogbeat
git clone https://github.com/jaakkoo/macoslogbeat ${GOPATH}/src/github.com/jaakkoo/macoslogbeat
The beat framework provides tools to cross-compile and package your beat for different platforms. This requires docker and vendoring as described above. To build packages of your beat, run the following command:
make pkg
This will fetch and create all images required for the build process. The whole process can take several minutes to finish.
It will also generate a macOS installer (.pkg), which is made available in the same directory (build/) as everything else.
Once the macoslogbeat-<version>.pkg package is installed, the files will be available in /opt/macoslogbeat
The easiest way to verify the application works is to run it manually from the command line:
sudo /opt/macoslogbeat/macoslogbeat -c /opt/macoslogbeat/macoslogbeat.yml -e
Note! Running with sudo is optional, but unless you run it with enough privileges most of the log messages are hidden
Get the help: sudo /opt/macoslogbeat/macoslogbeat -h
All configuration is located in /opt/macoslogbeat/macoslogbeat.yml
The launchd configuration is available in /opt/macoslogbeat/install/com.reaktor.macoslogbeat.plist
Install it: sudo launchctl load /opt/macoslogbeat/install/com.reaktor.macoslogbeat.plist
Start it: sudo launchctl start com.reaktor.macoslogbeat
Launchd will configure macoslogbeat to start automatically when the OS boots. If you wish to change the behaviour, edit the plist.
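Because the job is loaded with sudo and reads its binary, config and plist from /opt/macoslogbeat, it is worth checking after install that nothing in that tree can be modified by an unprivileged user. The script below is an added example, not part of macoslogbeat; the function names are hypothetical, and it assumes the installed tree is expected to be owned by root.

```shell
#!/bin/sh
# Added example: post-install audit for macoslogbeat (not project code).
# The install path and the com.reaktor.macoslogbeat id are the ones on this page;
# the expectation that the tree is root-owned is an assumption.

PREFIX="${PREFIX:-/opt/macoslogbeat}"
LABEL="com.reaktor.macoslogbeat"

# Print every file or directory under $1 that group or others can write to.
# -perm -020 / -002 are POSIX and work with both BSD and GNU find.
writable_by_non_owner() {
    find "$1" \( -perm -020 -o -perm -002 \) ! -type l -print
}

# Print every entry under $1 that is not owned by user $2 (name or numeric uid).
not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Return 0 when the tree at $1 is owned by $2 and has no group/world-writable
# entries, 1 when something is loose, 2 when the directory is missing.
tree_is_locked_down() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=$( { writable_by_non_owner "$dir"; not_owned_by "$dir" "$owner"; } | sort -u )
    [ -z "$bad" ] && return 0
    echo "loose ownership or permissions:" >&2
    echo "$bad" >&2
    return 1
}

# Full audit. Run it as root on the Mac where the package is installed, so that
# launchctl looks at the same domain the job was loaded into.
audit_install() {
    rc=0
    pkgutil --pkg-info "$LABEL" >/dev/null 2>&1 ||
        { echo "no package receipt for $LABEL" >&2; rc=1; }
    launchctl list "$LABEL" >/dev/null 2>&1 ||
        { echo "launchd job $LABEL is not loaded" >&2; rc=1; }
    tree_is_locked_down "$PREFIX" root || rc=1
    return $rc
}
```

Source the file and run audit_install as root; a non-zero exit status means a check failed, with the offending paths listed on stderr.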
First unload the launchd config
sudo launchctl unload /opt/macoslogbeat/install/com.reaktor.macoslogbeat.plist
Remove the package from database
sudo pkgutil --forget com.reaktor.macoslogbeat
Delete all files
rm -rf /opt/macoslogbeat