The goal is to implement a Logcollector Reader that interfaces with macOS's Unified Logging System (ULS) using the OSLog framework. This Reader will allow querying and filtering logs based on specific predicates, log levels, and types.
Given that the OSLog framework exposes an Objective-C (and Swift) API, while the Wazuh Agent is implemented in C++, a wrapper (for example an Objective-C++ translation unit that exposes a plain C++ interface) will need to be developed or integrated to bridge the two languages.
Requirements
Configuration Options
The macOS Reader will support the following options:
macos: Defines a macOS-specific reader with the following sub-options:
query: Predicate to filter logs, written in the NSPredicate syntax accepted by log show --predicate (keys such as process, subsystem, category, eventMessage).
level: Log verbosity level: default, info, or debug. These follow the log tool's semantics: default returns notice-and-above entries, info adds info-level entries, and debug adds info- and debug-level entries.
type: Limits the log type; possible values (combinable): activity, log, trace.
file_wait: Defines the log polling interval (e.g., 500ms).
reload_interval: Interval for detecting log rotation (if applicable).
Example Configuration
logcollector:
  enabled: true
  macos:
    - query: process == "sshd" OR message CONTAINS "invalid"
      level: info
      type: trace,activity,log
    - query: process == "wazuh-agent"
      level: default
      type: log
      reload_interval: 1m
      file_wait: 500ms
Tasks
Spike
Review Configuration Options
Validate the proposed options and identify potential additional configurations if needed.
Investigate OSLog Framework Integration
Analyze the OSLog API and available Objective-C/C++ bridging options.
Determine the best approach to create or use a wrapper for integrating OSLog with C++.
Development
Setup
Function
Deliverables
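As an added illustration of the bridging approach under investigation (this is not code from the issue or from the wazuh-agent repository), the following Objective-C++ translation unit wraps OSLogStore behind a plain C++ function and maps the proposed query, level and type options onto the OSLog framework's entry classes. The names UlsRecord, UlsQueryOptions and readUnifiedLog are hypothetical. It assumes macOS 12 or later (localStoreAndReturnError: is a 12.0+ API), that the process runs as root, which opening the local store requires, and that the store's predicate accepts the same keys as log show --predicate; the level and type mapping is one possible reading of the proposed options, not the project's decision.

```objective-c++
// uls_reader.mm (hypothetical file name). Build on macOS 12+ with:
//   clang++ -std=c++17 -fobjc-arc -framework Foundation -framework OSLog uls_reader.mm -o uls_reader
#import <Foundation/Foundation.h>
#import <OSLog/OSLog.h>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Plain C++ view of one ULS entry. Only this struct and readUnifiedLog() need a header
// declaration, so the rest of the agent never sees Objective-C types.
struct UlsRecord {
    double timestamp;    // seconds since the Unix epoch
    std::string process;
    std::string level;   // debug | info | notice | error | fault | undefined | activity
    std::string message;
};

// Mirrors the proposed macos: sub-options query, level and type (assumed names).
struct UlsQueryOptions {
    std::string query;                         // NSPredicate text, e.g. process == "sshd"
    std::string level = "default";             // default | info | debug
    std::vector<std::string> types = {"log"};  // any of activity, log, trace
};

namespace {
std::string toStd(NSString* s) { return s ? s.UTF8String : ""; }

bool hasType(const UlsQueryOptions& o, const char* t) {
    for (const auto& s : o.types) if (s == t) return true;
    return false;
}

// Same semantics as the log tool: default is notice and above, info adds info
// entries, debug adds info and debug entries.
bool levelAllowed(OSLogEntryLogLevel lvl, const std::string& level) {
    switch (lvl) {
        case OSLogEntryLogLevelDebug: return level == "debug";
        case OSLogEntryLogLevelInfo:  return level == "debug" || level == "info";
        default:                      return true;
    }
}

std::string levelName(OSLogEntryLogLevel lvl) {
    switch (lvl) {
        case OSLogEntryLogLevelDebug:  return "debug";
        case OSLogEntryLogLevelInfo:   return "info";
        case OSLogEntryLogLevelNotice: return "notice";
        case OSLogEntryLogLevelError:  return "error";
        case OSLogEntryLogLevelFault:  return "fault";
        default:                       return "undefined";
    }
}
} // namespace

// Enumerates every persisted entry newer than `since` (Unix seconds) that matches the
// options and hands it to `sink`. Returns false with `err` set when the store cannot be
// opened, which in practice means the process is not root. OSLogStore is a snapshot,
// not a live stream: a reader calls this every file_wait with `since` set to the newest
// timestamp it has already delivered.
bool readUnifiedLog(const UlsQueryOptions& opts, double since,
                    const std::function<void(const UlsRecord&)>& sink, std::string& err) {
    @autoreleasepool {
        NSError* nsErr = nil;
        OSLogStore* store = [OSLogStore localStoreAndReturnError:&nsErr];
        if (!store) { err = toStd(nsErr.localizedDescription); return false; }

        NSPredicate* pred = nil;
        if (!opts.query.empty())
            pred = [NSPredicate predicateWithFormat:[NSString stringWithUTF8String:opts.query.c_str()]];

        OSLogPosition* pos = [store positionWithDate:[NSDate dateWithTimeIntervalSince1970:since]];
        OSLogEnumerator* en = [store entriesEnumeratorWithOptions:0 position:pos
                                                         predicate:pred error:&nsErr];
        if (!en) { err = toStd(nsErr.localizedDescription); return false; }

        for (OSLogEntry* e in en) {
            UlsRecord r;
            r.timestamp = e.date.timeIntervalSince1970;
            r.message   = toStd(e.composedMessage);
            if ([e isKindOfClass:[OSLogEntryLog class]]) {
                if (!hasType(opts, "log")) continue;
                OSLogEntryLog* le = (OSLogEntryLog*)e;
                if (!levelAllowed(le.level, opts.level)) continue;
                r.process = toStd(le.process);
                r.level   = levelName(le.level);
            } else if ([e isKindOfClass:[OSLogEntryActivity class]]) {
                if (!hasType(opts, "activity")) continue;
                OSLogEntryActivity* ae = (OSLogEntryActivity*)e;
                r.process = toStd(ae.process);
                r.level   = "activity";
            } else {
                // Signposts, boundaries, etc. The public OSLog framework has no entry
                // class for "trace" entries, so how type: trace maps is left to the spike.
                continue;
            }
            sink(r);
        }
    }
    return true;
}

int main() {
    @autoreleasepool {
        UlsQueryOptions opts;
        opts.query = "process == \"sshd\"";  // same predicate syntax as log show --predicate
        opts.level = "info";
        opts.types = {"log", "activity"};
        std::string err;
        double since = NSDate.date.timeIntervalSince1970 - 300;  // last five minutes
        bool ok = readUnifiedLog(opts, since, [](const UlsRecord& r) {
            std::printf("%.3f %s [%s] %s\n", r.timestamp, r.process.c_str(),
                        r.level.c_str(), r.message.c_str());
        }, err);
        if (!ok) { std::fprintf(stderr, "ULS read failed: %s\n", err.c_str()); return 1; }
    }
    return 0;
}
```

Two caveats a reader built this way has to account for. First, ULS only persists info and debug entries for subsystems whose logging configuration asks for them, so level: info or level: debug against the stored log returns only what was persisted, not everything that was emitted. Second, because each poll re-queries from a timestamp rather than tailing a file, the reader has to deduplicate entries that share the boundary timestamp, and reload_interval has no file rotation to detect here; the store is a database under /var/db/diagnostics managed by logd.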
I’ve started working on the macOS Reader for Logcollector. Reviewed the configuration options and began investigating OSLog API integration and Objective-C/C++ bridging. Next steps will include coming up with an approach for the wrapper, drafting a Reader design, and validating ULS log rotation handling.