Action Configuration Details
- Name — A name for your action configuration. Jamf recommends using a standard naming convention throughout your environment.
- Description — A summary of the purpose of the action configuration in your organization.
HTTP Data Endpoint Settings
| Setting | Type | Description |
|---|---|---|
| URL | String | Endpoint URL for your data endpoint, such as a SIEM solution |
| Headers | Array | Array of HTTP header name and values. Expected values vary based on vendor. |
For additional settings, see macOS Security Data Batching for HTTP Endpoints.
Log Files Endpoint Settings
| Setting | Type | Description |
|---|---|---|
| Path | String | The local macOS path of the log file. /var/log/JamfProtect.log is used by default. |
| Ownership | String | File ownership in user:group format. root:wheel is used by default. |
| Permissions | String | Numerical POSIX permissions. 0640 is used by default. |
| Max file size (MB) | Integer | Maximum file size, in MB, before rotation. 100 is used by default. |
| Max number of backups | Integer | Number of historical log files to retain. 10 is used by default. |
Syslog Endpoint Settings
| Setting | Type | Description |
|---|---|---|
| Host | String | Syslog server hostname or IP address, such as syslog.YOUR_DOMAIN.com or 192.0.2.1 |
| Port | Integer | Server port number for the selected protocol. 6514 is used by default. |
| Protocol | String (enum) | Transport protocol for log transmission: |
Kafka Endpoint Settings
| Setting | Type | Description |
|---|---|---|
| Host | String | Kafka broker hostname or IP address, such as kafka.YOUR_DOMAIN.com or 192.0.2.1 |
| Port | Integer | Broker port number. 9093 is used by default. |
| Topic | String | Kafka topic name for the data stream |
| Server certificate common name (CN) | String | Server certificate common name. Note: You can override server certificate verification by entering no_verify in the server certificate common name field. Doing so disables verification of the broker's certificate, so the connection is no longer protected against a spoofed broker. |
| Client certificate common name (CN) | String | Certificates must be installed in the system Keychain on host computers. Use your MDM solution to distribute the certificate bundle as a computer configuration profile and make sure the following payload settings are included: |
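As an added example (not Jamf's code), the Python below audits Log Files, Syslog and Kafka endpoint settings against the formats and defaults documented above and flags values that weaken them, such as world-readable log permissions or no_verify; the dictionary keys are an assumed representation of the settings, not Jamf's export format.

```python
import ipaddress
import re

# Defaults as documented for the Log Files endpoint.
LOG_DEFAULTS = {"path": "/var/log/JamfProtect.log", "ownership": "root:wheel",
                "permissions": "0640", "max_file_size_mb": 100, "max_backups": 10}
NAME_RE = r"[A-Za-z_][A-Za-z0-9_.-]*"


def valid_host(host):
    """Accept an IP address or a DNS hostname, the two forms the Host fields take."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return re.fullmatch(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}", host) is not None


def audit_log_file(cfg):
    """Return findings for a Log Files endpoint; an empty list means it passes."""
    cfg = {**LOG_DEFAULTS, **cfg}  # unset fields take the documented defaults
    findings = []
    if not cfg["path"].startswith("/"):
        findings.append("path must be an absolute macOS path")
    if not re.fullmatch(f"{NAME_RE}:{NAME_RE}", cfg["ownership"]):
        findings.append("ownership must be in user:group format")
    if not re.fullmatch(r"0?[0-7]{3}", str(cfg["permissions"])):
        findings.append("permissions must be a numeric POSIX mode such as 0640")
    else:
        mode = int(str(cfg["permissions"]), 8)
        if mode & 0o022:  # group/other write: non-root users could alter the log
            findings.append("permissions grant write access beyond the owner")
        if mode & 0o007:  # 'other' bits: any local user could read the security log
            findings.append("permissions expose the log to all local users (default is 0640)")
    if not (isinstance(cfg["max_file_size_mb"], int) and cfg["max_file_size_mb"] > 0):
        findings.append("max file size must be a positive integer (MB)")
    if not (isinstance(cfg["max_backups"], int) and cfg["max_backups"] >= 0):
        findings.append("max number of backups must be a non-negative integer")
    return findings


def audit_network_endpoint(cfg, kind):
    """Findings for a Syslog (kind='syslog') or Kafka (kind='kafka') endpoint."""
    findings = []
    if not valid_host(str(cfg.get("host", ""))):
        findings.append("host must be a hostname or IP address")
    port = cfg.get("port", 6514 if kind == "syslog" else 9093)  # documented defaults
    if not (isinstance(port, int) and 0 < port < 65536):
        findings.append("port must be an integer between 1 and 65535")
    if kind == "kafka":
        if not cfg.get("topic"):
            findings.append("topic is required")
        if cfg.get("server_cn") == "no_verify":  # broker certificate not checked
            findings.append("server certificate verification is disabled (no_verify)")
    return findings
```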
Data Collection Settings
Each data endpoint allows you to choose which data types you want to collect.
- Alerts
Includes events from analytics, threat prevention, and removable storage control capabilities.
For more information, see Alerts for macOS Security.
- Telemetry
Includes events from a telemetry configuration.
For more information, see Telemetry for macOS.
- Unified logs
Includes events from a unified log filter.
For more information, see Unified Logging for macOS.
Alert Data Collection Options
You can control the verbosity of all data collected for different alert event types.
- Everything — Collects all available data attributes (default)
- Minimal — Excludes data attributes as curated by Jamf Threat Labs
- Custom — Allows you to include and exclude data types to suit your organization
If your organization sends a large volume of events to another system for analysis, some data attributes may incur an additional cost to collect. For example, if you have created and deployed an analytic that remotely logs all file creation events, collecting signing information for all files will cause a high operation cost for your data endpoint.