Adding Unified Log Filters to Jamf Protect

Jamf Protect Documentation
Solution
Application
Content Type
Technical Documentation
Utilities & Services
ft:locale
en-US
Requirements
To collect unified log filter data with Jamf Protect, you must do one of the following:

  • Collect unified logs in a local log file

  • Send unified logs to a Kafka broker

  • Send unified logs to a syslog server

  • Integrate Jamf Protect with a security information and events management (SIEM) solution.

    For more information, see macOS Security Data Integrations by Vendor.

  • Use a Jamf Protect Cloud data endpoint to collect unified logging, then enable data forwarding to a third party storage solution

    For more information, see Data Forwarding to a Third Party Storage Solution.

  1. In Jamf Protect, click Unified Logging in the sidebar.
  2. Click Add New Filter.
  3. Give your filter a name.
  4. (Optional) Add tags to your filter.
  5. Enter your previously created predicate-based filter.
    Note:

    Only enter the predicate filter between the quotations.The log command and --predicate flag you used to test your filter should not be included.

  6. Click Save.

All computers will now send logs that match your filter to your security information and event management (SIEM) solution, a third party storage solution, or a local log file depending on your action configuration.