You can create multiple action configurations in Jamf Protect for use with different plans.
Requirements
You will need access to the data endpoint environment where you intend to send data.
For more information about common integrations, see Data Integrations for macOS Security.
Configuring a Kafka or syslog data endpoint requires computers to be on version 6.1.1 or later of the Jamf Protect agent.
- In Jamf Protect, click Actions.
- Click Create Action at the top of the window.
- Enter a name and description for your action configuration.
- Configure data collection for the Jamf Protect Cloud.
If you do not want to collect data in the Jamf Protect Cloud and do not plan to use data forwarding, you can delete the Jamf Protect Cloud endpoint from the action configuration.
- Add a data endpoint:
- In Data Endpoints, click + Add.
- Select a data endpoint type:
- Jamf Protect Cloud — Collects and stores data in the Jamf Protect Cloud. Alert data is visible directly in the macOS Security portal. To view telemetry and unified log data stored in the Jamf Protect Cloud, you must set up data forwarding.
- HTTP — Sends data from macOS computers to an HTTP endpoint URL exposed by a SIEM or other collector.
- Log file — Writes all data to a log file at a specified location on computers. Only one log file endpoint is allowed per action configuration.
- Syslog — Sends data to a syslog server. Syslog is a standardized protocol for forwarding log messages from many systems to a central server, from which they can be distributed to other consumers; the messages are typically used for system management, monitoring, and security auditing. Message syntax varies, but a message usually has a basic structure of a header (including timestamp and severity level) followed by the message text. Syslog can be carried over UDP, TCP, or TLS; plain UDP or TCP syslog is neither encrypted nor authenticated, so use a TLS transport when the collector is reached over an untrusted network.
- Kafka — Sends data to a Kafka cluster, a distributed streaming platform in which producers write records to named topics and consumers subscribe to the topics they want from the centralized cluster. Records are standardized logs that can be encoded in formats such as JSON or Avro and are designed for real-time processing. Kafka adds durability through configurable data retention and replication of persisted data across the cluster. Kafka connections can be encrypted with TLS, with X.509 certificates used for server authentication and, optionally, mutual client authentication.
- Configure the selected data endpoint's required values.
- From Alerts, select the level of alerts you want to collect.
- From Logs, select the data types you want to collect.
- (Optional) If you configured any data endpoint to collect alerts, configure the Alert Data Collection Options.
You can control the verbosity of all data collected for different alert event types.
- Click Save.
You can now add your action configuration to a plan for deployment. If you edit an action configuration, changes will be automatically applied to computers assigned to the action as part of their plan.
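The HTTP data endpoint above pushes data from every enrolled Mac to a URL you control, so the receiving side has to authenticate the sender and tolerate partially malformed batches. The following collector is an added example written for this page, not Jamf's code; it assumes, which the page does not state, that the agent POSTs JSON records (one object per line or a JSON array) and that the action configuration's HTTP endpoint is set up to send a custom `Authorization: Bearer <token>` header. The record fields in the sample body are constructed for illustration and are not real Jamf Protect output.

```python
"""Minimal authenticated HTTP receiver for a Jamf Protect "HTTP" data endpoint.

Added example, not Jamf's code. Assumptions (not from the page): the agent
POSTs JSON records as NDJSON or a JSON array, and the endpoint is configured
to send "Authorization: Bearer <token>" as a custom header.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared secret the action configuration is assumed to send. Load it from a
# secret store in practice; this placeholder is for the example only.
EXPECTED_TOKEN = "replace-with-a-long-random-token"


def authorized(headers: dict, expected_token: str) -> bool:
    """Constant-time check of a 'Authorization: Bearer <token>' header.
    Header names are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def _as_dicts(obj) -> list:
    """Keep only JSON objects; a bare object becomes a one-element list."""
    if isinstance(obj, dict):
        return [obj]
    if isinstance(obj, list):
        return [o for o in obj if isinstance(o, dict)]
    return []


def parse_records(body: bytes) -> list:
    """Accept a single JSON document (object or array) or newline-delimited
    JSON. For NDJSON, a malformed line is skipped so one bad record does not
    discard the whole batch."""
    text = body.decode("utf-8", errors="replace").strip()
    try:
        return _as_dicts(json.loads(text))
    except json.JSONDecodeError:
        pass
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.extend(_as_dicts(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return records


def handle_post(headers: dict, body: bytes, expected_token: str = EXPECTED_TOKEN):
    """Return (HTTP status, accepted records). Auth is checked before the body
    is parsed so unauthenticated senders cannot drive the parser."""
    if not authorized(headers, expected_token):
        return 401, []
    records = parse_records(body)
    if not records:
        return 400, []
    return 200, records


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, records = handle_post(dict(self.headers), body)
        for rec in records:
            # Forward to your SIEM or queue here; printing stands in for that.
            print(json.dumps(rec))
        self.send_response(status)
        self.end_headers()


# Constructed sample batch with made-up fields; not real Jamf Protect output.
SAMPLE_BODY = b'{"event":"a","severity":2}\n{"event":"b","severity":0}\nnot json\n'

if __name__ == "__main__":
    # Terminate TLS in front of this listener (reverse proxy or ssl.SSLContext
    # on the server socket); do not expose a plaintext collector to agents.
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()
```

Point the action configuration's HTTP endpoint at the listener behind a TLS terminator and add the bearer header; a request with a missing or wrong token is rejected before any JSON is parsed, and a batch with one bad line still delivers the good records.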