Jamf Protect's telemetry for macOS collects system and user event log data and sends it to a security information and event management (SIEM) solution. Telemetry log data helps administrators and information security specialists proactively monitor and detect threats on macOS computers in their environments. Telemetry log data also assists with investigating user activities or malicious events by providing context for the various events that occur on each device. Telemetry data is sent to your configured data collection options in JSON format.
Create an action configuration to collect telemetry log data. You can select from the following types of data endpoints:
- Jamf Protect Cloud lets you send telemetry data to a third-party storage solution.
- HTTP endpoints allow you to send data directly to a SIEM solution.
- Log file configuration allows you to collect local log data.
  Note: You can only configure one local log file configuration for each action configuration.
- Kafka endpoint configuration allows you to send data to a Kafka broker.
- Syslog endpoint configuration allows you to send data to a syslog server.
Exception sets allow you to add the Ignore for Telemetry rule to exclude certain processes or events from telemetry data. This ensures that the system monitoring and telemetry collection are suitable for your unique environment. For more information about using exception sets with telemetry, see Telemetry Exception Rules.
If a deprecated version of telemetry is enabled on a plan, Jamf Protect creates a backup of the /etc/security/audit_control file and then edits the file to configure the required audit policies. If telemetry is disabled, the audit_control file is restored from that backup.