MacOS, Beats and Graylog. Learning for better logging.


Until recently I’ve had to dump the entire syslog to the syslog server, now trying to  begin using Filebeat collector for macOS  and Graylog Elastic Beats Input Plugin which one can send a specific log or set of logs to a syslog server.

How I was doing it:

Edit the syslog conf at /etc/syslog.conf

*.*                                       @serverip:port

Redirect Logs To A Syslog Server In OS X |

The caveat of this method is it dumps the entire of the syslog to the syslog server. I dislike the chattiness of  syslog and would prefer to send only a particular log or set of logs that I am interested in, hence this post.

The server I was particularly interested in was averaging about 250 or so various entries and hour. A bit too much for my liking.

Sometimes it felt like the logs could easily get out of hand…


Just found this log on my server. Should I be worried?


The pieces 

I was lucky enough to inherit a preconfigured infrastructure of Graylog, but assuming nothing I set up my own and tested this from scratch… if have log server already setup that you can skip the configuration of server…

I am sure this well documented somewhere else too, this process was mostly for me to better understand 1.) Logging service in general, 2.) MacOS logging practices and 3.) Assessing the plausibility of using Beats or similar for a backend to forward logs in a package able, deployable fashion.

Before you start:

Mac OS VM for testing, I use VMware either local or a remote server (ESXi) for my MacOS testing.

Graylog preconfigured OVA (Download)

Graylog Elastic Beats Input Plugin (Included in v2 of Graylog, may not need this)

Filebeat collector for macOS

Generally the flow of information will look something like this:


  1. Log is written by .app or service
  2. File collector then forwards files to Beats input on Graylog server
  3. Beats input plug allows for any beats File collector source to be treated as any TCP/UDP log dump.



Graylog Server

This is very well documented in Graylog’s docs-

  1. Setting up from an OVA
    1. Download and run OVA in whatever virtual appliance host you’d like
    2. Make changes to defaults as needed.
  2. Install Beats plugin (If needed)
    1. Get Beats plugin for graylog
    2. mv to /opt/graylog/plugin/
    3. restart graylog
      • graylog-ctl restart
  3. Setup input
    1. See Graylog documentation here

Client (macOS)

  1. Downloaded filebeat-5.0.2-darwin-x86_64.tar (or current)
    1. Unzip
    2. Modify lines in yaml file:


- input_type: log #uncomment


- /var/log/install.log #uncomment I changed to install.log for specific log testing, but you could set it to whatever you'd like. 

output.elasticsearch: #uncomment

hosts: ["URL:PORT"] #change to server ip and port make sure it aligns to you input configuration

Once changes are made you can start the forwarder, by:

  • sudo ./filebeat -e -c filebeat.yml

More considerations & To Dos

  • Automated start/stop of forwarder
    • I’d like to figure out (or find someone who has) how to auto-start the filebeat service
    • As well as bundling in a deployable pkg yo distribute to a large number of clients
  • Further granularity/ filtering at the Graylog Level


Filebeat Reference

Grayling Documentation “Sending in log data”

Graylog Elastic Beats Input Plugin

Elastic Filebeat Collector  (Mac | Win | Linux)

6 thoughts on “MacOS, Beats and Graylog. Learning for better logging.

  1. Pingback: Packaging Filebeat on macOS | Lucas J. Hall

  2. Hi Lucas, thank yuo for your post, I am wondering what port do you set it up on filebeat.yum because I tried graylog(ip):5044 and I have nothing comming up..can you please let me know? I have another imput with all logs from my macbook pro comming.
    Thanks in advance

  3. Thanks Lucas Again, what i am trying to do is to get the logs from an Expecific app on Mac the path from logs are located in /var/log/Defendpoint/audit.log, I have my Graylog install and works good even I have already all system logs from this Laptop comming but they are a lot, i just need from this app (Avecto) this is a copy from my filebeat.yum: (I will appreciate it if you take a look)

    ###################### Filebeat Configuration #########################


    – input_type: log
    – /var/log/Defendpoint/audit.log

    # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
    multiline.pattern: ^\[

    # Defines if the pattern set under pattern should be negated or not. Default is false.
    multiline.negate: true

    # Match can be set to “after” or “before”. It is used to define if lines should be append to a pattern
    # that was (not) matched before or after or as long as a pattern is not matched based on negate.
    multiline.match: after

    #============================= Filebeat modules ===============================

    path: ${path.config}/modules.d/*.yml

    reload.enabled: false

    #==================== Elasticsearch template setting ==========================

    index.number_of_shards: 3

    #================================ Outputs =====================================

    #————————– Elasticsearch output ——————————

    # Array of hosts to connect to.
    hosts: [“{IP}:9200”]

    #—————————– Logstash output ——————————–
    # The Logstash hosts
    hosts: [“{IP}}:5044”]

  4. Alex, first- I cleaned up your comment a bit, there was some sensitive (maybe?) info included, I omitted any #commented lines as well for readability.

    An initial config example would be along the lines of this: filebeat-example.yml (

    I’d start simple, and then add more tuning from there. I suggest using the logging.* options for visibility during troubleshooting.

    You can see more in the following post as well.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s