diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9eb64edb79..3d6fa7e348 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to the Wazuh app project will be documented in this file.
- Improve fleet management by adding 'Edit Agent Groups' and 'Upgrade Agents' actions, as well as a filter to show only outdated agents [#6250](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6250) [#6476](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6476) [#6274](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6274) [#6501](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6501) [#6529](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6529)
- Added propagation of updates from the table to dashboard visualizations in Endpoints summary [#6460](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6460)
- Handle index pattern selector on new discover [#6499](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6499)
+- Added macOS log collector tab [#6545](https://github.com/wazuh/wazuh-dashboard-plugins/pull/6545)
### Changed
diff --git a/docker/imposter/agents/configuration/logcollector-localfile.json b/docker/imposter/agents/configuration/logcollector-localfile.json
index 722426ff24..c61d46743d 100644
--- a/docker/imposter/agents/configuration/logcollector-localfile.json
+++ b/docker/imposter/agents/configuration/logcollector-localfile.json
@@ -1,12 +1,31 @@
{
"data": {
"localfile": [
+ {
+ "logformat": "macos",
+ "query": {
+ "value": "(process == \"sudo\") or (process == \"sessionlogoutd\" and message contains \"logout is complete.\") or (process == \"sshd\") or (process == \"tccd\" and message contains \"Update Access Record\") or (message contains \"SessionAgentNotificationCenter\") or (process == \"screensharingd\" and message contains \"Authentication\") or (process == \"securityd\" and eventMessage contains \"Session\" and subsystem == \"com.apple.securityd\")",
+ "level": "info",
+ "type": [
+ "log",
+ "activity",
+ "trace"
+ ]
+ },
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ]
+ },
{
"logformat": "command",
"command": "df -P",
"alias": "df -P",
"ignore_binaries": "no",
- "target": ["agent"],
+ "target": [
+ "agent"
+ ],
"frequency": 360
},
{
@@ -14,7 +33,9 @@
"command": "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:]]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[[:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d",
"alias": "netstat listening ports",
"ignore_binaries": "no",
- "target": ["agent"],
+ "target": [
+ "agent"
+ ],
"frequency": 360
},
{
@@ -22,7 +43,9 @@
"command": "last -n 20",
"alias": "last -n 20",
"ignore_binaries": "no",
- "target": ["agent"],
+ "target": [
+ "agent"
+ ],
"frequency": 360
},
{
@@ -30,58 +53,141 @@
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/nginx/access.log",
"logformat": "apache",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/nginx/error.log",
"logformat": "apache",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/ossec/logs/active-responses.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/auth.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/syslog",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/dpkg.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
},
{
"file": "/var/log/kern.log",
"logformat": "syslog",
"ignore_binaries": "no",
"only-future-events": "yes",
- "target": ["agent"]
+ "target": [
+ "agent"
+ ]
+ },
+ {
+ "channel": "Application",
+ "logformat": "eventlog",
+ "ignore_binaries": "no",
+ "target": [
+ "agent"
+ ]
+ },
+ {
+ "channel": "Security",
+ "logformat": "eventchannel",
+ "query": {
+ "value": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]"
+ },
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ],
+ "reconnect_time": 5
+ },
+ {
+ "channel": "System",
+ "logformat": "eventlog",
+ "ignore_binaries": "no",
+ "target": [
+ "agent"
+ ]
+ },
+ {
+ "file": "active-response\\active-responses.log",
+ "logformat": "syslog",
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ]
+ },
+ {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "logformat": "eventchannel",
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ],
+ "reconnect_time": 5
+ },
+ {
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "logformat": "eventchannel",
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ],
+ "reconnect_time": 5
+ },
+ {
+ "file": "C:\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex240321.log",
+ "logformat": "iis",
+ "ignore_binaries": "no",
+ "only-future-events": "yes",
+ "target": [
+ "agent"
+ ]
}
]
},
"error": 0
-}
+}
\ No newline at end of file
diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js
new file mode 100644
index 0000000000..ebb7bb14dd
--- /dev/null
+++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection-macosevents.js
@@ -0,0 +1,128 @@
+/*
+ * Wazuh app - React component for show configuration of log collection - commands tab.
+ * Copyright (C) 2015-2022 Wazuh, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Find more information about this on the LICENSE file.
+ */
+
+import React, { Component, Fragment } from 'react';
+
+import WzNoConfig from '../util-components/no-config';
+import WzConfigurationSettingsHeader from '../util-components/configuration-settings-header';
+import WzConfigurationListSelector from '../util-components/configuration-settings-list-selector';
+import WzConfigurationSettingsGroup from '../util-components/configuration-settings-group';
+import { renderValueOrNoValue, isString } from '../utils/utils';
+import { settingsListBuilder } from '../utils/builders';
+import helpLinks from './help-links';
+import {
+ LOGCOLLECTOR_LOCALFILE_PROP,
+ LOCALFILE_MACOSEVENT_PROP,
+} from './types';
+
+/**
+ *
+ * @param {*} data => all log data
+ * @returns string => value to show in query input
+ */
+const queryValue = data => {
+ return typeof data === 'undefined'
+ ? '-'
+ : typeof data === 'object'
+ ? data.value
+ : data;
+};
+
+/**
+ * Returns targets array parsed in one string
+ * @param {*} item
+ * @returns string => target
+ */
+const renderTargetField = item =>
+ Array.isArray(item) ? item.join(', ') : 'agent';
+
+/**
+ * Return panels title
+ * @param {*} item => log data
+ * @returns
+ */
+const panelsLabel = item =>
+ `${item.logformat} - ${renderTargetField(item.target)}`;
+
+const mainSettings = [
+ { field: 'logformat', label: 'Log format' },
+ { field: 'query', label: 'Query value', render: queryValue },
+ { field: 'query.level', label: 'Query level', render: renderValueOrNoValue },
+ { field: 'query.type', label: 'Query type', render: renderValueOrNoValue },
+ {
+ field: 'ignore_binaries',
+ label: 'Ignore binaries',
+ render: renderValueOrNoValue,
+ },
+ {
+ field: 'only-future-events',
+ label: 'Only future events',
+ render: renderValueOrNoValue,
+ },
+];
+
+class WzConfigurationLogCollectionMacOSEvents extends Component {
+ constructor(props) {
+ super(props);
+ }
+ render() {
+ const { currentConfig } = this.props;
+ const items = currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+ LOCALFILE_MACOSEVENT_PROP
+ ]
+ ? settingsListBuilder(
+ currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP],
+ panelsLabel,
+ )
+ : [];
+
+ return (
+
+ {isString(currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]) && (
+
+ )}
+ {!currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+ LOCALFILE_MACOSEVENT_PROP
+ ]?.length ? (
+
+ ) : null}
+ {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+ LOCALFILE_MACOSEVENT_PROP
+ ]?.length > 1 ? (
+
+
+
+ ) : null}
+ {currentConfig?.[LOGCOLLECTOR_LOCALFILE_PROP]?.[
+ LOCALFILE_MACOSEVENT_PROP
+ ]?.length === 1 ? (
+
+ ) : null}
+
+ );
+ }
+}
+
+export default WzConfigurationLogCollectionMacOSEvents;
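Review bot: `queryValue` (the `render` for the `query` field) throws on a `null` query, because `typeof null === 'object'` sends it into the `data.value` branch; the `undefined` guard does not cover it. A safer form that keeps the same results for strings and objects is `if (data == null) return '-';` followed by `return typeof data === 'object' ? data.value ?? '-' : data;`, so a query object without a `value` key also renders as "no value" instead of blank. The file header still reads "configuration of log collection - commands tab" (copied from the commands component) and should say "macOS events tab". `query.type` arrives as an array in the fixture this PR adds, so it is worth confirming `renderValueOrNoValue` renders arrays sensibly rather than stringifying them; that helper is not visible here. The JSX between `return (` and `);` appears stripped in this rendering, so the component tree itself could not be reviewed.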
diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js
index 4cdb32b286..52c0ee029a 100644
--- a/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js
+++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/log-collection.js
@@ -18,6 +18,7 @@ import WzTabSelector, {
import WzConfigurationLogCollectionLogs from './log-collection-logs';
import WzConfigurationLogCollectionCommands from './log-collection-commands';
import WzConfigurationLogCollectionWindowsEvents from './log-collection-windowsevents';
+import WzConfigurationLogCollectionMacOSEvents from './log-collection-macosevents';
import WzConfigurationLogCollectionSockets from './log-collection-sockets';
import withWzConfig from '../util-hocs/wz-config';
import { isString } from '../utils/utils';
@@ -26,6 +27,7 @@ import {
LOCALFILE_LOGS_PROP,
LOCALFILE_WINDOWSEVENT_PROP,
LOGCOLLECTOR_LOCALFILE_PROP,
+ LOCALFILE_MACOSEVENT_PROP,
} from './types';
class WzConfigurationLogCollection extends Component {
@@ -51,6 +53,9 @@ class WzConfigurationLogCollection extends Component {
item.logformat === 'eventchannel' ||
item.logformat === 'eventlog',
),
+ [LOCALFILE_MACOSEVENT_PROP]: currentConfig[
+ LOGCOLLECTOR_LOCALFILE_PROP
+ ].localfile.filter(item => item.logformat === 'macos'),
[LOCALFILE_COMMANDS_PROP]: currentConfig[
LOGCOLLECTOR_LOCALFILE_PROP
].localfile.filter(
@@ -92,6 +97,20 @@ class WzConfigurationLogCollection extends Component {
),
},
+ {
+ condition:
+ currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] &&
+ currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP]
+ .length > 0,
+ component: (
+
+
+
+ ),
+ },
{
condition:
currentConfig[LOGCOLLECTOR_LOCALFILE_PROP] &&
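Review bot: The new tab `condition` reads `currentConfig[LOGCOLLECTOR_LOCALFILE_PROP][LOCALFILE_MACOSEVENT_PROP].length` without guarding the intermediate value, so if the config value is the error string the macOS component explicitly checks for with `isString(...)`, or the `localfile-macosevent` key was not populated, this evaluates `undefined.length` and throws before the component's own fallbacks run. Writing it as `currentConfig[LOGCOLLECTOR_LOCALFILE_PROP]?.[LOCALFILE_MACOSEVENT_PROP]?.length > 0` keeps the same truthiness and is consistent with the optional chaining already used inside `WzConfigurationLogCollectionMacOSEvents`. The sibling conditions follow the same unguarded pattern, so this may be tolerated upstream; the enclosing method of `WzConfigurationLogCollection` starts and ends outside the hunk.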
diff --git a/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js b/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js
index 27e32f111c..57d22b9412 100644
--- a/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js
+++ b/plugins/main/public/controllers/management/components/management/configuration/log-collection/types.js
@@ -1,7 +1,7 @@
-
export const LOGCOLLECTOR_LOCALFILE_PROP = 'logcollector-localfile';
export const LOGCOLLECTOR_SOCKET_PROP = 'logcollector-socket';
export const LOCALFILE_LOGS_PROP = 'localfile-logs';
export const LOCALFILE_WINDOWSEVENT_PROP = 'localfile-windowsevent';
-export const LOCALFILE_COMMANDS_PROP = 'localfile-commands';
\ No newline at end of file
+export const LOCALFILE_COMMANDS_PROP = 'localfile-commands';
+export const LOCALFILE_MACOSEVENT_PROP = 'localfile-macosevent';