Cribl Edge supports collecting Apple Unified Logs on macOS.

Type: Pull | TLS Support: N/A | Event Breaker Support: No

This Source is available only on Cribl Edge Nodes running on macOS.

Apple’s Unified Logging system writes structured log entries from the operating system and applications to a central store. You can use the Apple Unified Logs Source to stream those entries into Cribl Edge for processing and forwarding.

The Apple Unified Logs Source applies an NSPredicate filter to scope collection to specific subsystems, categories, or processes. The Source polls for new entries at a 5 second interval and delivers them as structured events for further processing and forwarding.

Configure Cribl Edge to Collect Apple Unified Logs ​

1. On the top bar, select Products, then select Cribl Edge. Under Fleets, select a Fleet. You have two options:

   • To configure via QuickConnect, navigate to Collect. Select Add Source, then select the Source you want from the list, choosing either Select Existing or Add New.
   • To configure via the Routes, select More > Sources. Select the Source you want, then select Add Source.

2. Configure the following under General Settings:

   • Input ID: Enter a unique name to identify this Source definition. If you clone this Source, Cribl Edge will add -CLONE to the original Input ID.

   • Description: Optionally, enter a description.

   • Predicate: Enter an NSPredicate expression to filter log entries. For example:

     • subsystem == "com.example.app" - collect entries from a specific subsystem.
     • category == "network" - collect entries from a specific category.
     • process == "Safari" - collect entries from a specific process.
     • subsystem == "com.example.app" AND category == "network" - combine conditions with AND or OR.

     See Common Log Types and Predicates for more examples of predicate expressions.

3. Next, you can configure the following Optional Settings:

   • Read mode: Select From last entry (the default) to read only new events. Select Entire Log to read all of the historical events and new events.
   • Tags: Optionally, add tags that you can use to filter and group Sources in Cribl Edge’s UI. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.

4. Optionally, adjust the Processing and Advanced settings, or Connected Destinations outlined in the sections below.

5. Select Save, then Commit & Deploy.

Processing Settings ​

Fields ​

In this section, you can define new fields or modify existing ones using JavaScript expressions, similar to the Eval function.

• The Field Name can either be a new field (unique within the event) or an existing field name to modify its value.
• The Value is a JavaScript expression (enclosed in quotes or backticks) to compute the field’s value (can be a constant). Select this field’s advanced mode icon (far right) if you’d like to open a modal where you can work with sample data and iterate on results.

This flexibility means you can:

• Add new fields to enrich the event.
• Modify existing fields by overwriting their values.
• Compute logic or transformations using JavaScript expressions.

Pre-Processing ​

In this section’s Pipeline drop-down list, you can select a single existing Pipeline or Pack to process data from this input before the data is sent through the Routes.

Advanced Settings ​

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Connected Destinations ​

Send to Routes: Enable conditional routing, filtering, and cloning of this Source’s data via the Routing table.

QuickConnect: Send this Source’s data to one or more Destinations via independent, direct connections.

Common Log Types and Predicates ​

Use the following predicates to filter common types of logs.