Central Logging of Security Events on macOS
Ensure security events on macOS systems are logged centrally for monitoring.
Plain language
This control means that important security-related activities on your Apple computers (macOS) should be reported to a central location so they can be closely watched. This is vital because if these activities are not tracked, you might miss signs of a cyber attack, which could lead to data loss or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Operating system hardening
Official control statement
Security-relevant events for Apple macOS operating systems are centrally logged.
Why it matters
Without central logging of macOS security events, threats may go unnoticed, leading to potential breaches and data theft.
Operational notes
Regularly confirm macOS security logs are forwarded to the central log server/SIEM; investigate gaps, failed forwarding, and time sync issues promptly.
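The check described in the operational note, as an added example that is not part of the ISM page: given records of forwarded macOS events as a central log server might hold them (constructed sample data; the record layout, host inventory and thresholds are assumptions), it flags hosts that never forwarded anything, hosts whose forwarding has gone quiet, and hosts whose event timestamps disagree with receipt time, which points to a time sync problem.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records as a central log server might store forwarded
# macOS events. Layout is an assumption: receipt time, host, event time, subsystem, message.
SAMPLE_RECEIVED = """\
2025-01-10T09:00:05Z mac-001 2025-01-10T09:00:04Z com.apple.securityd authorization succeeded
2025-01-10T09:30:02Z mac-001 2025-01-10T09:30:01Z com.apple.sshd session opened
2025-01-10T09:00:07Z mac-002 2025-01-10T09:00:06Z com.apple.securityd authorization succeeded
2025-01-10T09:05:00Z mac-003 2025-01-10T08:50:00Z com.apple.securityd authorization succeeded
"""
EXPECTED_HOSTS = {"mac-001", "mac-002", "mac-003", "mac-004"}  # constructed device inventory

def parse_ts(s):
    """Parse an RFC 3339 UTC timestamp of the form used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_records(text):
    """Split each line into (received_at, host, event_time); message text is ignored."""
    out = []
    for line in text.splitlines():
        received, host, event, _rest = line.split(" ", 3)
        out.append((parse_ts(received), host, parse_ts(event)))
    return out

def check_forwarding(records, expected_hosts, now,
                     max_gap=timedelta(minutes=15), max_skew=timedelta(seconds=60)):
    """Per host, list findings: 'silent' (nothing ever forwarded), 'gap' (nothing
    received within max_gap of now), 'skew' (event clock differs from receipt
    clock by more than max_skew, which suggests a time sync issue)."""
    last_seen, skewed = {}, set()
    for received, host, event in records:
        last_seen[host] = max(received, last_seen.get(host, received))
        if abs(received - event) > max_skew:
            skewed.add(host)
    findings = {}
    for host in sorted(expected_hosts):
        issues = []
        if host not in last_seen:
            issues.append("silent")
        else:
            if now - last_seen[host] > max_gap:
                issues.append("gap")
            if host in skewed:
                issues.append("skew")
        findings[host] = issues
    return findings

if __name__ == "__main__":
    now = parse_ts("2025-01-10T09:40:00Z")  # constructed "current time" for the sample
    for host, issues in check_forwarding(parse_records(SAMPLE_RECEIVED), EXPECTED_HOSTS, now).items():
        print(host, "OK" if not issues else ", ".join(issues))
```

Every host in the inventory that returns a non-empty finding list is a candidate for the "investigate promptly" step; thresholds should be tuned to the forwarding interval actually configured.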
Implementation tips
- The IT team should set up a logging system: They need to find software that can collect security-related information from all macOS computers. This can be done by installing a central logging tool that gathers logs and sends them to a secure location for monitoring.
- The IT manager should ensure compliance: They need to establish policies that require all macOS devices in the organisation to participate in central logging. This involves communicating the importance of logging to all users and ensuring they follow the policy.
- The system administrator should configure macOS devices: They need to set up each device to ensure it sends the correct logs to the central server. This could involve changing settings in macOS to enable and direct logs as needed.
- The security team should routinely check logs: They need to regularly review the logs collected in the central server to spot any unusual activity. This can be done using tools that highlight suspicious behaviour or patterns.
- The procurement team should select appropriate software: They need to purchase or subscribe to a reliable logging and monitoring solution that suits the organisation’s needs. This involves researching options, getting quotes, and discussing needs with the IT team.
Audit / evidence tips
- Ask for the central logging policy document: Request to see the policy that states all macOS devices must log security events centrally. Good evidence: A recent policy document shared with all relevant staff.
- Ask for a sample of recent logs: Request logs from the central logging system for a specified recent period. Good evidence: Logs that include timestamps, device IDs, and event details.
- Ask for the list of monitoring tools used: Request a list of software and tools used for central logging and monitoring. Good evidence: A comprehensive list with information on deployment and current usage.
- Ask for access review reports: Request reports showing reviews of the central logging access permissions. Good evidence: A report showing limited access to authorised personnel only.
- Ask for evidence of security training: Request records or schedules of training provided to staff about the importance of central logging. Good evidence: Training logs showing recent sessions attended by IT and security teams.
Cross-framework mappings
How ISM-1976 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.16 | Partially meets | ISM-1976 requires security-relevant events for Apple macOS operating systems to be centrally logged |
| Annex A 5.28 | Supports | ISM-1976 requires security-relevant events on macOS to be centrally logged, improving availability and consistency of audit trails |
E8
| Relationship | Number of E8 controls |
|---|---|
| Partially overlaps | 5 |
| Supports | 2 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.