Google Santa

Collect logs from Google Santa with Elastic Agent.

Version
3.20.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

The Google Santa integration collects and parses logs from Google Santa, a security tool for macOS that monitors process executions and can blacklist/whitelist binaries.

Compatibility

The Google Santa integration was tested with logs from Santa 2022.4.

Google Santa is available for MacOS only.

The integration is by default configured to read logs from /var/db/santa/santa.log.

Logs

Google Santa log

This is the Google Santa log dataset.

An example event for log looks as following:

{
    "@timestamp": "2022-05-12T11:30:05.248Z",
    "agent": {
        "ephemeral_id": "7f9603e8-5411-4ed1-acdc-d842f98e5c8b",
        "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
        "name": "elastic-agent-97786",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "santa.log",
        "namespace": "85590",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "action": "link",
        "agent_id_status": "verified",
        "dataset": "santa.log",
        "ingested": "2024-10-01T13:57:49Z",
        "kind": "event"
    },
    "file": {
        "path": "/private/var/db/santa/santa.log",
        "target_path": "/private/var/db/santa/santa.log.0"
    },
    "group": {
        "id": "0",
        "name": "wheel"
    },
    "host": {
        "architecture": "aarch64",
        "containerized": false,
        "hostname": "elastic-agent-97786",
        "id": "8269eab9370b4429947d2a16c3058fcb",
        "ip": [
            "172.19.0.2",
            "172.18.0.4"
        ],
        "mac": [
            "02-42-AC-12-00-04",
            "02-42-AC-13-00-02"
        ],
        "name": "elastic-agent-97786",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "6.10.0-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.6 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "log"
    },
    "log": {
        "file": {
            "path": "/tmp/service_logs/santa.log"
        },
        "level": "I",
        "offset": 1150
    },
    "process": {
        "args": [
            "/usr/sbin/newsyslog"
        ],
        "entity_id": "fa4b2c2b-d00f-4e96-aaf3-d5de2b8544e6-71559-1096716",
        "executable": "/usr/sbin/newsyslog",
        "name": "newsyslog",
        "parent": {
            "pid": 1
        },
        "pid": 71559,
        "start": "2022-05-12T11:30:05.248Z"
    },
    "related": {
        "user": [
            "root"
        ]
    },
    "santa": {
        "action": "LINK",
        "pidversion": 1096716
    },
    "tags": [
        "santa-log"
    ],
    "user": {
        "id": "0",
        "name": "root"
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
santa.action
Action
keyword
santa.certificate.common_name
Common name from code signing certificate.
keyword
santa.certificate.sha256
SHA256 hash of code signing certificate.
keyword
santa.decision
Decision that santad took.
keyword
santa.disk.appearance
Timestamp for volume operation.
date
santa.disk.bsdname
The disk BSD name.
keyword
santa.disk.bus
The disk bus protocol.
keyword
santa.disk.dmgpath
The DMG (disk image) path.
keyword
santa.disk.fs
The disk volume kind (filesystem type).
keyword
santa.disk.model
The disk model.
keyword
santa.disk.mount
The disk volume path.
keyword
santa.disk.serial
The disk serial number.
keyword
santa.disk.volume
The volume name.
keyword
santa.event.uid
Event UID.
keyword
santa.event.user
Event user.
keyword
santa.explain
Further details for the decision.
keyword
santa.graphical_session_id
The graphical session ID.
long
santa.mode
Operating mode of Santa.
keyword
santa.pidversion
macOS process identity version.
long
santa.reason
Reason for the decision.
keyword
santa.team_id
Team ID.
keyword

Changelog

VersionDetailsKibana version(s)

3.20.0

Enhancement View pull request
Update ingest pipeline to avoid failures with unexpected log formats.

8.13.0 or higher

3.19.1

Bug fix View pull request
Use triple-brace Mustache templating when referencing variables in ingest pipelines.

8.13.0 or higher

3.19.0

Enhancement View pull request
Add support for team ID field.

8.13.0 or higher

3.18.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

3.17.0

Enhancement View pull request
Update manifest format version to v3.0.3.

8.7.1 or higher

3.16.2

Enhancement View pull request
Changed owners

8.7.1 or higher

3.16.1

Bug fix View pull request
Fix exclude_files pattern.

8.7.1 or higher

3.16.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.7.1 or higher

3.15.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

8.7.1 or higher

3.14.0

Enhancement View pull request
ECS version updated to 8.10.0.

8.7.1 or higher

3.13.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

8.7.1 or higher

3.12.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.7.1 or higher

3.11.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.7.1 or higher

3.10.0

Enhancement View pull request
Convert dashboards to Lens.

8.7.1 or higher

3.9.0

Enhancement View pull request
Update to package-spec 2.9.0.

8.1.0 or higher

3.8.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.1.0 or higher

3.7.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.1.0 or higher

3.6.0

Enhancement View pull request
Update package to ECS 8.7.0.

8.1.0 or higher

3.5.1

Enhancement View pull request
Added categories and/or subcategories.

8.1.0 or higher

3.5.0

Enhancement View pull request
Update package to ECS 8.6.0.

8.1.0 or higher

3.4.1

Enhancement View pull request
Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load

8.1.0 or higher

3.4.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.17.0 or higher
8.0.0 or higher

3.3.0

Enhancement View pull request
Update package to ECS 8.4.0

7.17.0 or higher
8.0.0 or higher

3.2.1

Enhancement View pull request
Update package name and description to align with standard wording

7.17.0 or higher
8.0.0 or higher

3.2.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.17.0 or higher
8.0.0 or higher

3.1.0

Enhancement View pull request
Add process.entity_id field.

7.17.0 or higher
8.0.0 or higher

3.0.0

Enhancement View pull request
Update log format to support the GA releases of Santa. The pre-GA Santa log format (circa 2017) is no longer accepted.

2.1.0

Enhancement View pull request
Update to ECS 8.2

7.17.0 or higher
8.0.0 or higher

2.0.1

Enhancement View pull request
Add documentation for multi-fields

7.17.0 or higher
8.0.0 or higher

2.0.0

Enhancement View pull request
Update to ECS 8.0

Enhancement View pull request
process.ppid replaced with process.parent.pid (breaking change)

7.17.0 or higher
8.0.0 or higher

1.1.0

Enhancement View pull request
Add 8.0.0 version constraint

7.16.0 or higher
8.0.0 or higher

1.0.3

Enhancement View pull request
Uniform with guidelines

7.16.0 or higher

1.0.2

Enhancement View pull request
Update Title and Description.

7.16.0 or higher

1.0.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

1.0.0

Enhancement View pull request
make GA

0.4.0

Enhancement View pull request
Update to ECS 1.12.0

0.3.2

Enhancement View pull request
Convert to generated ECS fields

0.3.1

Enhancement View pull request
update to ECS 1.11.0

0.3.0

Enhancement View pull request
Update integration description

0.2.0

Enhancement View pull request
Set "event.module" and "event.dataset"

0.1.0

Enhancement View pull request
update to ECS 1.10.0 and adding event.original options

0.0.3

Enhancement View pull request
update to ECS 1.9.0

0.0.2

Enhancement View pull request
Fix compatibility with Kibana

0.0.1

Enhancement View pull request
initial release

On this page