Enable Auditing
$ /usr/bin/sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
Read Auditing Setting
LAUNCHD_RUNNING=$(/bin/launchctl list | /usr/bin/grep -c com.apple.auditd)
AUDITD_RUNNING=$(/usr/sbin/audit -c | /usr/bin/grep -c "AUC_AUDITING")
if [[ $LAUNCHD_RUNNING == 1 ]] && [[ -e /etc/security/audit_control ]] && [[ $AUDITD_RUNNING == 1 ]]; then
echo "pass"
else
echo "fail"
fi
Splunk
index=* host=myMacOSMachine | eval eventSize=len(_raw) | stats sum(eventSize) as totalBytes by sourcetype | eval totalKB=round(totalBytes/1024, 2) | eval totalMB=round(totalKB/1024, 2) | eval totalGB=round(totalMB/1024, 2) | fields sourcetype, totalBytes, totalKB, totalMB, totalGB
