
Conversation

@muskan-agarwal26
Contributor

Proposed commit message

The initial release includes unified_log data stream and associated dashboard.

macOS fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from live data samples.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

To test the macOS package:

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/macos directory.
  • Run the following command to run tests.

elastic-package test

Run asset tests for the package
2025/10/29 15:10:56  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
--- Test results for package: macos - START ---
╭─────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                                      │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ macos   │             │ asset     │ dashboard macos-4b49d421-2f03-4dd2-891f-cbd7e2786e35 is loaded │ PASS   │      1.622µs │
│ macos   │             │ asset     │ dashboard macos-4fae07f9-fff4-49d0-8ed6-54a63b4c6426 is loaded │ PASS   │        363ns │
│ macos   │ unified_log │ asset     │ index_template logs-macos.unified_log is loaded                │ PASS   │        739ns │
│ macos   │ unified_log │ asset     │ ingest_pipeline logs-macos.unified_log-0.1.0 is loaded         │ PASS   │        213ns │
╰─────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: macos - END   ---
Done
Run pipeline tests for the package
--- Test results for package: macos - START ---
╭─────────┬─────────────┬───────────┬─────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                   │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼─────────────────────────────────────────────┼────────┼──────────────┤
│ macos   │ unified_log │ pipeline  │ (ingest pipeline warnings test-unified.log) │ PASS   │ 708.724132ms │
│ macos   │ unified_log │ pipeline  │ test-unified.log                            │ PASS   │ 964.410061ms │
╰─────────┴─────────────┴───────────┴─────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: macos - END   ---
Done
Run policy tests for the package
--- Test results for package: macos - START ---
No test results
--- Test results for package: macos - END   ---
Done
Run static tests for the package
--- Test results for package: macos - START ---
No test results
--- Test results for package: macos - END   ---
Done
Run system tests for the package
--- Test results for package: macos - START ---
No test results
--- Test results for package: macos - END   ---
Done

Related issues

Screenshots

[Screenshot: macos-1] [Screenshot: macos-2]

@muskan-agarwal26 muskan-agarwal26 requested a review from a team as a code owner October 29, 2025 09:44
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Crest Contributions from Crest developement team. New Integration Issue or pull request for creating a new integration package. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. labels Oct 29, 2025


This is a good start, but I don't think it's complete enough or shows the right metrics for a security analyst -

The total request/response/network bytes aren't that useful without time context or comparative baselines.

Same feedback for "Events by response status" and "Events by privacy status" - these are basically saying "everything worked" but don't give actionable info.

Also, re the top source IP datatable - it doesn't show which processes are communicating, destination IPs, protocols/ports or time of activity which are more relevant...

Can we try editing some of this @muskan-agarwal26 @piyush-elastic - can you let me know if any of these visualizations are possible based on the information available in the logs?

  • "Network connections over time" (maybe an area chart?) showing connections/minute, color-coded by new/established/closed
  • "Active network connections" table showing process, local port, remote IP, state, duration
  • "Top external destinations" table showing domains/IPs and # of connections

cc @jamiehynds

Contributor Author


Sure, @cpascale43 , I’ll follow your suggestions and make the necessary changes.


Similar feedback to the Network dashboard - can we make sure this has more security context?

The biggest enhancements would be an events timeline, and a more security-specific events breakdown table.

The pie charts up top aren't very meaningful on their own, so I think we could replace them with an area chart showing aggregated security events over time. Is there a way a user could see key events represented on the top and when they occurred, like

  • "3 failed authentication attempts at 12:23"
  • "New process launched from /tmp at 9:15"

Also, the "Events by Subsystem" and "Events by Category" bar charts are a bit strange - I think it would be more useful to bucket the events into categories like "Authentication", "Process", "Network", "File system" etc, in line with the categories outlined in the issue.

Can we make a "Security Event Types" table showing a breakdown of the number of events per category? Something like

Authentication Events
---------
- Successful logins | 45
- Failed logins | 3
- Privilege escalation | 12 
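As an added illustration of the breakdown table and timeline annotations suggested in the comment above (this is not code from the PR or the integration), a script that buckets ECS-mapped unified_log documents by `event.category`, `event.outcome` and `event.type` and flags key events such as repeated failed logins or a process launched from /tmp; the sample documents are constructed and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed ECS-shaped documents, like what the unified_log pipeline emits after mapping; values are made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-10-29T12:23:01Z", "event": {"category": ["authentication"], "outcome": "failure"}},
    {"@timestamp": "2025-10-29T12:23:08Z", "event": {"category": ["authentication"], "outcome": "failure"}},
    {"@timestamp": "2025-10-29T12:23:40Z", "event": {"category": ["authentication"], "outcome": "failure"}},
    {"@timestamp": "2025-10-29T12:25:02Z", "event": {"category": ["authentication"], "outcome": "success"}},
    {"@timestamp": "2025-10-29T09:15:00Z", "event": {"category": ["process"], "type": ["start"]}, "process": {"executable": "/tmp/x"}},
    {"@timestamp": "2025-10-29T09:16:30Z", "event": {"category": ["network"], "type": ["connection"]}},
    {"@timestamp": "2025-10-29T09:17:00Z", "event": {"category": ["file"], "type": ["change"]}},
]

def classify(doc):
    """Return (section, row) for the breakdown table, derived from ECS event.category/outcome/type."""
    ev = doc.get("event", {})
    cats, types = set(ev.get("category", [])), set(ev.get("type", []))
    if "authentication" in cats:
        return "Authentication Events", "Failed logins" if ev.get("outcome") == "failure" else "Successful logins"
    if "process" in cats:
        return "Process Events", "Process started" if "start" in types else "Process ended"
    if "network" in cats:
        return "Network Events", "Connections"
    if "file" in cats:
        return "File System Events", "File changes"
    return "Other", "Unclassified"

def breakdown(docs):
    """Count rows per section, e.g. {'Authentication Events': {'Failed logins': 3, 'Successful logins': 1}}."""
    table = defaultdict(Counter)
    for doc in docs:
        section, row = classify(doc)
        table[section][row] += 1
    return {s: dict(c) for s, c in table.items()}

def key_events(docs, threshold=3):
    """Timeline annotations: minutes with >= threshold failed logins (assumed threshold) and /tmp launches."""
    failed_by_minute, notes = Counter(), []
    for doc in docs:
        minute = doc["@timestamp"][11:16]  # "HH:MM" from an ISO-8601 timestamp
        ev = doc.get("event", {})
        if "authentication" in ev.get("category", []) and ev.get("outcome") == "failure":
            failed_by_minute[minute] += 1
        exe = doc.get("process", {}).get("executable", "")
        if "process" in ev.get("category", []) and "start" in ev.get("type", []) and exe.startswith("/tmp/"):
            notes.append(f"New process launched from /tmp at {minute}")
    notes += [f"{n} failed authentication attempts at {m}" for m, n in sorted(failed_by_minute.items()) if n >= threshold]
    return notes
```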

