Monitoring macOS Resources with Wazuh#

Introduction#

Monitoring macOS resources provides organizations with critical insights into endpoint performance and potential security issues. By tracking system resource utilization, IT teams can identify performance bottlenecks, detect anomalous behavior that may indicate security threats, and optimize resource allocation across their macOS fleet.

Wazuh, an open source XDR platform, enables comprehensive monitoring of macOS endpoints through its command monitoring capabilities and customizable alerting system. This integration provides:

🔍 Real-time Resource Tracking: Monitor CPU, memory, disk, and network usage
📊 Performance Metrics: Collect and analyze detailed system performance data
🚨 Proactive Alerting: Get notified when resources exceed defined thresholds
📈 Historical Analysis: Track resource usage trends over time
🛡️ Security Insights: Detect resource anomalies that may indicate threats

macOS Performance Metrics#

Key Metrics to Monitor#

Understanding macOS performance requires tracking several critical metrics:

1. CPU Usage#

CPU usage represents the percentage of processor capacity being utilized. macOS categorizes CPU usage into:

User: Time spent running user processes
System: Time spent running kernel operations
Idle: Unused CPU capacity

1
top -l 1 | grep 'CPU usage'
2
# Output: CPU usage: 23.33% user, 75.0% sys, 1.66% idle

Calculation:

1
Total CPU (%) = user + sys + idle
2
Total CPU usage (%) = ((user + sys) * 100) / Total CPU

2. CPU Load#

CPU load measures the number of processes using or waiting for processor time:

1
top -l 1 | grep 'Load Avg'
2
# Output: Load Avg: 1.84, 1.75, 1.80

Where:

1.84 = 1-minute average
1.75 = 5-minute average
1.80 = 15-minute average

3. Memory Utilization#

Memory usage shows the percentage of RAM currently in use:

1
top -l 1 | grep PhysMem
2
# Output: PhysMem: 3027M used (588M wired, 13M compressor), 1068M unused.

Calculation:

1
MemUsed = app memory + wired memory + compressed
2
Memory utilization (%) = (MemUsed * 100) / (MemUsed + MemUnused)

4. Disk Usage#

Disk usage indicates the percentage of storage space occupied:

1
df -h /
2
# Output: /dev/disk1s5s1   80Gi  8.4Gi   63Gi    12%   /

Calculation:

1
Total usable (Gi) = DiskUsed + DiskAvailable
2
Disk usage (%) = (DiskUsed * 100) / Total usable

5. Network Utilization#

Network utilization measures bandwidth usage:

1
top -l 1 | grep Networks
2
# Output: Networks: packets: 13108/2660K in, 12579/2722K out.

Architecture Overview#

1
flowchart TB
2
    subgraph "macOS Endpoint"
3
        T1[System Commands]
4
        T2[top, df, uptime]
5
        T3[Command Output]
6
    end
7

8
    subgraph "Wazuh Agent"
9
        C1[Command Module]
10
        C2[Log Collection]
11
        C3[Event Generation]
12
    end
13

14
    subgraph "Wazuh Server"
15
        D1[Decoders]
16
        R1[Rules Engine]
17
        A1[Alert Generation]
18
    end
19

20
    subgraph "Wazuh Dashboard"
21
        V1[Visualizations]
22
        DB1[Dashboards]
23
        AL1[Alerts Display]
24
    end
25

26
    T1 --> T2
27
    T2 --> T3
28
    T3 --> C1
29
    C1 --> C2
30
    C2 --> C3
31
    C3 --> D1
32
    D1 --> R1
33
    R1 --> A1
34
    A1 --> V1
35
    A1 --> DB1
36
    A1 --> AL1
37

38
    style C1 fill:#51cf66
39
    style R1 fill:#4dabf7
40
    style DB1 fill:#ffd43b

Implementation Guide#

Prerequisites#

Wazuh Server: Version 4.4.4+ with all components
macOS Endpoint: macOS 13.4+ with Wazuh agent 4.4.4 installed
Permissions: Administrative access on macOS endpoint

Phase 1: Configure Command Monitoring on macOS#

Edit /Library/Ossec/etc/ossec.conf and add the following configurations within the <ossec_config> block:

1
<!-- CPU usage: percentage -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>top -l 1 | grep 'CPU usage' | awk '{print ($3+$5)*100/($3+$5+$7)}'</command>
5
  <alias>CPU_health</alias>
6
  <out_format>$(timestamp) $(hostname) CPU_health: $(log)</out_format>
7
  <frequency>30</frequency>
8
</localfile>
9

10
<!-- memory usage: percentage -->
11
<localfile>
12
  <log_format>full_command</log_format>
13
  <command>top -l 1 | grep PhysMem | awk '$NF=="unused."{print ($2*100)/($2+$(NF-1))}'</command>
14
  <alias>memory_health</alias>
15
  <out_format>$(timestamp) $(hostname) memory_health: $(log)</out_format>
16
  <frequency>30</frequency>
17
</localfile>
18

19
<!-- disk usage: percentage -->
20
<localfile>
21
  <log_format>full_command</log_format>
22
  <command>df -h | awk '$NF=="/"{print $3*100/($3+$4)}'</command>
23
  <alias>disk_health</alias>
24
  <out_format>$(timestamp) $(hostname) disk_health: $(log)</out_format>
25
  <frequency>30</frequency>
26
</localfile>
27

28
<!-- CPU usage metrics -->
29
<localfile>
30
  <log_format>full_command</log_format>
31
  <command>top -l 1 | grep 'CPU usage' | awk '{print $3, $5, ($3+$5)*100/($3+$5+$7)"%", $7}'</command>
32
  <alias>cpu_metrics</alias>
33
  <out_format>$(timestamp) $(hostname) cpu_usage_check: $(log)</out_format>
34
  <frequency>30</frequency>
35
</localfile>
36

37
<!-- load average metrics -->
38
<localfile>
39
  <log_format>full_command</log_format>
40
  <command>top -l 1 | grep 'Load Avg' | awk '{print $3, $4, $5}'</command>
41
  <alias>load_average_metrics</alias>
42
  <out_format>$(timestamp) $(hostname) load_average_check: $(log)</out_format>
43
  <frequency>30</frequency>
44
</localfile>
45

46
<!-- memory metrics -->
47
<localfile>
48
  <log_format>full_command</log_format>
49
  <command>top -l 1 | grep PhysMem | awk '$NF=="unused."{print $2,$(NF-1)}'</command>
50
  <alias>memory_metrics</alias>
51
  <out_format>$(timestamp) $(hostname) memory_check: $(log)</out_format>
52
  <frequency>30</frequency>
53
</localfile>
54

55
<!-- disk metrics -->
56
<localfile>
57
  <log_format>full_command</log_format>
58
  <command>df -h | awk '$NF=="/"{print $2,$3,$4,$3+$4"Gi"}'</command>
59
  <alias>disk_metrics</alias>
60
  <out_format>$(timestamp) $(hostname) disk_check: $(log)</out_format>
61
  <frequency>30</frequency>
62
</localfile>
63

64
<!-- network metrics -->
65
<localfile>
66
  <log_format>full_command</log_format>
67
  <command>top -l 1 | grep Networks | awk '$NF=="out."{print $3,$5}'</command>
68
  <alias>network_metrics</alias>
69
  <out_format>$(timestamp) $(hostname) network_check: $(log)</out_format>
70
  <frequency>30</frequency>
71
</localfile>

Restart the Wazuh agent:

1
sudo /Library/Ossec/bin/wazuh-control restart

Phase 2: Configure Wazuh Server#

Add Custom Decoders#

Add to /var/ossec/etc/decoders/local_decoder.xml:

1
<!-- CPU health check -->
2
<decoder name="CPU_health">
3
    <program_name>CPU_health</program_name>
4
</decoder>
5

6
<decoder name="CPU_health_sub">
7
  <parent>CPU_health</parent>
8
  <prematch>ossec: output: 'CPU_health':\.</prematch>
9
  <regex offset="after_prematch">(\S+)</regex>
10
  <order>cpu_usage_%</order>
11
</decoder>
12

13
<!-- Memory health check -->
14
<decoder name="memory_health">
15
    <program_name>memory_health</program_name>
16
</decoder>
17

18
<decoder name="memory_health_sub">
19
  <parent>memory_health</parent>
20
  <prematch>ossec: output: 'memory_health':\.</prematch>
21
  <regex offset="after_prematch">(\S+)</regex>
22
  <order>memory_usage_%</order>
23
</decoder>
24

25
<!-- Disk health check -->
26
<decoder name="disk_health">
27
    <program_name>disk_health</program_name>
28
</decoder>
29

30
<decoder name="disk_health_sub">
31
  <parent>disk_health</parent>
32
  <prematch>ossec: output: 'disk_health':\.</prematch>
33
  <regex offset="after_prematch">(\S+)</regex>
34
  <order>disk_usage_%</order>
35
</decoder>
36

37
<!-- CPU usage metrics -->
38
<decoder name="cpu_usage_check">
39
    <program_name>cpu_usage_check</program_name>
40
</decoder>
41

42
<decoder name="cpu_usage_check_sub">
43
  <parent>cpu_usage_check</parent>
44
  <prematch>ossec: output: 'cpu_metrics':\.</prematch>
45
  <regex offset="after_prematch">(\S+%) (\S+%) (\S+) (\S+%)</regex>
46
  <order>userCPU_usage_%, sysCPU_usage_%, totalCPU_used_%, idleCPU_%</order>
47
</decoder>
48

49
<!-- Load average metrics -->
50
<decoder name="load_average_check">
51
    <program_name>load_average_check</program_name>
52
</decoder>
53

54
<decoder name="load_average_check_sub">
55
  <parent>load_average_check</parent>
56
  <prematch>ossec: output: 'load_average_metrics':\.</prematch>
57
  <regex offset="after_prematch">(\S+), (\S+), (\S+)</regex>
58
  <order>1min_loadAverage, 5mins_loadAverage, 15mins_loadAverage</order>
59
</decoder>
60

61
<!-- Memory metrics -->
62
<decoder name="memory_check">
63
    <program_name>memory_check</program_name>
64
</decoder>
65

66
<decoder name="memory_check_sub">
67
  <parent>memory_check</parent>
68
  <prematch>ossec: output: 'memory_metrics':\.</prematch>
69
  <regex offset="after_prematch">(\S+) (\S+)</regex>
70
  <order>memory_used_bytes, memory_available_bytes</order>
71
</decoder>
72

73
<!-- Disk metrics -->
74
<decoder name="disk_check">
75
    <program_name>disk_check</program_name>
76
</decoder>
77

78
<decoder name="disk_check_sub">
79
  <parent>disk_check</parent>
80
  <prematch>ossec: output: 'disk_metrics':\.</prematch>
81
  <regex offset="after_prematch">(\S+) (\S+) (\S+) (\S+)</regex>
82
  <order>total_disk_size, disk_used, disk_free, total_usable</order>
83
</decoder>
84

85
<!-- Network metrics -->
86
<decoder name="network_check">
87
    <program_name>network_check</program_name>
88
</decoder>
89

90
<decoder name="network_check_sub">
91
  <parent>network_check</parent>
92
  <prematch>ossec: output: 'network_metrics':\.</prematch>
93
  <regex offset="after_prematch">(\S+) (\S+)</regex>
94
  <order>network_in, network_out</order>
95
</decoder>

Add Detection Rules#

Add to /var/ossec/etc/rules/local_rules.xml:

1
<group name="performance_metric,">
2
  <!-- High memory usage -->
3
  <rule id="100101" level="12">
4
    <decoded_as>memory_health</decoded_as>
5
    <field type="pcre2" name="memory_usage_%">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
6
    <description>Memory usage is high: $(memory_usage_%)%</description>
7
    <options>no_full_log</options>
8
  </rule>
9

10
  <!-- High CPU usage -->
11
  <rule id="100102" level="12">
12
    <decoded_as>CPU_health</decoded_as>
13
    <field type="pcre2" name="cpu_usage_%">^(0*[8-9]\d|0*[1-9]\d{2,})</field>
14
    <description>CPU usage is high: $(cpu_usage_%)%</description>
15
    <options>no_full_log</options>
16
  </rule>
17

18
  <!-- High disk usage -->
19
  <rule id="100103" level="12">
20
    <decoded_as>disk_health</decoded_as>
21
    <field type="pcre2" name="disk_usage_%">^(0*[7-9]\d|0*[1-9]\d{2,})</field>
22
    <description>Disk space is running low: $(disk_usage_%)%</description>
23
    <options>no_full_log</options>
24
  </rule>
25

26
  <!-- CPU usage check -->
27
  <rule id="100104" level="3">
28
    <decoded_as>cpu_usage_check</decoded_as>
29
    <description>CPU usage metrics: $(totalCPU_used_%) of CPU is in use</description>
30
  </rule>
31

32
  <!-- Load average check -->
33
  <rule id="100105" level="3">
34
    <decoded_as>load_average_check</decoded_as>
35
    <description>Load average metrics: $(1min_loadAverage) for last 1 minute</description>
36
  </rule>
37

38
  <!-- Memory check -->
39
  <rule id="100106" level="3">
40
    <decoded_as>memory_check</decoded_as>
41
    <description>Memory metrics: $(memory_used_bytes) of memory is in use</description>
42
  </rule>
43

44
  <!-- Disk check -->
45
  <rule id="100107" level="3">
46
    <decoded_as>disk_check</decoded_as>
47
    <description>Disk metrics: $(disk_used) of storage is in use</description>
48
  </rule>
49

50
  <!-- Network check -->
51
  <rule id="100108" level="3">
52
    <decoded_as>network_check</decoded_as>
53
    <description>Network metrics: $(network_in) inbound | $(network_out) outbound</description>
54
  </rule>
55
</group>

Restart the Wazuh manager:

1
sudo systemctl restart wazuh-manager

Phase 3: Configure Wazuh Dashboard#

Refresh Index Pattern#

The new custom fields may appear as unknown. To fix this:

Navigate to Stack Management → Index Patterns → wazuh-alerts-*
Click the refresh button to update the index pattern
Verify that custom fields are now recognized

Create Event Queries#

CPU Usage Query:

Enter filter: rule.id:100104
Select fields: data.userCPU_usage_%, data.sysCPU_usage_%, data.totalCPU_used_%, data.idleCPU_%

CPU Load Query:

Enter filter: rule.id:100105
Select fields: data.1min_loadAverage, data.5min_loadAverage, data.15mins_loadAverage

Memory Utilization Query:

Enter filter: rule.id:100106
Select fields: data.memory_used_bytes, data.memory_available_bytes

Disk Usage Query:

Enter filter: rule.id:100107
Select fields: data.disk_used, data.disk_free, data.total_usable, data.total_disk_size

Network Utilization Query:

Enter filter: rule.id:100108
Select fields: data.network_in, data.network_out

Advanced Configuration#

Custom Thresholds by Time#

1
<!-- Alert on high CPU during business hours -->
2
<rule id="100109" level="10">
3
  <decoded_as>CPU_health</decoded_as>
4
  <field type="pcre2" name="cpu_usage_%">^(0*[6-9]\d|0*[1-9]\d{2,})</field>
5
  <time>8:00 am - 6:00 pm</time>
6
  <weekday>monday,tuesday,wednesday,thursday,friday</weekday>
7
  <description>High CPU usage during business hours: $(cpu_usage_%)%</description>
8
</rule>
9

10
<!-- Critical memory usage -->
11
<rule id="100110" level="14">
12
  <decoded_as>memory_health</decoded_as>
13
  <field type="pcre2" name="memory_usage_%">^(0*9[5-9]|0*100)</field>
14
  <description>Critical memory usage: $(memory_usage_%)%</description>
15
  <options>alert_by_email</options>
16
</rule>

Performance Baseline Monitoring#

1
<!-- Detect unusual load patterns -->
2
<rule id="100111" level="8">
3
  <decoded_as>load_average_check</decoded_as>
4
  <field type="pcre2" name="1min_loadAverage">^([5-9]\.|[1-9]\d+\.)</field>
5
  <description>Unusual system load detected: $(1min_loadAverage)</description>
6
</rule>
7

8
<!-- Rapid disk usage increase -->
9
<rule id="100112" level="10" frequency="3" timeframe="300">
10
  <if_sid>100107</if_sid>
11
  <description>Rapid disk usage increase detected</description>
12
</rule>

Application-Specific Monitoring#

1
<!-- Monitor specific processes -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>ps aux | grep -E 'Chrome|Safari|Firefox' | awk '{sum+=$3} END {print sum}'</command>
5
  <alias>browser_cpu_usage</alias>
6
  <out_format>$(timestamp) $(hostname) browser_cpu: $(log)</out_format>
7
  <frequency>60</frequency>
8
</localfile>
9

10
<!-- Monitor Docker resources -->
11
<localfile>
12
  <log_format>full_command</log_format>
13
  <command>docker stats --no-stream --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" 2>/dev/null || echo "No Docker"</command>
14
  <alias>docker_stats</alias>
15
  <out_format>$(timestamp) $(hostname) docker_stats: $(log)</out_format>
16
  <frequency>60</frequency>
17
</localfile>

Creating Custom Visualizations#

Performance Dashboard Components#

1
{
2
  "visualization": {
3
    "title": "macOS Resource Usage Timeline",
4
    "visState": {
5
      "type": "line",
6
      "params": {
7
        "grid": {
8
          "categoryLines": false,
9
          "style": {
10
            "color": "#eee"
11
          }
12
        },
13
        "categoryAxes": [{
14
          "id": "CategoryAxis-1",
15
          "type": "category",
16
          "position": "bottom",
17
          "show": true,
18
          "style": {},
19
          "scale": {
20
            "type": "linear"
21
          },
22
          "labels": {
23
            "show": true,
24
            "truncate": 100
25
          },
26
          "title": {}
27
        }],
28
        "valueAxes": [{
29
          "id": "ValueAxis-1",
30
          "name": "LeftAxis-1",
31
          "type": "value",
32
          "position": "left",
33
          "show": true,
34
          "style": {},
35
          "scale": {
36
            "type": "linear",
37
            "mode": "normal"
38
          },
39
          "labels": {
40
            "show": true,
41
            "rotate": 0,
42
            "filter": false,
43
            "truncate": 100
44
          },
45
          "title": {
46
            "text": "Usage %"
47
          }
48
        }],
49
        "seriesParams": [{
50
          "show": true,
51
          "type": "line",
52
          "mode": "normal",
53
          "data": {
54
            "label": "CPU Usage",
55
            "id": "1"
56
          },
57
          "valueAxis": "ValueAxis-1",
58
          "drawLinesBetweenPoints": true,
59
          "showCircles": true
60
        },
61
        {
62
          "show": true,
63
          "type": "line",
64
          "mode": "normal",
65
          "data": {
66
            "label": "Memory Usage",
67
            "id": "2"
68
          },
69
          "valueAxis": "ValueAxis-1",
70
          "drawLinesBetweenPoints": true,
71
          "showCircles": true
72
        }]
73
      }
74
    }
75
  }
76
}

Resource Heatmap#

1
{
2
  "visualization": {
3
    "title": "Resource Usage Heatmap",
4
    "visState": {
5
      "type": "heatmap",
6
      "params": {
7
        "type": "heatmap",
8
        "addTooltip": true,
9
        "addLegend": true,
10
        "enableHover": false,
11
        "legendPosition": "right",
12
        "times": [],
13
        "colorsNumber": 5,
14
        "colorSchema": "Reds",
15
        "setColorRange": false,
16
        "colorsRange": [],
17
        "invertColors": false,
18
        "percentageMode": false,
19
        "valueAxes": [{
20
          "show": false,
21
          "id": "ValueAxis-1",
22
          "type": "value",
23
          "scale": {
24
            "type": "linear",
25
            "defaultYExtents": false
26
          },
27
          "labels": {
28
            "show": false,
29
            "rotate": 0,
30
            "overwriteColor": false,
31
            "color": "#555"
32
          }
33
        }]
34
      }
35
    }
36
  }
37
}

Monitoring Best Practices#

1. Baseline Establishment#

1
#!/bin/bash
2
# Collect baseline metrics for 24 hours
3

4
LOG_FILE="/tmp/macos_baseline_$(date +%Y%m%d).log"
5

6
echo "Starting baseline collection..."
7
for i in {1..2880}; do  # 24 hours at 30-second intervals
8
    echo "$(date): $(top -l 1 | grep -E 'CPU usage|PhysMem|Load Avg')" >> "$LOG_FILE"
9
    sleep 30
10
done
11

12
# Analyze baseline
13
echo "Baseline Statistics:"
14
awk '/CPU usage/ {
15
    gsub(/%/, "", $3); gsub(/%/, "", $5); gsub(/%/, "", $7)
16
    cpu_user += $3; cpu_sys += $5; cpu_idle += $7; count++
17
} END {
18
    print "Average CPU User:", cpu_user/count"%"
19
    print "Average CPU System:", cpu_sys/count"%"
20
    print "Average CPU Idle:", cpu_idle/count"%"
21
}' "$LOG_FILE"

2. Alert Tuning#

1
<!-- Dynamic thresholds based on time and day -->
2
<rule id="100113" level="8">
3
  <decoded_as>CPU_health</decoded_as>
4
  <field type="pcre2" name="cpu_usage_%">^(0*[4-9]\d|0*[1-9]\d{2,})</field>
5
  <time>2:00 am - 6:00 am</time>
6
  <description>Unusual CPU activity during quiet hours: $(cpu_usage_%)%</description>
7
</rule>
8

9
<!-- Correlate multiple resource issues -->
10
<rule id="100114" level="12" frequency="2" timeframe="300">
11
  <if_sid>100101,100102</if_sid>
12
  <description>Multiple resource constraints detected</description>
13
</rule>

3. Performance Optimization#

1
Optimization Strategies:
2
  Command Frequency:
3
    - Critical metrics: 30 seconds
4
    - Standard metrics: 60 seconds
5
    - Historical data: 300 seconds
6

7
  Data Retention:
8
    - Real-time alerts: 7 days
9
    - Performance metrics: 30 days
10
    - Aggregated data: 90 days
11

12
  Resource Impact:
13
    - Use lightweight commands
14
    - Avoid complex calculations
15
    - Implement command result caching

Troubleshooting#

Common Issues and Solutions#

Issue 1: Commands Not Executing#

1
# Verify command execution
2
sudo -u _wazuh /Library/Ossec/bin/wazuh-control info
3

4
# Check command permissions
5
ls -la /Library/Ossec/etc/ossec.conf
6

7
# Test command manually
8
sudo -u _wazuh top -l 1 | grep 'CPU usage'

Issue 2: High Resource Consumption by Monitoring#

1
<!-- Reduce monitoring frequency -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>top -l 1 | grep 'CPU usage' | awk '{print ($3+$5)*100/($3+$5+$7)}'</command>
5
  <alias>CPU_health</alias>
6
  <out_format>$(timestamp) $(hostname) CPU_health: $(log)</out_format>
7
  <frequency>120</frequency>  <!-- Increased from 30 to 120 seconds -->
8
</localfile>

Issue 3: Custom Fields Not Appearing#

1
# Force index pattern refresh
2
curl -X POST "localhost:9200/wazuh-alerts-*/_refresh"
3

4
# Verify field mapping
5
curl -X GET "localhost:9200/wazuh-alerts-*/_mapping/field/data.cpu_usage_%"

Integration Examples#

1. Slack Notifications#

1
#!/usr/bin/env python3
2
import requests
3
import json
4

5
def send_slack_alert(webhook_url, alert_data):
6
    """Send resource alerts to Slack"""
7

8
    # Determine severity color
9
    if alert_data['rule']['level'] >= 12:
10
        color = "danger"
11
    elif alert_data['rule']['level'] >= 8:
12
        color = "warning"
13
    else:
14
        color = "good"
15

16
    message = {
17
        "attachments": [{
18
            "color": color,
19
            "title": f"macOS Resource Alert - {alert_data['agent']['name']}",
20
            "fields": [
21
                {
22
                    "title": "Alert",
23
                    "value": alert_data['rule']['description'],
24
                    "short": False
25
                },
26
                {
27
                    "title": "Hostname",
28
                    "value": alert_data['agent']['name'],
29
                    "short": True
30
                },
31
                {
32
                    "title": "Time",
33
                    "value": alert_data['timestamp'],
34
                    "short": True
35
                }
36
            ]
37
        }]
38
    }
39

40
    requests.post(webhook_url, json=message)

2. Automated Response#

1
#!/bin/bash
2
# Auto-remediation script for high resource usage
3

4
ALERT_FILE="$1"
5
RULE_ID=$(jq -r '.rule.id' "$ALERT_FILE")
6

7
case "$RULE_ID" in
8
    "100101")  # High memory
9
        echo "Clearing caches..."
10
        sudo purge
11
        ;;
12
    "100102")  # High CPU
13
        echo "Identifying top CPU consumers..."
14
        ps aux | sort -nrk 3,3 | head -10
15
        ;;
16
    "100103")  # Low disk space
17
        echo "Cleaning up disk space..."
18
        rm -rf ~/Library/Caches/*
19
        rm -rf /private/var/log/asl/*.asl
20
        ;;
21
esac

Performance Metrics Analysis#

Resource Correlation#

1
#!/usr/bin/env python3
2
import json
3
from datetime import datetime, timedelta
4

5
def analyze_resource_correlation(log_file):
6
    """Analyze correlation between different resource metrics"""
7

8
    metrics = {
9
        'cpu': [],
10
        'memory': [],
11
        'disk': [],
12
        'timestamps': []
13
    }
14

15
    with open(log_file, 'r') as f:
16
        for line in f:
17
            try:
18
                data = json.loads(line)
19
                if data['rule']['id'] == '100104':
20
                    metrics['cpu'].append(float(data['data']['totalCPU_used_%'].rstrip('%')))
21
                    metrics['timestamps'].append(data['timestamp'])
22
                elif data['rule']['id'] == '100106':
23
                    metrics['memory'].append(float(data['data']['memory_usage_%']))
24
            except:
25
                continue
26

27
    # Calculate correlation
28
    if len(metrics['cpu']) > 0 and len(metrics['memory']) > 0:
29
        from scipy.stats import pearsonr
30
        correlation, p_value = pearsonr(metrics['cpu'], metrics['memory'])
31
        print(f"CPU-Memory Correlation: {correlation:.2f} (p-value: {p_value:.4f})")

Trend Analysis#

1
-- Query for resource usage trends
2
SELECT
3
  date_trunc('hour', timestamp) as hour,
4
  AVG(CAST(data.cpu_usage_% AS FLOAT)) as avg_cpu,
5
  AVG(CAST(data.memory_usage_% AS FLOAT)) as avg_memory,
6
  AVG(CAST(data.disk_usage_% AS FLOAT)) as avg_disk
7
FROM
8
  wazuh-alerts-*
9
WHERE
10
  rule.id IN ('100101', '100102', '100103')
11
  AND timestamp > NOW() - INTERVAL '7 days'
12
GROUP BY
13
  hour
14
ORDER BY
15
  hour DESC;

Use Cases#

1. Application Performance Monitoring#

1
<!-- Monitor specific application resource usage -->
2
<localfile>
3
  <log_format>full_command</log_format>
4
  <command>ps aux | grep -i "Visual Studio Code" | awk '{print $3,$4}' | head -1</command>
5
  <alias>vscode_resources</alias>
6
  <out_format>$(timestamp) $(hostname) vscode_usage: CPU=$(log)</out_format>
7
  <frequency>60</frequency>
8
</localfile>
9

10
<rule id="100115" level="7">
11
  <decoded_as>vscode_resources</decoded_as>
12
  <regex>CPU=([5-9]\d|[1-9]\d{2,})</regex>
13
  <description>VS Code high CPU usage detected</description>
14
</rule>

2. Development Environment Monitoring#

1
#!/bin/bash
2
# Monitor development tools resource usage
3

4
TOOLS=("node" "python" "java" "docker" "postgres")
5

6
for tool in "${TOOLS[@]}"; do
7
    CPU=$(ps aux | grep -i "$tool" | awk '{sum+=$3} END {print sum}')
8
    MEM=$(ps aux | grep -i "$tool" | awk '{sum+=$4} END {print sum}')
9
    echo "$(date) - $tool: CPU=$CPU%, MEM=$MEM%"
10
done

3. Security Monitoring#

1
<!-- Detect crypto mining activity -->
2
<rule id="100116" level="14">
3
  <decoded_as>CPU_health</decoded_as>
4
  <field type="pcre2" name="cpu_usage_%">^(0*9[5-9]|0*100)</field>
5
  <time>1:00 am - 5:00 am</time>
6
  <description>Possible crypto mining: Sustained high CPU at night</description>
7
  <options>alert_by_email</options>
8
</rule>
9

10
<!-- Detect memory-based attacks -->
11
<rule id="100117" level="12" frequency="5" timeframe="300">
12
  <if_sid>100106</if_sid>
13
  <regex>memory_used_bytes.*[5-9]\d{9}</regex>
14
  <description>Rapid memory consumption - possible memory exhaustion attack</description>
15
</rule>

Conclusion#

Monitoring macOS resources with Wazuh provides organizations with comprehensive visibility into endpoint performance and potential security issues. By implementing the configurations and best practices outlined in this guide, you can:

✅ Proactively identify performance bottlenecks before they impact users
📊 Track resource trends to optimize capacity planning
🚨 Detect anomalies that may indicate security threats
📈 Maintain compliance with performance monitoring requirements
🛡️ Enhance security posture through resource-based threat detection

The flexibility of Wazuh’s command monitoring and alerting capabilities enables customized monitoring solutions tailored to your specific macOS environment needs.

Key Takeaways#

Start with Baselines: Establish normal resource usage patterns before setting thresholds
Tune Alert Levels: Adjust thresholds based on your environment’s specific needs
Monitor Holistically: Correlate multiple metrics for better insights
Automate Responses: Implement remediation scripts for common issues
Regular Review: Periodically review and adjust monitoring configurations

Resources#

Monitor your macOS fleet effectively with Wazuh. Detect, analyze, optimize! 🍎📊