<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.cmdsec.cmdreporter</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>AuditEventExcludedProcesses</key>
<array>
<string>/usr/sbin/mDNSResponder</string>
<string>/usr/sbin/syslogd</string>
<string>/Applications/splunk/bin/splunk-optimize</string>
</array>
<key>AuditEventExcludedUsers</key>
<array>
<string>_spotlight</string>
<string>_windowserver</string>
</array>
<key>AuditEventLogVerboseMessages</key>
<false/>
<key>AuditLevel</key>
<integer>1</integer>
<key>FileEventExclusionPaths</key>
<array>
<string>/Applications/splunk.*</string>
</array>
<key>FileEventInclusionPaths</key>
<array>
<string>/usr/lib/pam/.*</string>
<string>/Library/Launch.*</string>
<string>/Library/StartupItems/.*</string>
<string>/Library/Extensions/.*</string>
<string>/Library/Preferences/.*</string>
<string>/Library/PrivilegedHelperTools/.*</string>
<string>/private/etc/.*</string>
</array>
<key>LicenseEmail</key>
<string>license.email@company.com</string>
<key>LicenseExpirationDate</key>
<string>02/01/2020</string>
<key>LicenseKey</key>
<string>35c...</string>
<key>LicenseType</key>
<string>Trial</string>
<key>LicenseVersion</key>
<string>1</string>
<key>LogFileMaxNumberBackups</key>
<integer>10</integer>
<key>LogFileMaxSizeMegaBytes</key>
<string>50</string>
<key>LogFileOwnership</key>
<string>root:wheel</string>
<key>LogFilePermission</key>
<string>644</string>
<key>LogRemoteEndpointEnabled</key>
<true/>
<key>LogRemoteEndpointREST</key>
<dict>
<key>PublicKeyHash</key>
<string>7E1DDE57-CEA3-4872-A477-CD2D6B640AFB</string>
</dict>
<key>LogRemoteEndpointType</key>
<string>Splunk</string>
<key>LogRemoteEndpointURL</key>
<string>https://splunk.company.com:8088/services/collector/raw</string>
<key>UnifiedLogPredicates</key>
<array>
<string>(subsystem == "com.apple.AccountPolicy")</string>
</array>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Custom</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadOrganization</key>
<string>cmdSecurity inc</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Splunk HEC cmdReporter Preferences</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadOrganization</key>
<string>cmdSecurity inc</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
cmdReporter Wiki