From Splunk Wiki
Many operating systems can capture audit information. Audit information includes file system audit records, but is not limited to them: there are many other kinds of audit records an operating system can capture. The method for enabling auditing differs from operating system to operating system.
OS X Leopard
Apple provides a Mac OSX Security Configuration document that outlines how to enable auditing on OS X.
You have to first download a tool for your OS X distribution from here: http://www.apple.com/support/security/commoncriteria. Then follow the documentation on page 202. You basically edit /etc/hostconfig and put
in it. Restart the computer and audit records will be written to /var/log/audit. The files are in binary form, so you have to use praudit to read them.
A sample entry looks like this:
header,50,1,audit startup,0,Wed Sep 17 22:42:15 2008, + 961 msec text,auditd::Audit startup trailer,50
The record is multi-line and the timestamp is not at the start of the message, so make sure the events break correctly in Splunk. Use a scripted input that calls a script to run the praudit command in order to load the data into Splunk. See the Splunk for UNIX application for how this is done for Linux auditd logs.
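A scripted-input helper along the lines of the paragraph above, added here as an example and not taken from the wiki page or from the Splunk for UNIX app: it joins each praudit record (header through trailer) into a single line so Splunk gets one event per record with the timestamp near the front. It assumes praudit is on PATH and trails live in /var/log/audit, as the page states; the sample trail text is constructed.

```sh
#!/bin/sh
# Added example (not from the Splunk wiki page).
# praudit prints one token per line; a record runs from "header," to
# "trailer,". Joining the tokens onto one line gives Splunk a single-line
# event, so default line breaking works and the timestamp sits right after
# the header fields.

# Join every token line from "header," up to and including "trailer," into
# one line, tokens separated by a single space. Reads praudit text on stdin.
join_audit_records() {
    awk '
        /^header,/  { if (rec != "") print rec; rec = $0; next }
        /^trailer,/ { print rec " " $0; rec = ""; next }
        { if (rec != "") rec = rec " " $0 }
        END { if (rec != "") print rec }
    '
}

# Number of joined records on stdin; handy for a sanity check.
count_records() {
    join_audit_records | wc -l | tr -d ' '
}

# Constructed sample mimicking praudit text output for two records; the
# first is the "audit startup" record shown on the page, the second a
# made-up open(2) record (token values are illustrative only).
SAMPLE_TRAIL='header,50,1,audit startup,0,Wed Sep 17 22:42:15 2008, + 961 msec
text,auditd::Audit startup
trailer,50
header,101,11,open(2) - read,0,Wed Sep 17 22:43:01 2008, + 12 msec
path,/etc/hostconfig
subject,root,root,wheel,root,wheel,71,71,0,0.0.0.0
return,success,3
trailer,101'

# Scripted-input entry point: stream every trail file through praudit and
# emit one line per record on stdout for Splunk to index.
main() {
    for trail in /var/log/audit/*; do
        [ -f "$trail" ] || continue
        praudit "$trail" | join_audit_records
    done
}

# Run the real collector only where praudit exists (i.e. on the audited host).
command -v praudit >/dev/null 2>&1 && main
```

If you would rather feed Splunk the raw multi-line praudit output, the alternative is a props.conf stanza for the sourcetype with `BREAK_ONLY_BEFORE = ^header,` so each record starts a new event.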
On Windows, you have to enable object auditing. This is where an example of how to set up auditing for the Windows file system can be found.