
Install the Praxis collector on macOS

Use praxis-collector on a Mac for developer workstations, small office deployments, or edge hosts where Linux and Kubernetes are not the right fit. The collector connects to Praxis over OpAMP the same way as on other platforms; you still define the pipeline in the Praxis management plane.

Before you begin

  • Prerequisites — The same OpAMP base URL, OAuth2 client credentials, org, tenant, and pipeline identifiers you use for other platforms, shown in Praxis when you create or enroll a macOS collector.
  • Permissions — Some sources (for example reading protected paths) may need Full Disk Access or Privacy approvals in System Settings on macOS. Plan those prompts before go-live.
  • Architecture — Use the package Praxis or your team provides for your Mac (Apple Silicon arm64 vs Intel amd64).

Install (script pattern)

Praxis may show a one-line install that downloads a macOS install script and passes the same OpAMP and credential flags as on Linux. Example shape (placeholders only):

sudo bash -c "$(curl -k -L https://<artifact-host>/path/macos_install.sh)" -- \
--url wss://<praxis-host>/v1/opamp \
--secret <oauth2-client-secret> \
--key <oauth2-client-key> \
--org <org-id> \
--tenant <tenant-id> \
--pipeline <pipeline-id>

If your policy forbids unverified curl downloads (the -k flag in the example skips TLS certificate verification), fetch the script with a vetted process, inspect it, then run it with bash (see the Kubernetes install note for the same pattern).
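
One way to carry out the vetted fetch described above, as an added example (not Praxis's own tooling): it downloads with certificate verification on, checks the script against a pinned SHA-256, and leaves it on disk for inspection. The function names and the availability of a published digest are assumptions; the URL is the page's placeholder.

```shell
#!/usr/bin/env bash
# Added example: stage an install script with TLS verification and a pinned digest.
# Assumption: the expected SHA-256 comes from a channel you trust, out of band.

# Portable SHA-256: Linux usually has sha256sum, macOS ships shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest equals the pinned value.
verify_script() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  # Reject a malformed pin (must be exactly 64 hex characters).
  case "$expected" in *[!0-9a-f]*) echo "pin is not hex" >&2; return 2 ;; esac
  [ "${#expected}" -eq 64 ] || { echo "pin is not 64 chars" >&2; return 2; }
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ] && return 0
  echo "checksum mismatch: got $actual" >&2
  return 1
}

# Download over HTTPS only, certificate checks on (no -k), fail on HTTP errors.
fetch_script() {
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --output "$2" "$1"
}

# Fetch, verify, and leave the file for review; delete it on any failure.
stage_installer() {
  local url="$1" expected="$2" out="$3"
  fetch_script "$url" "$out" || { rm -f "$out"; return 1; }
  verify_script "$out" "$expected" || { rm -f "$out"; return 1; }
  chmod 0600 "$out"
  echo "verified: $out"
}

# Usage (placeholders, as on the page):
#   stage_installer "https://<artifact-host>/path/macos_install.sh" \
#       "<expected-sha256>" ./macos_install.sh
#   less ./macos_install.sh    # inspect before running
#   sudo bash ./macos_install.sh --url wss://<praxis-host>/v1/opamp ...
```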

Service and restarts

The package typically registers a LaunchDaemon (or similar) so the collector starts at login/boot and restarts on failure. Use Console.app or the log command to review collector and OpAMP messages when troubleshooting.

Behind an HTTP/HTTPS Proxy

If the host's egress to Praxis or to your destinations must traverse a corporate proxy, configure the collector with the standard Go HTTP proxy environment variables — HTTPS_PROXY, HTTP_PROXY, and NO_PROXY. There is no proxy flag in the install script; set the env on the LaunchDaemon plist so the values apply on every restart.

Edit the LaunchDaemon plist (path varies by build — typically /Library/LaunchDaemons/com.netenrich.praxis-collector.plist) and add an EnvironmentVariables dict:

<key>EnvironmentVariables</key>
<dict>
    <key>HTTPS_PROXY</key>
    <string>http://proxy.corp.local:3128</string>
    <key>HTTP_PROXY</key>
    <string>http://proxy.corp.local:3128</string>
    <key>NO_PROXY</key>
    <string>localhost,127.0.0.1,::1,.corp.local,169.254.169.254</string>
</dict>

Reload the daemon to pick up the new environment:

sudo launchctl unload /Library/LaunchDaemons/com.netenrich.praxis-collector.plist
sudo launchctl load /Library/LaunchDaemons/com.netenrich.praxis-collector.plist

Verify in Console.app or via log stream --predicate 'process == "praxis-collector"' that the OpAMP session reconnects.

NO_PROXY checklist

Always include localhost, 127.0.0.1, ::1, and the internal hostnames/CIDRs of any LAN log sources the collector connects to.

Auth-required proxies

Use HTTPS_PROXY=http://<user>:<password>@<proxy-host>:3128. URL-encode any special characters in the password.

TLS-inspecting (MITM) proxies

Add the corporate root CA to the System keychain and mark it trusted for SSL so outbound TLS handshakes validate:

sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain corp-root-ca.crt
sudo launchctl kickstart -k system/com.netenrich.praxis-collector

Note

All outbound paths honor the standard proxy env vars, including the OpAMP WebSocket (collector ↔ Praxis), the OAuth2 token endpoint, the Google SecOps HTTP and gRPC exporters, Splunk HEC, Snowflake, M365, the GitHub receiver, and other confighttp-based exporters.

The Google SecOps gRPC path uses gRPC-Go's built-in CONNECT tunneling, which inspects HTTPS_PROXY / https_proxy only — never HTTP_PROXY. Always set HTTPS_PROXY when proxying Chronicle gRPC traffic, even if you also set HTTP_PROXY for HTTP-based exporters.

Uninstall

Follow the uninstall command or script in Praxis or in your runbook (for example a macos_uninstall.sh style script). Remove the launch entry so no stale processes remain.