Reading ASL store with syslog further back than the default TTL of 2 days

I have been unable to change the time-to-live value for storage of logs in /var/log/asl/. I am accessing the logs with *syslog | grep backupd* and the entries only go back 2 days. If I use *syslog | grep kernel* for example the entries do go back much further than 2 days. I realize that the backupd entries are <notice> level so they are being discarded once the TTL is up, while the kernel entries are being archived. I would like to find a way to either archive all entries for 7 days instead of 2, or even better archive all entries from a specific process or notification level.

*syslog -d "store" | grep backupd* gives the same result also.

I have tried the command *aslmanager -ttl 7* which I assumed would change the TTL to 7 days for all entries, but /var/log/asl/ continues to only contain entries for the current day plus the 2 previous days.

I have also tried to approach this problem by using syslog to read directly from the archive file, but I don't have an archive file on my system. The man page for aslmanager claims the archive directory is /var/log/asl.archive but that does not exist on my machine (10.5.8 PPC). The command *syslog -d "archive" | grep backupd* confirms this with the error: +/var/log/asl.archive: No such file or directory+, although *syslog | grep kernel* seems to be reading the archive without me even specifying it. I can even use *syslog | grep kernel | head -n 1* and I get an entry from Jan 2 of this year.

This is what is in my /var/log/asl

2009.10.10.U0.G80.asl
2009.10.10.U0.asl
2009.10.10.U501.asl
2009.10.10.U92.asl
2009.10.10.asl
2009.10.11.U501.asl
2009.10.11.asl
2009.10.12.U0.G80.asl
2009.10.12.U0.asl
2009.10.12.U501.asl
2009.10.12.U92.asl
2009.10.12.asl
LongTTL.U0.asl
LongTTL.asl
StoreData

I also have a file at /var/log/asl.db

I'd appreciate any insight on this!

G5 Dual 2.3, Mac OS X (10.5.8)

Posted on Oct 12, 2009 6:22 PM


Nov 22, 2009 6:53 AM in response to ridogi

> I realize that the backupd entries are <notice> level so they are being discarded once the TTL is up, while the kernel entries are being archived.

I guess the level of the messages is not relevant here. It seems file system error messages from kernel have default ttl of about 1 year. See 'man syslogd' and search for -fs_ttl option.

> I have tried the command aslmanager -ttl 7

Please try specifying the options for aslmanager in
/System/Library/LaunchDaemons/com.apple.aslmanager.plist

Nov 23, 2009 1:26 PM in response to Jun T.

Thanks for the replies.

gondor123, I don't think that applies to my situation.

Jun T., the -fs_ttl option doesn't seem useful to me. I want the notice level messages to be retained longer. The kernel messages are already being retained longer than 2 days, which is what -fs_ttl is for.

I have modified the file /System/Library/LaunchDaemons/com.apple.aslmanager.plist by adding in the ttl and the 7 lines as seen below with a few lines of the surrounding file for context.

<array>
<string>/usr/sbin/aslmanager</string>
<string>-ttl</string>
<string>7</string>
<string>-size</string>
<string>65536000</string>
</array>

What happens after that edit is that the logs are saved for 7 days, but rebooting the computer causes the logs to be discarded as if it was still using the 2 day default. The com.apple.aslmanager.plist retains my -ttl setting after the reboot, but the log entries are discarded after 2 days. I have also tried to unload the com.apple.aslmanager.plist file with launchctl before making the change, and then load it again, but after a reboot any saved logs past the 2 day limit are still discarded.

twtwtw, I have tried sudo aslmanager -a -ttl 7 and sudo aslmanager -ttl 7 without effect.

Nov 23, 2009 3:21 PM in response to twtwtw

That gave me this message:
Set ASL Data Store syslog filter mask: Emergency - Notice

Emergency to Notice is the default level as far as I know so I don't know what that would have done. However, after running that command I can no longer open Console.app. Any idea how I can reverse that? I've tried removing the preference file for Console, opening log files directly in Console and running the periodic maintenance script but Console.app is still crashing on launch.

Nov 23, 2009 3:48 PM in response to ridogi

well that's weird: it obviously did something (even if it didn't do what was intended). I can't replicate the problem on my end (console.app opens fine) so it must be an interaction with one of the changes you made previously to aslmanager. try restoring the old aslmanager plist file and restarting the machine.

Nov 23, 2009 4:11 PM in response to twtwtw

I had already reverted the aslmanager.plist file, but I made that change a while back so I didn't think that would fix the console problem. I tested in a new user but Console.app wouldn't open there either. It says no log selected on the bottom left while beach balling for a few seconds before crashing.

I ran pacifist to reinstall Console from my 10.5 disk and that seems to have fixed it for the most part. "All Messages" and "Console Messages" are now blank, but all of the other logs are there, and it isn't crashing.

I also noticed that now when I run syslog the last line in its entirety is:

Segmentation fault

New entries are going above that line, so I may try wiping out today's asl entries and see if things return to normal.

There are also a few lines like these:
Mon Nov 23 18:15:06 G5 com.apple.launchd[81] ([0x0-0x28028].com.apple.Console[253]) <Warning>: Exited abnormally: Segmentation fault

Nov 23 18:43:30 G5 com.apple.launchd[1] (com.apple.aslmanager[175]): Exited abnormally: Segmentation fault

As an aside, I'm running Leopard. Do you have Leopard or Snow Leopard?

Nov 23, 2009 4:57 PM in response to twtwtw

Yes, I've restarted.

Pulling today's entries out of /var/log/asl/ means I am seeing yesterday's entries, but it still ends with the line "Segmentation fault"

Do you know which file holds the settings for syslog that would be modified by running sudo syslog -c syslogd -n? I'm thinking perhaps I can roll back to an earlier version of that file.

I also ran this:
syslog -c 0

which gave the result:
Master filter mask: Off

I think sudo syslog -c syslogd -n is specifying the level of filters for the syslogd process only, right?

Nov 23, 2009 5:09 PM in response to ridogi

well, it has no plist file that I can locate, so it may hold the settings in memory, without saving them to disk (or it may save them way down in the inaccessible root folders...). and yeah, all that command should do is set the logging level preferences for the daemon, which is why I was surprised it had any other effects.

Nov 24, 2009 6:50 AM in response to ridogi

> I want the notice level messages to be retained longer

The reason that the messages from backupd are discarded is not that they are notice level. The default TTL is 2 days for most of the messages, *irrespective of the level of the message*. Exceptions are the following two types of messages which have a default TTL of about 1 year: (1) messages used by the utmp, wtmp, and lastlog subsystems, and (2) filesystem error messages generated by the kernel. These messages are saved in LongTTL*asl. I guess the old messages from kernel you are seeing are of type (2) (you can view the contents of LongTTL.asl by 'syslog -f LongTTL.asl').

> but rebooting the computer causes the logs to be discarded as if it was still using the 2 day default

Hmm, if this is the case, then maybe aslmanager is run not only by launchd (through the plist file) but also by some other processes (syslogd ?). The aslmanager manpage says:

"aslmanager is started automatically at various times. It runs shortly after the syslogd server starts, at midnight (local time) if the system is running, and any time a file in the ASL data store directory (/var/log/asl) reaches a maximum size limit..."

syslogd is started at boot time so "shortly after the syslogd server starts" means (shortly after) boot time? Is your Mac running at midnight?
Anyway, in Leopard, I have no idea how to pass the options to aslmanager if it is not started by launchd. In Snow Leopard /etc/asl.conf can contain options for aslmanager, but this is not the case in Leopard.

Nov 24, 2009 6:49 PM in response to Jun T.

Well, I couldn't find out how to fix my Console.app problem so I reverted my OS to a backup and all is well on that front.

I think I figured out why aslmanager is clearing my logs early: I backed up the default aslmanager.plist in the LaunchDaemons directory, and while I thought I disabled that original file, I did not. So effectively I had two files active, one with a 2 day ttl and one with a 5 day ttl. I'll have to wait a few days to be sure that that was indeed the error but I think it was.

I do think aslmanager.plist on Leopard is run only by launchd. My Mac is on at midnight, but I guess at boot the entire LaunchDaemons directory gets a scan by launchd and my duplicate plist gets run at that point.

I'm curious to see what is in /etc/asl.conf file by default in SL as I'd like my script to run on 10.5 and 10.6. Do you know if editing aslmanager.plist in SL will work or are changes required to be in /etc/asl.conf?

Here is what is in 10.5's /etc/asl.conf

Q [= Facility authpriv] access 0 80
Q [= Facility remoteauth] [N<= Level 2] access 0 80

Thanks for the help everyone.
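
A check for the duplicate-job situation described in the post above, combined with a count of the days actually present in the store (an added example, not part of the original thread). The function names are made up for this example, and it assumes XML plists with one element per line, as in the excerpt quoted earlier.

```shell
#!/bin/sh
# Added example: audit launchd jobs that start aslmanager, and the days kept in the store.
# Assumes XML plists with one element per line; binary plists are not parsed.

# Print "file<TAB>ttl" for every file in DIR that runs /usr/sbin/aslmanager.
# ttl is the <string> following <string>-ttl</string>, or "default" when absent.
aslmanager_jobs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '<string>/usr/sbin/aslmanager</string>' "$f" 2>/dev/null || continue
        ttl=$(awk '
            want && match($0, /<string>[^<]*<\/string>/) {
                print substr($0, RSTART + 8, RLENGTH - 17); exit }
            /<string>-ttl<\/string>/ { want = 1 }
        ' "$f")
        printf '%s\t%s\n' "$(basename "$f")" "${ttl:-default}"
    done
    return 0
}

# Print the distinct days present in STORE, from names like 2009.10.10.U0.asl.
store_days() {
    ls "$1" 2>/dev/null | grep -E '^[0-9]{4}\.[0-9]{2}\.[0-9]{2}\..*asl$' |
        cut -c1-10 | sort -u
}

# Report both; succeed only when exactly one aslmanager job is defined.
audit() {
    found=$(aslmanager_jobs "$1")
    n=$(printf '%s\n' "$found" | awk 'NF { c++ } END { print c + 0 }')
    days=$(store_days "$2" | awk 'NF { c++ } END { print c + 0 }')
    echo "aslmanager jobs: $n; days in store: $days"
    if [ -n "$found" ]; then printf '%s\n' "$found"; fi
    [ "$n" -eq 1 ]
}

# Usage on the machine from the thread:
#   audit /System/Library/LaunchDaemons /var/log/asl
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

The scan looks at every file in the directory regardless of its name, so a backup copy left beside the original shows up as a second job with its own TTL.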

Nov 25, 2009 5:04 AM in response to ridogi

Default /etc/asl.conf in SL has lots of lines like

Q [op name value] action

but contains no options for aslmanager, although a user can add options for aslmanager in /etc/asl.conf (according to the manpage; I have never tried this).

The default TTL is changed from 2 days in Leopard to 7 days in SL; aslmanager keeps 1 week of logs without any options in SL.
