
syslogd support

There are a number of blogs and such explaining how to enable syslogd under Mac OS X to accept syslog messages sent from remote devices. Some of the older information presented indicates this technology came from FreeBSD:


http://hints.macworld.com/article.php?story=20040301223642276


http://macosx.com/forums/howto-faqs/47791-howto-syslog-remote-events-etc.html


I understand the need to modify /System/Library/LaunchDaemons/com.apple.syslogd.plist and how, e.g...


http://meinit.nl/enable-apple-mac-os-x-machine-syslog-server


...so let's take that as a given.


My questions are as follows:


1) Did syslogd/syslog.conf under Mac OS X ever actually support the program/hostname block concept mentioned in the first couple of links (particularly the first one)? These features aren't documented as far as Apple is concerned, but that doesn't necessarily mean they don't work, esp. if the Apple code was really derived from FreeBSD.


2) If syslog.conf program/hostname blocks ever worked, was there an OS X release with which they stopped working, and if so, what was that release?


3) Assuming a hostname block is available, from the (FreeBSD) documentation available, it appears one could specify the following at the beginning of syslog.conf:


#+ipaddr1
*.* /var/log/remote/remsys1.log
#+*

#+ipaddr2
*.* /var/log/remote/remsys2.log
#+*

#...rest of supplied syslog.conf...


Conceptually, the desired behavior is to log all messages from ipaddr1 and ipaddr2 exclusively to /var/log/remote/remsys1.log and /var/log/remote/remsys2.log, respectively. Is this the correct syntax and will it result in the desired behavior?


I've seen references that a ported syslog-ng would provide for this functionality, but if I happen to have access to a system where it's available natively, that would be preferred.


Thanks,

Mike

Posted on Mar 22, 2014 12:10 PM
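The behaviour question 3 is after (everything from ipaddr1 to one file, everything from ipaddr2 to another, the rest to the normal log), as an added example that is not part of the original post and not how Apple's syslogd is implemented: a small Python receiver that parses RFC 3164 datagrams and routes each one to exactly one destination keyed on the sender's address. The addresses, file paths and sample datagrams are constructed for illustration; the receive loop is included for completeness, while the demo feeds the constructed datagrams directly so it runs offline.

```python
"""Per-source routing of incoming syslog datagrams (added example, not from
the thread). Routes, addresses and sample traffic below are constructed."""
import re
import socket
from collections import defaultdict

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: content
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse(datagram: bytes) -> dict:
    """Split PRI into facility/severity; keep (not drop) malformed messages."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = RFC3164.match(text)
    if not m or int(m["pri"]) > 191:  # 191 = local7.debug, the largest valid PRI
        return {"facility": "user", "severity": "notice", "host": None, "msg": text, "raw": True}
    pri = int(m["pri"])
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m["host"], "msg": m["msg"], "raw": False}


class Router:
    """Send each datagram to one destination chosen by the peer's IP address.

    The HOSTNAME field is whatever the sender wrote into the payload; the peer
    address is at least what the kernel saw on the packet, so the routing key
    here is the address, as the question's "#+ipaddr" blocks intend.
    """

    def __init__(self, routes: dict, default: str):
        self.routes = dict(routes)          # peer ip -> log path
        self.default = default              # catch-all for everyone else
        self.written = defaultdict(list)    # log path -> records (in-memory stand-in for files)

    def destination(self, peer_ip: str) -> str:
        return self.routes.get(peer_ip, self.default)

    def handle(self, datagram: bytes, peer_ip: str) -> str:
        rec = parse(datagram)
        rec["peer"] = peer_ip
        dest = self.destination(peer_ip)
        self.written[dest].append(rec)
        return dest


def serve(router: Router, bind=("0.0.0.0", 514)):
    """Blocking UDP receive loop (binding 514 needs root). Not used by demo()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, (ip, _port) = s.recvfrom(65535)
            router.handle(data, ip)


# Constructed sample: two configured senders, a third host that is not in the
# table but claims remsys1's name in its payload, and one message with no PRI.
ROUTES = {"192.0.2.10": "/var/log/remote/remsys1.log",
          "192.0.2.20": "/var/log/remote/remsys2.log"}
SAMPLE = [
    (b"<34>Mar 22 12:10:01 remsys1 sshd[811]: Failed password for root", "192.0.2.10"),
    (b"<13>Mar 22 12:10:02 remsys2 cron[42]: job finished", "192.0.2.20"),
    (b"<13>Mar 22 12:10:03 remsys1 app: not really remsys1", "203.0.113.9"),
    (b"plain text with no priority", "192.0.2.10"),
]


def demo() -> Router:
    router = Router(ROUTES, default="/var/log/system.log")
    for datagram, ip in SAMPLE:
        router.handle(datagram, ip)
    return router


if __name__ == "__main__":
    for path, recs in demo().written.items():
        print(path)
        for rec in recs:
            print("  ", rec["peer"], rec["facility"], rec["severity"], rec["host"], rec["msg"])
```

Running it shows the third datagram landing in /var/log/system.log despite naming remsys1, which is the difference between keying on the source address and keying on the hostname carried in the message.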


Mar 22, 2014 5:35 PM in response to mike-d157


mike-d157 wrote:


1) Did syslogd/syslog.conf under Mac OS X ever actually support the program/hostname block concept mentioned in the first couple of links (particularly the first one)? These features aren't documented as far as Apple is concerned, but that doesn't necessarily mean they don't work, esp. if the Apple code was really derived from FreeBSD.



The BSD pedigree of OS X is poorly understood. I can't comment on any random, decade-old blog posts.


2) If syslog.conf program/hostname blocks ever worked, was there an OS X release with which they stopped working, and if so, what was that release?

How would someone know that? OS X is a consumer operating system. There is virtually no one that has ever turned on remote logging. I'm pretty sure there is no one who has had it turned on with each and every OS version.




3) Assuming a hostname block is available, from the (FreeBSD) documentation available, it appears one could specify the following at the beginning of syslog.conf:


#+ipaddr1
*.* /var/log/remote/remsys1.log
#+*

#+ipaddr2
*.* /var/log/remote/remsys2.log
#+*

#...rest of supplied syslog.conf...



OS X is not FreeBSD. It has some similarities and a bit of shared lineage, but the only BSD features that work identically in OS X are those that haven't been changed in OS X.


Conceptually, the desired behavior is to log all messages from ipaddr1 and ipaddr2 exclusively to /var/log/remote/remsys1.log and /var/log/remote/remsys2.log, respectively. Is this the correct syntax and will it result in the desired behavior?

No and no.


What you want to do is this:


Add the following lines to /System/Library/LaunchDaemons/com.apple.syslogd.plist under the "Sockets" dict.

<key>NetworkListener</key>
<dict>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>

This file is binary so you will have to open it in a tool like TextWrangler that can understand it. Save the old file in case you screw it up. When you recreate the file you can just copy all of the text from TextWrangler and save it as a text plist. If you are going to be hacking around on this file you probably want it to be text anyway.


Then add the following to the beginning of /etc/asl.log

? [A= Host remsys1] file /var/log/remsys1.log file_max=5M all_max=50M
? [A= Host remsys1] ignore

Add these same two lines for each remote system. The "Host" key seems to be poorly documented. It is in the source but not the man page. The "A" stands for prefix match. I don't know if this would work for IP address too. You may need to manually create /var/log/remsys1.log at first.


Reload syslogd with launchctl to get the server running.


On the client side, the old docs still seem to be correct. Just add:

*.* @server


to /etc/syslog.conf
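The server-side steps from the reply (the Sockets entry, one rule pair per remote host, the client line) as an added example rather than code from the thread or from Apple: a Python script that uses the standard library's plistlib to add the NetworkListener entry and that generates the per-host asl rule lines. plistlib reads binary plists and writes XML, which covers the binary-to-text conversion the reply does by hand in TextWrangler. The sample plist is constructed here rather than read from a real system, the script writes nothing to disk, and the launchctl reload is left to the operator.

```python
"""Generate the collector-side configuration from the reply (added example).
The sample plist is constructed; nothing here touches /System or /etc."""
import plistlib

# Constructed stand-in for com.apple.syslogd.plist, serialised in binary form
# to mirror what the reply says you will find on disk.
SAMPLE_BINARY_PLIST = plistlib.dumps(
    {
        "Label": "com.apple.syslogd",
        "ProgramArguments": ["/usr/sbin/syslogd"],
        "Sockets": {
            "BSDSystemLogger": {
                "SockPathMode": 438,
                "SockPathName": "/var/run/syslog",
                "SockType": "dgram",
            }
        },
    },
    fmt=plistlib.FMT_BINARY,
)


def add_network_listener(plist_bytes: bytes) -> bytes:
    """Return the plist as XML with a UDP syslog listener added under Sockets.

    plistlib.loads autodetects binary or XML input, so the result is the
    text plist the reply recommends keeping for further hand edits.
    """
    data = plistlib.loads(plist_bytes)
    sockets = data.setdefault("Sockets", {})
    # Service name "syslog" resolves via /etc/services to port 514; dgram = UDP.
    sockets["NetworkListener"] = {"SockServiceName": "syslog", "SockType": "dgram"}
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def asl_rules(hosts, log_dir="/var/log", file_max="5M", all_max="50M"):
    """Build the rule pair per host from the reply: write to its file, then stop.

    "A=" is a prefix match on Host, so "remsys1" also matches "remsys1.example.com".
    The "ignore" line keeps matched messages out of the stock catch-all rules
    that follow in the file, which is what makes the per-host file exclusive.
    """
    lines = []
    for host in hosts:
        lines.append(f"? [A= Host {host}] file {log_dir}/{host}.log "
                     f"file_max={file_max} all_max={all_max}")
        lines.append(f"? [A= Host {host}] ignore")
    return lines


def client_syslog_conf(server: str) -> str:
    """The one client-side syslog.conf line: forward everything to the collector."""
    return f"*.* @{server}"


if __name__ == "__main__":
    print(add_network_listener(SAMPLE_BINARY_PLIST).decode())
    print("\n".join(asl_rules(["remsys1", "remsys2"])))
    print(client_syslog_conf("logserver"))   # "logserver" is a placeholder name
```

Because the prefix match is on the Host value the sender reports, a per-host file built this way groups messages by what each client calls itself; pair it with the listener's source-address view (firewall logs, or a receiver that records the peer address) when the grouping has to be trustworthy.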
