
Remote syslog no longer possible due to SIP

System Integrity Protection (SIP) was added in 10.11 to protect important files on MacOS. As a security expert, I appreciate this.

However, until now I have set up syslogd to receive data from the firewall in between my cable modem and home network. That no longer works, as I am unable to modify the files necessary to make this possible.

Short of rebooting into recovery mode and temporarily disabling SIP, is there another way to receive syslog data?

Mac mini, OS X El Capitan (10.11)

Posted on Oct 14, 2015 7:23 PM

14 replies

Feb 23, 2017 7:43 AM in response to skwirl

I've just set up syslog-ng to send smb file access logs from OS X 10.6.8 servers. The homebrew distro is more current (3.2.5) than the one from macports (3.0.8), so I went with that one. If you have trouble finding it, try this:


brew tap homebrew/boneyard

brew install syslog-ng


Once I configured syslog-ng it worked as expected and all new log.smbd entries are being sent to my log server. This was the very straightforward configuration:


#############################################################################
# syslog-ng.conf file to collect log.smbd messages and ship them
# to our Security Onion server
#
# 22 Feb 2017
#   

@version: 3.2
@include "scl.conf"

source s_mac_smb {
        file("/var/log/samba/log.smbd" follow-freq(1));
};

destination d_syslog_tcp {
        syslog("the.logserver.net" transport("tcp") port(514));
};

log {
        source(s_mac_smb);
        destination(d_syslog_tcp);
};


What was not straightforward was getting it running as a LaunchDaemon. What should have been a quick and painless setup ended up taking up the good part of a day. I thought everything was fine: syslog-ng would launch when running launchctl load /Library/LaunchDaemons/org.balabit.syslog-ng.plist as expected. The trouble: launchd kept re-spawning new instances every 10 seconds and I would end up with dozens of syslog-ng processes running in the background. Here is the config I started with:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
        <dict>
                <key>Label</key>
                <string>org.balabit.syslog-ng</string>
                <key>Program</key>
                <string>/usr/local/sbin/syslog-ng</string>
                <key>RunAtLoad</key>
                <true/>
                <key>KeepAlive</key>
                <true/>
        </dict>
</plist>

Not good. After spending hours doing research, experimenting and pounding my head on the desk, I finally discovered the culprit...and, "Surprise!", it wasn't launchd causing the problem!

It seems to be related to syslog-ng's ability, on Linux systems at least, to stay running without relying on a built-in system process (like init.d or systemd). Here's what the syslog-ng man page has to say about it:


--process-mode <pidfile>

        Sets how to run syslog-ng: in the foreground (mainly used for debugging), in the background as a daemon, or in safe-background mode. By default, syslog-ng runs in safe-background mode. This mode creates a supervisor process called supervising syslog-ng, that restarts syslog-ng if it crashes.


When run in background mode, this supervising process does not spawn on Mac OS X. When running it from a terminal, ps aux | grep syslog-ng shows only a single syslog-ng process running and it does not re-spawn after being killed off. My theory: running it as a launchd process AND in background mode confuses syslog-ng's built-in keep-alive routines. So with that in mind, I edited my .plist file:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
        <dict>
                <key>Label</key>
                <string>org.balabit.syslog-ng</string>
                <key>ProgramArguments</key>
                <array>
                        <string>/usr/local/sbin/syslog-ng</string>
                        <string>--process-mode</string>
                        <string>foreground</string>
                </array>
                <key>RunAtLoad</key>
                <true/>
                <key>KeepAlive</key>
                <true/>
        </dict>
</plist>


Success! Telling launchd to run it in foreground mode, defying conventional logic, is what fixes the problem. It figures.


Here is hoping this spares someone the hours of frustration it caused me.
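The respawn loop above comes from two supervisors fighting over one process: launchd's KeepAlive and syslog-ng's own safe-background supervision. The following is an added example, not code from the post, from syslog-ng or from Apple. It reads a LaunchDaemon .plist with the standard-library plistlib, works out the argv launchd will actually run (ProgramArguments if present, otherwise Program), and flags the combination of KeepAlive with syslog-ng left in its default safe-background mode. It also notes when no UserName key is set, since a LaunchDaemon then runs as root. The two embedded plists are constructed samples mirroring the before and after in the post; the finding codes are my own naming.

```python
"""Lint a LaunchDaemon plist for the syslog-ng/launchd respawn pitfall.

Added example (not from the original post, syslog-ng or Apple). Assumes
syslog-ng's default process mode is safe-background unless --process-mode
is given, as the man page excerpt in the thread states.
"""
import plistlib

# Constructed sample: the plist the post started with (Program + KeepAlive).
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>org.balabit.syslog-ng</string>
    <key>Program</key><string>/usr/local/sbin/syslog-ng</string>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: the fixed plist (ProgramArguments with foreground mode).
AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>org.balabit.syslog-ng</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/sbin/syslog-ng</string>
        <string>--process-mode</string>
        <string>foreground</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

SYSLOG_NG_DEFAULT_MODE = "safe-background"  # per the man page quoted in the thread


def launchd_argv(plist):
    """argv launchd will execute: ProgramArguments takes precedence over Program."""
    args = plist.get("ProgramArguments")
    if args:
        return list(args)
    return [plist["Program"]] if "Program" in plist else []


def syslog_ng_mode(argv):
    """Effective --process-mode for syslog-ng, or its default when not given."""
    for i, arg in enumerate(argv):
        if arg == "--process-mode" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--process-mode="):
            return arg.split("=", 1)[1]
    return SYSLOG_NG_DEFAULT_MODE


def lint(plist_bytes):
    """Return a list of finding codes (hypothetical names) for one plist."""
    p = plistlib.loads(plist_bytes)
    findings = []
    argv = launchd_argv(p)
    if not argv:
        findings.append("no-program")
    # launchd KeepAlive plus syslog-ng self-supervision: the ten-second respawn loop
    if p.get("KeepAlive") and syslog_ng_mode(argv) != "foreground":
        findings.append("respawn-loop")
    # LaunchDaemons run as root unless UserName (and usually GroupName) is set
    if "UserName" not in p:
        findings.append("runs-as-root")
    return findings


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, lint(fh.read()) or ["ok"])
```

Run it as `python3 lint_plist.py /Library/LaunchDaemons/org.balabit.syslog-ng.plist` (the script name is whatever you save it as); "respawn-loop" is the finding for the first plist in the post and disappears for the second.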

Jan 2, 2017 6:58 AM in response to djdawson

Hi DJDawson, many thanks for posting the details / work instruction for using syslog-ng via macports.

Your syslog-ng.conf example was most helpful.


Similarly to yourself, we have now successfully implemented a remote syslog logger from a Zyxel USG60 gateway router to one of our Mac mini servers at OS X 10.11.6.

We have used an unusual port, as you did (i.e. port 64514).


In addition, what's also helpful is:

  1. Check the syntax of the .conf file via the following command prior to starting the daemon:

     syslog-ng -s

     (checks the syntax of the .conf file; handy)

  2. Use sudo launchctl load -w /Library/LaunchDaemons/org.macports.syslog-ng.plist and sudo launchctl unload -w /Library/LaunchDaemons/org.macports.syslog-ng.plist to start and stop the syslog-ng daemon process whilst you test.

warwick

Hong Kong

Oct 22, 2015 12:06 PM in response to skwirl

I ran into the same issue, but I've worked around it by installing the syslog-ng package via MacPorts and configuring it to listen on a non-standard UDP port so it doesn't conflict with the Mac OS X syslogd. Then I configured the various devices that log to my Mac to use that different port and it seems to be working OK. It's more complicated, but at least it seems to work, and I'm still able to use "newsyslog.conf" to handle to logfile rotation as well.

Nov 11, 2015 6:47 AM in response to skwirl

This brings to mind another question someone posted which Apple have made painful to deal with. As such I will first post my answer to that here 🙂


User uploaded file


Now moving on to a more useful answer, I would suggest that for basic functionality like syslog that Apple make difficult to use directly in OS X that the simplest solution is to create and use a Linux virtual machine.

Nov 11, 2015 3:02 PM in response to gaber77

My goal was to have my Mac receive syslog messages from a Cisco ASA5506 firewall configured as a VPN server and also running the new FirePOWER IPS features. I wanted most of the messages from the ASA to be sent to one file, a subset of those messages to be sent to a second file but not to the first, and all the messages from the FirePOWER module in the ASA to be sent to a third file (that FirePOWER module is managed via a different IP address, so it looks like a different device as far as logging is concerned).


Here's how I set things up to meet that goal:


Step 1. Install syslog-ng. I used the MacPorts utility ("macports.org"), which is very simple. The alternative "Homebrew" utility doesn't seem to include syslog-ng as an available package so that doesn't appear to be an option. You could also build syslog-ng from scratch from the sources at Balabit.com and get the latest version, but that's quite a bit more work. Since I'm just using basic syslog features the old version available via MacPorts is fine.


The MacPorts installer also shows you the commands necessary to install appropriate "LaunchDaemon" files so syslog-ng will start at boot time, which is an added convenience. It doesn't touch the "/System" folder, so the new security features in El Capitan that block access to that folder aren't a problem.


Step 2. Create a "syslog-ng.conf" file to implement the desired logging functionality. I started by downloading an old version of the syslog-ng Admin Guide, since MacPorts installs version 3.0.8 instead of the current 3.7. A Google search for "syslog-ng 3.0 Administrator Guide" turns up a link to the PDF version of that guide from "my.balabit.com". Based on this reference, I generated the configuration file below.


Step 3. Modify the "/etc/newsyslog.conf" file so it will rotate the log files so they don't grow without bound. The important parameter to include is the PID file for syslog-ng, since the newsyslog process needs to know which process to send a HUP signal to so it'll know the destination files have been rotated. If you don't do this logging will stop the next time newsyslog rotates the files. Here's what one of my new entries in "newsyslog.conf" looks like:


/Users/me/Logs/FirePOWER.log 640 20 1000 * J /opt/local/var/syslog-ng.pid


This line is just a copy of the other lines already in that config file, but I changed the number of files to keep to 20 and I added the path to the syslog-ng PID file to the end. You'll want a similar line for each of the log files syslog-ng is writing to.


Step 4. Modify the syslog configs on the ASA and the FirePOWER module to use the new destination UDP port for log messages. The default is 514, but since the existing Mac OS X syslog uses that port, I chose to use 10514 instead.


Step 5. Once I had all the various pieces in place I chose to just restart my Mac, though you could also just kick the appropriate processes manually to force them to restart with the new configs. Since I also wanted to verify that syslog-ng would continue to work after a reboot I had to do a restart anyway.



Below is the "syslog-ng" config file I ended up with (it goes in "/opt/local/etc", since MacPorts puts everything it does somewhere in "/opt" to keep it out of the way of Mac OS X stuff).

The "options" section does what it sounds like, and I just went through the Admin Guide Reference for the Global Options and chose values that seemed reasonable.

The "Sources" section is where the non-standard UDP port is specified, and it also includes an internal source for handling log messages from syslog-ng itself. I haven't found these to be particularly useful, however, so it could probably safely be left out.

The "Destination" section specifies the individual log files you'll send individual syslog messages to, and I chose to put them in a subdirectory of my account. Normally log messages go in "/var/log", but I thought it might be good to keep my logs completely separate from other system logs.

The "Filters" section is where the message processing happens and supports quite a wide range of features. You'll want to keep the Admin Guide nearby if you decide to get at all fancy with this. I'm matching the messages based on either the hostname or IP address of the device sending the syslog message, and for some of the logs I'm explicitly including or excluding individual messages based on text that appears in the syslog message body (this is a Regular Expression match, by the way, so it's quite flexible and powerful).

The final "Log Paths" section is where you associate Sources, Filters, and Destinations to actually send the incoming syslog messages to the desired destination files.

Finally, I chose to take advantage of the flexible nature of the config file syntax to format my config in a way that I find easier to follow. Most of the other sample syslog-ng config files I've seen online tend to run the various fields together onto single lines. It makes for a shorter looking file, but I find it easy to miss important details that way.



@version:3.0

options {
        flush_lines(0);
        normalize_hostnames(yes);
        owner("root");
        group("admin");
        perm(0640);
        use_dns(no);
        dns_cache_hosts(/etc/hosts);
        stats_freq(3600);
};

#########################################################
# Sources
#
source S_LOCAL {
        internal();
};

source SYSLOG_UDP {
        udp(port(10514));
};

#########################################################
# Destination Log Files
#
destination D_SYSLOG-NG {
        file("/Users/me/Logs/syslog-ng.log");
};

destination D_VPN {
        file("/Users/me/Logs/vpn.log");
};

destination D_VPN_FLOWS {
        file("/Users/me/Logs/flows_vpn.log");
};

destination D_FIREPOWER {
        file("/Users/me/Logs/FirePOWER.log");
};

#########################################################
# Source Filters
#
filter F_VPN {
        ( host("asa5506") or netmask(172.31.254.6/32) )
        and not message("%ASA-6-3020");
};

filter F_VPN_FLOWS {
        ( host("asa5506") or netmask(172.31.254.6/32) )
        and message("%ASA-6-3020")
        and not message("UDP.*/53 duration")
        and not message("duration 0:00:00 bytes 0");
};

filter F_FIREPOWER {
        host("FirePOWER") or netmask(172.31.254.66/32);
};

#########################################################
# Log Paths - this is where the actual logging happens!
#
log {
        source(S_LOCAL);
        destination(D_SYSLOG-NG);
};

log {
        source(SYSLOG_UDP);
        filter(F_VPN);
        destination(D_VPN);
};

log {
        source(SYSLOG_UDP);
        filter(F_VPN_FLOWS);
        destination(D_VPN_FLOWS);
};

log {
        source(SYSLOG_UDP);
        filter(F_FIREPOWER);
        destination(D_FIREPOWER);
};
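The filters in the config above decide which file (if any) each incoming message is written to, and a mistake in a regular expression silently drops or duplicates traffic. The following is an added example, not code from the post or from syslog-ng: it re-implements F_VPN, F_VPN_FLOWS and F_FIREPOWER and the three remote log paths in Python so the routing can be checked against sample messages before a config change goes to the production box. Filter semantics are modelled on syslog-ng's: host() is a regular-expression match on the sender's hostname, netmask() tests the sender's IP against a CIDR block, and message() is a regular-expression search over the message body. The sample messages and sender addresses are constructed for this example, not captured ASA or FirePOWER output.

```python
"""Trace which destination a syslog message reaches under the config above.

Added example, not from the original post. Hostnames, IPs and message
bodies below are constructed; filter behaviour is modelled on syslog-ng's
host(), netmask() and message() filter functions.
"""
import ipaddress
import re

ASA_BLOCK = ipaddress.ip_network("172.31.254.6/32")
FIREPOWER_BLOCK = ipaddress.ip_network("172.31.254.66/32")


def host(pattern, sender_host):
    """syslog-ng host(): regex match against the sender hostname."""
    return re.search(pattern, sender_host) is not None


def netmask(block, sender_ip):
    """syslog-ng netmask(): sender IP inside the given block."""
    return ipaddress.ip_address(sender_ip) in block


def message(pattern, body):
    """syslog-ng message(): regex search over the message body."""
    return re.search(pattern, body) is not None


def f_vpn(h, ip, body):
    # ( host("asa5506") or netmask(172.31.254.6/32) ) and not message("%ASA-6-3020")
    return (host("asa5506", h) or netmask(ASA_BLOCK, ip)) and not message("%ASA-6-3020", body)


def f_vpn_flows(h, ip, body):
    # Connection build/teardown messages only, minus DNS flows and empty flows
    return ((host("asa5506", h) or netmask(ASA_BLOCK, ip))
            and message("%ASA-6-3020", body)
            and not message("UDP.*/53 duration", body)
            and not message("duration 0:00:00 bytes 0", body))


def f_firepower(h, ip, body):
    return host("FirePOWER", h) or netmask(FIREPOWER_BLOCK, ip)


# (destination file, filter) pairs in the order of the log {} statements
LOG_PATHS = [
    ("/Users/me/Logs/vpn.log", f_vpn),
    ("/Users/me/Logs/flows_vpn.log", f_vpn_flows),
    ("/Users/me/Logs/FirePOWER.log", f_firepower),
]


def route(sender_host, sender_ip, body):
    """Return every destination whose log path accepts the message.

    syslog-ng writes to all matching paths; an empty list means the message
    is dropped, which is what the two 'not message()' clauses in
    F_VPN_FLOWS are there to do for DNS lookups and zero-byte connections.
    """
    return [dest for dest, accept in LOG_PATHS if accept(sender_host, sender_ip, body)]


# Constructed sample traffic: (sender hostname, sender IP, message body)
SAMPLES = [
    ("asa5506", "172.31.254.6",
     "%ASA-4-113019: Group = vpn, Username = alice, IP = 203.0.113.9, Session disconnected."),
    ("asa5506", "172.31.254.6",
     "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/50000 to inside:10.0.0.5/443"),
    ("asa5506", "172.31.254.6",
     "%ASA-6-302016: Teardown UDP connection 4712 for inside:10.0.0.5/51000 to outside:192.0.2.53/53 duration 0:00:01 bytes 140"),
    ("asa5506", "172.31.254.6",
     "%ASA-6-302014: Teardown TCP connection 4713 for outside:203.0.113.9/50001 to inside:10.0.0.5/443 duration 0:00:00 bytes 0 TCP Reset-I"),
    ("FirePOWER", "172.31.254.66",
     "SFIMS: intrusion event from detection engine, policy default, priority 2"),
    ("mystery-host", "192.0.2.77",
     "%ASA-6-302013: Built outbound TCP connection 1 for outside:192.0.2.1/80 to inside:10.0.0.9/4000"),
]


def routing_table():
    """Map each sample body to the destinations it reaches."""
    return {body: route(h, ip, body) for h, ip, body in SAMPLES}


if __name__ == "__main__":
    for body, dests in routing_table().items():
        print(f"{dests or ['<dropped>']}  <-  {body[:70]}")
```

Two things the table makes visible that the config alone does not: a 3020xx message that is excluded by the DNS or zero-byte clause in F_VPN_FLOWS is also excluded from F_VPN, so it goes nowhere, and a sender that is neither the ASA nor the FirePOWER module is dropped entirely even if its messages look like ASA output.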

Feb 26, 2016 6:13 AM in response to djdawson

@djdawson

Is there any way to change user and group to another user/group with lower privileges?

Or to use chroot too?

If I change the listen port of syslog-ng to 10514, could I run both syslog and syslog-ng?

(1) https://trac.macports.org/browser/trunk/dports/sysutils/syslog-ng/Portfile

Feb 26, 2016 10:37 AM in response to Fritz.Sto

I never bothered changing the owner and group options before, but those options exist for a reason so I just now tested it and my logging seems to still be working just fine. Note that this just changes the ownership of the log files, not the owner of the running syslog-ng process. The process ownership is a function of how you start the syslog-ng process. I'm using the "launchd" config files that the MacPorts installer created, and since I want syslog-ng to start at boot time rather than when I login the default "launchd" behavior results in such daemons running as "root". However, the man page for "launchd.plist" describes options for specifying both the userid/groupid of the running process as well as "chroot" options, so it should be simple to modify the .plist file provided by the MacPorts installer to add those options and get the behavior you want. I haven't tried this (my logging setup is in production, so I don't like to play with it too much), but I don't see why it would cause any problems as long as you switch to a non-reserved port, such as 10514.


Regarding the ports, I changed the default to use 10514 specifically so I could continue to run both syslog-ng and the default OS X syslogd at the same time and it's been working flawlessly, so you should have no trouble doing that.


I hope this helps!
