
Enable remote system event logging
I have been trying to figure out for some time how to do remote logging. This morning I finally got it to work and figured I would share the fruits of my labor.

First off, what is remote logging? If you look at your /etc/syslog.conf file you can see that certain events are being logged to /var/log/system.log. You can get more information on what the entries in syslog.conf mean from man syslog.conf. Remote logging sends those same events to another machine, so that if you are cracked, the cracker cannot erase his/her tracks without cracking the remote machine as well.


First you will need to set up the remote box so that it accepts logs sent to it from other hosts. You do that by modifying the /System/Library/StartupItems/SystemLog file: change the line that says syslogd to say syslogd -u. You will then need to restart your Mac, or you can kill syslogd and relaunch it with the -u switch.

You will also need to make sure that your firewall (you are running a firewall on this logging server, aren't you?) allows UDP traffic to port 514 from your clients. It is best to accept only from your own machines and not from 'any', since 'any' would let attackers remotely fill your logs.

Second, on the client you will need to add a line to syslog.conf. What I did was duplicate the line that was logging to /var/log/system.log and change its destination to the remote host:
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit       @remote.logger.domain
The '@' tells syslogd to send matching events to that host instead of writing them to a file. Now whenever your machine logs an event it will also send that event to the remote machine, which logs it as well. You can also have your Linux, Sun, AIX, and any other unix boxes send their logs to your secure Mac OS X logger.
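Because the remote line above was copied from the system.log line, it carries the same authpriv,remoteauth,ftp.none exclusion, so authentication events never reach the remote logger unless a second line forwards them. The following evaluator is an added example (not part of the original hint) that applies BSD syslog.conf selector rules to a constructed configuration so you can check which destinations a given facility.priority actually reaches; it handles plain levels only, not the '=' or '!' modifiers.

```python
import re

# Priority names from most to least severe (BSD syslog order).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_line(line):
    """Split 'sel;sel...  action' into ([(facilities, level), ...], action)."""
    selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)
    rules = []
    for sel in selectors.split(";"):
        facs, level = sel.rsplit(".", 1)        # e.g. "authpriv,remoteauth,ftp.none"
        rules.append((facs.split(","), level))
    return rules, action

def matches(rules, facility, priority):
    """Apply selectors left to right; the last one naming a facility wins."""
    default, overrides = None, {}
    for facs, level in rules:
        for fac in facs:
            if fac == "*":
                default, overrides = level, {}  # '*' resets every facility
            else:
                overrides[fac] = level
    level = overrides.get(facility, default)
    if level in (None, "none"):
        return False
    if level == "*":                            # 'fac.*' means every priority
        level = "debug"
    return PRIORITIES.index(priority) <= PRIORITIES.index(level)

def destinations(conf_text, facility, priority):
    """Return the actions (files or @hosts) that receive facility.priority."""
    out = []
    for line in conf_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rules, action = parse_line(line)
            if matches(rules, facility, priority):
                out.append(action)
    return out

# Constructed syslog.conf: the hint's line duplicated to the remote host, plus
# the local line that catches the authpriv/remoteauth events the hint excludes.
SAMPLE_CONF = """
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit  /var/log/system.log
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit  @remote.logger.domain
authpriv.*;remoteauth.crit                                          /var/log/secure.log
"""

if __name__ == "__main__":
    for fac, pri in [("auth", "notice"), ("authpriv", "info"), ("mail", "err")]:
        print(f"{fac}.{pri} -> {destinations(SAMPLE_CONF, fac, pri)}")
```

Running it shows authpriv.info landing only in the local secure.log, which is exactly what an intruder can edit; adding a line such as "authpriv.*;remoteauth.crit @remote.logger.domain" closes that gap.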

[Editor's note: I have not tested this locally, but this sounds like a great idea if you'd like to make sure you have log files in the event of a hack...]
remote logging disconnects - HELP
Authored by: bmcgill on Dec 30, '02 09:46:51AM

Remote logging seems to work ok except for one BIG thing. When the syslog restarts nightly (to start a new log file) the connection on port 514 is lost. The only way I've found to resume logging to the remote computer is to restart the server. I've tried restarting the syslogd, just the remote computer, and both - no go. So, at this point, the only way I can keep the remote logging running daily is to reboot the server after every syslog restart. Not exactly efficient! Anyone have any ideas here?



remote logging disconnects - HELP
Authored by: PeterK on May 29, '05 09:48:34PM

Yeah, I also have exactly this problem.



remote logging disconnects - HELP
Authored by: PeterK on May 30, '05 05:02:25AM

In order to fix logging after periodic daily the following SEEMS to work. I cannot recommend this as a solution but it (almost) avoids the need to reboot:
Use the following commands:
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Then go to System Prefs > Sharing > Firewall > Advanced ... and uncheck and recheck Enable Firewall Logging.

The first two commands can be included in daily.local. But I would very much like to know how to do the second at the command line: is there an applescript to do this?


