
10.3: Enable remote logging features UNIX

There's a great hint here about making a Mac a remote logging machine for other Macs, firewalls, or anything capable of sending its logs elsewhere. Well, under Panther, enough has changed that it needs to be done a little differently. Specifically, the /System -> Library -> StartupItems -> SystemLog file that is referred to in the former hint is now empty, so there is no line to edit and make the hinted changes.

Instead, do this:
Edit /etc/rc and change line 110 from:

/usr/sbin/syslogd -s -m 0
to:

/usr/sbin/syslogd -u
The flag that matters is -s: with it, syslogd only accepts messages from local processes and never listens for datagrams on UDP port 514 (the comments below trace this through the syslogd source). The -u flag has nothing to do with remote logging (per the source it means "only log specified priority"), so "/usr/sbin/syslogd -m 0" with the -s removed would do just as well. Dropping "-m 0" also brings back the periodic "-- MARK --" lines at syslogd's default interval (20 minutes in the FreeBSD syslogd this one derives from).
The other stuff from the previous hint about editing /etc/syslog.conf is still valid. Read the rest of the hint for my syslog.conf file and a cron job to manage the generated logs.

Here is my syslog.conf file. My network engineer set our Pix firewall to send its data to my IP address as local4. I route that to a file called pix.log in my /var/log directory, and I have a cron job archive the file and clear it nightly.

***************
*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit                     /dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit;local4.none   /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit                    /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publicly-readable
# files.
authpriv.*;remoteauth.crit         /var/log/secure.log

lpr.info                           /var/log/lpr.log
mail.*                             /var/log/mail.log
ftp.*                              /var/log/ftp.log
netinfo.err                        /var/log/netinfo.log
local4.*                           /var/log/pix.log

# *.emerg                          *
Oh, what the heck. Here is the nightly job that moves the file, renames it with the date, and creates a new empty log to capture incoming data...

#!/bin/sh
# Nightly job (root's crontab) to rotate the PIX log.
# First moves the file to a dated copy, then creates a new empty log,
# then tells syslogd to reopen its files, then hands the archive to the user.
# The date is computed once so a run that straddles midnight does not
# move the file under one name and chown a file under another.

ARCHIVE="/Users/lfinkelstein/pix logs/`/bin/date +%m%d%y`.txt"

/bin/mv /var/log/pix.log "$ARCHIVE"
/usr/bin/touch /var/log/pix.log
/usr/bin/killall -HUP syslogd
/usr/sbin/chown lfinkelstein "$ARCHIVE"
/usr/bin/chgrp admin "$ARCHIVE"

10.3: Enable remote logging features | 10 comments
10.3: Enable remote logging features
Authored by: stetner on Nov 27, '03 06:14:23PM

I emailed this to another list
--------------------------
Yet another quick note on syslogd.

    case 'u':       /* only log specified priority */
        UniquePriority++;
        break;
and

static int UniquePriority = 0; /* Only log specified priority? */

(got to love that question mark at the end...)


So the 'u' is not insecure mode either any more. So now I use:

/usr/sbin/syslogd -m 15

For the record:

static void
usage(void)
{

    fprintf(stderr, "%s\n%s\n%s\n%s\n",
        "usage: syslogd [-46Acdknosuv] [-a allowed_peer]",
        " [-b bind address] [-f config_file]",
        " [-l log_socket] [-m mark_interval]",
        " [-P pid_file] [-p log_socket]");
    exit(1);
}
--------------------------
So, the '-s' flag turns on secure mode; if it is not there, it is in insecure mode, and the -u does some weird unique-priority thing that I have not taken the time to figure out.

The current man page does NOT match what the source code is doing. I have filed a radar (bug) on this.



10.3: Enable remote logging features
Authored by: climberbry on Dec 03, '03 02:57:59PM

Anyone know what the purpose of that -s flag is? What are the consequences of just arbitrarily dropping it as suggested here? It is there by default and seems to be new to Panther.



10.3: Enable remote logging features
Authored by: stetner on Dec 05, '03 01:58:24AM

It is the 'security' flag.

With it syslog will only log messages from a local process.

Without it syslog will also log messages coming in on port 514 from a remote machine via UDP.

Allowing remote machines to log to you opens you up to an attack where someone logs a billion messages to your machine and fills your hard drive. A router/firewall can eliminate this risk if you have control of your local network and the people on it are not malicious.



10.3: Enable remote logging features
Authored by: climberbry on Dec 08, '03 09:20:56AM

Thanks! Wonder why it isn't in the man page for syslogd...



10.3: Enable remote logging features
Authored by: climberbry on Dec 08, '03 09:27:06AM

Sorry, missed your earlier reply about this...



10.3: Enable remote logging features
Authored by: ronaldo1 on Mar 05, '04 05:15:29PM

How does one enable the built-in firewall to allow UDP traffic over 512? The GUI only allows TCP ports, and when you check with ipfw list it says the Syslog (512) entry I made is for TCP.



10.3: Enable remote logging features
Authored by: MacDog on Apr 03, '04 09:46:40AM
I have read all the comments here, but I still can't get remote logging to work under 10.3.3. The installed syslogd seems to match the documentation found under the FreeBSD manual page, but using the -a option to allow a remote IP address to use syslog still doesn't work. I use Firewalk X 2 as a firewall, and I can observe the incoming packets being allowed. I've also used Ethereal to capture the actual packets and can observe that they have the right content. Does anyone know whether there are some other obscure places or settings that need to be set/changed?

10.3: Enable remote logging features
Authored by: petercrocker on May 31, '04 05:34:57PM

Here's what I used in OS X 10.3.4:

/usr/sbin/syslogd -a 172.16.31.1/32:* -m 15

-a ip.addr/mask:src-port (the :* means allow any UDP source port)
-s doesn't seem to allow any external syslogging, so leave it off
-m is just a marker: there will be a timestamp in your log every 15 min

optionally add -d to run it in debug mode and see what's working or busted.

-pete



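Two things a practitioner wants when, as in the comments above, packets reach the box but nothing is logged: a way to check whether the sender would pass the "ipaddr/masklen:service" spec given to syslogd -a, and a way to send a datagram whose PRI field encodes a known facility and severity so the receiving syslog.conf can be checked end to end. The following is an added example (mine, not part of the page or of syslogd). It handles IPv4 specs only, and it assumes, following the FreeBSD syslogd man page, that a spec without a ":service" part means the syslog port (514) while ":*" means any source port, which is why the ":*" in the comment above matters: a PIX or a test sender uses an ephemeral source port. The host name, tag and message in the sample datagram are constructed.

```python
"""Check a syslogd -a allowed_peer spec and build an RFC 3164 test datagram.

Added example, not part of the original page or of syslogd.
Assumptions: IPv4 specs only; a missing ':service' means port 514.
"""
import ipaddress
import socket

FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITY_CODES.update(("local%d" % i, 16 + i) for i in range(8))
SEVERITY_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}
SYSLOG_PORT = 514


def parse_allowed_peer(spec):
    """'172.16.31.1/32:*' -> (IPv4Network, port or None for any port)."""
    net, sep, service = spec.rpartition(":")
    if not sep:  # no ':service' given: assume the syslog port
        net, service = spec, str(SYSLOG_PORT)
    network = ipaddress.ip_network(net, strict=False)
    port = None if service == "*" else int(service)
    return network, port


def peer_allowed(spec, src_ip, src_port):
    """Would a datagram from src_ip:src_port pass this -a spec?"""
    network, port = parse_allowed_peer(spec)
    return ipaddress.ip_address(src_ip) in network and (port is None or port == src_port)


def build_datagram(facility, level, hostname, tag, message,
                   timestamp="Mar  5 17:15:29"):
    """Encode <PRI>TIMESTAMP HOST TAG: MSG, the classic RFC 3164 layout."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[level]
    line = "<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag, message)
    return line.encode("ascii")


def decode_pri(datagram):
    """Return (facility, level) names from a datagram's leading <PRI>."""
    text = datagram.decode("ascii", "replace")
    if not text.startswith("<") or ">" not in text[:6]:
        raise ValueError("no PRI field")
    pri = int(text[1:text.index(">")])
    facility, level = divmod(pri, 8)
    return (FACILITY_NAMES.get(facility, "facility%d" % facility),
            SEVERITY_NAMES[level])


def send_test(datagram, host, port=SYSLOG_PORT):
    """Fire the datagram at the receiver from an ephemeral UDP source port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


if __name__ == "__main__":
    spec = "172.16.31.1/32:*"
    for ip, port in [("172.16.31.1", 49152), ("172.16.31.2", 514)]:
        verdict = "allowed" if peer_allowed(spec, ip, port) else "refused"
        print("%s from %s:%d -> %s" % (spec, ip, port, verdict))
    dg = build_datagram("local4", "info", "pix", "pix-test",
                        "constructed test message")
    print(dg, decode_pri(dg))
    # send_test(dg, "192.0.2.10")  # put your log host's address here
```

If peer_allowed says the sender passes and decode_pri confirms local4, but the line still never appears in pix.log, the remaining suspects are the -s flag on the syslogd command line and the host firewall rule being TCP rather than UDP, both raised in the comments above.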
10.3: Enable remote logging features
Authored by: climberbry on Jun 09, '04 10:23:44AM

Keep in mind, if you made these edits to your /etc/rc file prior to 10.3.4, you'll need to edit it again after the update to 10.3.4, as the rc file is replaced with this update.


