Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Customize log message routing with syslog.conf UNIX

While trying to figure out how to get my new custom ipfw setup to write log entries to the unused /var/log/ipfw.log file, I discovered some options for configuring the syslog.conf file that are neither documented in the Panther syslog.conf manpage nor mentioned in previous hints here. So thought I'd pass them along. These make it easy to route the log messages from most unix commands to any log file you choose.

These options are apparently inherited from FreeBSD. The section below is from the FreeBSD syslog.conf manpage. The options described seem to be supported in Panther, although they are not mentioned in the OS X version of the manpage.

Each block of lines is separated from the previous block by a program or hostname specification. A block will only log messages corresponding to the most recent program and hostname specifications given. Thus, with a block which selects `ppp' as the program, directly followed by a block that selects messages from the hostname `dialhost', the second block will only log messages from the ppp(8) program on dialhost.

A program specification is a line beginning with `#!prog' or `!prog' (the former is for compatibility with the previous syslogd, if one is sharing syslog.conf files, for example) and the following blocks will be associated with calls to syslog(3) from that specific program. A program specification for `foo' will also match any message logged by the kernel with the prefix `foo: '. The `#!+prog' or `!+prog' specification works just like the previous one, and the `#!-prog' or `!-prog' specification will match any message but the ones from that program. Multiple programs may be listed, separated by commas: `!prog1,prog2' matches messages from either program, while `!-prog1,prog2' matches all messages but those from `prog1' or `prog2'.

A hostname specification of the form `#+hostname' or `+hostname' means the following blocks will be applied to messages received from the specified hostname. Alternatively, the hostname specification `#-hostname' or `-hostname' causes the following blocks to be applied to messages from any host but the one specified. If the hostname is given as `@', the local hostname will be used. As for program specifications, multiple comma-seprarated values may be specified for hostname specifications.

A program or hostname specification may be reset by giving the program or hostname as `*'.

The use of progam blocks makes to possible to interecept the log messages from a particular process and direct them where you want. Read the rest of the hint for a modified /etc/syslog.conf with a few simple examples.

# Exclude log messages that you want to go elsewhere from appearing in
# the console.log and system.log files.
# Leave programs off list if you want entries in these files also.

*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit /var/log/system.log

# End program block

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit     /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
authpriv.*;remoteauth.crit                          /var/log/secure.log

# Direct all ipfw log messages to ipfw.log
*.*                                                 /var/log/ipfw.log

# Direct all CRON entries to a separate log; note case-sensitivity.
*.*                                                 /var/log/cron.log

# Tired of all those fix_prebinding messages in your desktop MkConsole or
# GeekTools system log view? Redirect them to their own log file, where
# you can view them when you want instead of constantly!
*.*                                                 /var/log/prebind.log
!*                                            /var/log/lpr.log
mail.*                                              /var/log/mail.log
ftp.*                                               /var/log/ftp.log
netinfo.err                                         /var/log/netinfo.log
install.*                                           /var/log/install.log
install.*                                           @

*.emerg                                             *

Note that if you are logging to custom files, as in the CRON and fix_prebinding examples, you must manually create the files in /var/log (or wherever) before they can be used. If you're putting your custom logs in /var/log, you may also want to tweak your /etc/periodic/weekly/500.weekly file to rotate the log files.

  • Currently 2.40 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (5 votes cast)

Customize log message routing with syslog.conf | 6 comments | Create New Account
Click here to return to the 'Customize log message routing with syslog.conf' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Customize log message routing with syslog.conf
Authored by: 47ronin on Mar 10, '04 04:41:20PM

My IPFW hits are still in system.log and my ipfw.log is at 0. I even HUP'd syslogd. Any idea why?

[ Reply to This | # ]
Customize log message routing with syslog.conf
Authored by: jbc on Mar 10, '04 10:50:53PM

Adding the ipfw.log redirect worked for me first try. Except I think I rebooted the system after modifying syslog.conf. Don't know if this makes a difference.

Are you running 10.3.2? One thing I always wonder about these oddball things that Apple didn't document is whether they've been in OS X since 10.0 or whether they were silently added to some later revision. Found a reference to the syslog.conf block syntax on the Hints Forums in a post from 2002, but there's no mention of whether it actually worked or not.

[ Reply to This | # ]
syslog.conf doesn't solve everything!!!
Authored by: lennyb on Jan 06, '06 06:16:06PM

I don't wanna log in vain for your love. I was practically suicidal trying to stop this constant ipfw logging until I found the secret. Drop these lines in /etc/sysctl.conf for permanant changes after a reboot:

net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1

you can make the constant logging stop RIGHT NOW interactively by typing (as root):

sysctl -w net.inet.tcp.log_in_vain=0
sysctl -w net.inet.udp.log_in_vain=0

open up your Apple and toggle these two values back and forth to see that I'm correct.

[ Reply to This | # ]
custom logfile rotation
Authored by: sjk on Mar 11, '04 04:17:58PM

I use a /etc/weekly.local script for custom logfile rotations, repair disk permissions, etc. because /etc/periodic/weekly/500.weekly runs it, as "tail -5 /etc/periodic/weekly/500.weekly" will confirm.

[ Reply to This | # ]
Customize log message routing with syslog.conf
Authored by: bluehz on Mar 12, '04 08:58:55AM

You might want to take a look at "logrotate" also for rotating and archiving all these custom logs. Your basic "daily" cron job is very specific about what it rotates and archives. I have been using logrotate on my Linux box for some time now with great success. I was unable to build the code manually, but I was able to build from Fink unstable sources:

fink install logrotate

Info on logrotate.

[ Reply to This | # ]
Customize log message routing with syslog.conf
Authored by: blakers on May 16, '04 06:36:20PM

logrotate seems simpler -- well to me, anyway -- than 'tweaking' the daily scripts, etc.

i've managed to successfully build/use logrotate from source on both OSX 10.2.8 & 10.3.3. the important prereqs are "gettext" & "popt" ... both of which also build easily.

logrotate's config file format of

log_name {

is very straightforward and allows you to specifiy, e.g. how often to rotate, whether to compress, how many logs to archive, rotates based on log size, etc.

i would've thought that osx allows for something as simple, but, if its there, it's eluded me so far!


[ Reply to This | # ]