Customize log message routing with syslog.conf

Mar 10, '04 09:50:00AM

Contributed by: Anonymous

While trying to figure out how to get my new custom ipfw setup to write log entries to the unused /var/log/ipfw.log file, I discovered some options for configuring the syslog.conf file that are neither documented in the Panther syslog.conf manpage nor mentioned in previous hints here. So I thought I'd pass them along. These make it easy to route the log messages from most Unix programs to any log file you choose.

These options are apparently inherited from FreeBSD. The section below is from the FreeBSD syslog.conf manpage. The options described seem to be supported in Panther, although they are not mentioned in the OS X version of the manpage.

Each block of lines is separated from the previous block by a program or hostname specification. A block will only log messages corresponding to the most recent program and hostname specifications given. Thus, with a block which selects `ppp' as the program, directly followed by a block that selects messages from the hostname `dialhost', the second block will only log messages from the ppp(8) program on dialhost.

A program specification is a line beginning with `#!prog' or `!prog' (the former is for compatibility with the previous syslogd, if one is sharing syslog.conf files, for example) and the following blocks will be associated with calls to syslog(3) from that specific program. A program specification for `foo' will also match any message logged by the kernel with the prefix `foo: '. The `#!+prog' or `!+prog' specification works just like the previous one, and the `#!-prog' or `!-prog' specification will match any message but the ones from that program. Multiple programs may be listed, separated by commas: `!prog1,prog2' matches messages from either program, while `!-prog1,prog2' matches all messages but those from `prog1' or `prog2'.

A hostname specification of the form `#+hostname' or `+hostname' means the following blocks will be applied to messages received from the specified hostname. Alternatively, the hostname specification `#-hostname' or `-hostname' causes the following blocks to be applied to messages from any host but the one specified. If the hostname is given as `@', the local hostname will be used. As for program specifications, multiple comma-separated values may be specified for hostname specifications.

A program or hostname specification may be reset by giving the program or hostname as `*'.

The use of program blocks makes it possible to intercept the log messages from a particular process and direct them where you want. Read the rest of the hint for a modified /etc/syslog.conf with a few simple examples.

# Exclude log messages that you want to go elsewhere from appearing in
# the console.log and system.log files.
# Leave programs off list if you want entries in these files also.
!-ipfw,CRON,/usr/libexec/fix_prebinding

*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit /var/log/system.log

# End program block
!*

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit     /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
authpriv.*;remoteauth.crit                          /var/log/secure.log

# Direct all ipfw log messages to ipfw.log
!ipfw
*.*                                                 /var/log/ipfw.log
!*

# Direct all CRON entries to a separate log; note case-sensitivity.
!CRON
*.*                                                 /var/log/cron.log
!*

# Tired of all those fix_prebinding messages in your desktop MkConsole or
# GeekTools system log view? Redirect them to their own log file, where
# you can view them when you want instead of constantly!
!/usr/libexec/fix_prebinding
*.*                                                 /var/log/prebind.log
!*
lpr.info                                            /var/log/lpr.log
mail.*                                              /var/log/mail.log
ftp.*                                               /var/log/ftp.log
netinfo.err                                         /var/log/netinfo.log
install.*                                           /var/log/install.log
install.*                                           @127.0.0.1:32376

*.emerg                                             *

Note that if you are logging to custom files, as in the CRON and fix_prebinding examples, you must manually create the files in /var/log (or wherever) before they can be used. If you're putting your custom logs in /var/log, you may also want to tweak your /etc/periodic/weekly/500.weekly file to rotate the log files.
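To check how the block rules quoted from the manpage apply to a configuration like the one above before editing the live file, here is a small Python model of syslogd's selection logic. It is an added example, not code from the hint or from syslogd itself: it implements only the subset of syslog.conf syntax described on this page (facility.level selectors with `*` and `none`, `!prog` / `!+prog` / `!-prog` / `!*` program blocks, `+host` / `-host` / `+@` / `+*` hostname blocks), treats kernel messages as coming from a program named `kernel` (an assumption of the model), and uses `mymac` and `dialhost` as stand-in hostnames. The sample messages are constructed. Given a trimmed copy of the config above, it reports which actions would receive each message, so you can confirm that the `!-ipfw,CRON,...` block really keeps those programs out of console.log and system.log while the `!ipfw` and `!CRON` blocks still catch them.

```python
"""Model of the syslogd selection rules quoted above (added example, not the hint's
code): facility.level selectors with `*' and `none', program blocks (!prog, !+prog,
!-prog, !*) and hostname blocks (+host, -host, +@, +*). Messages are constructed."""
import re
from collections import namedtuple

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "netinfo", "remoteauth", "install"]
LOCAL_HOSTNAME = "mymac"   # what `@' stands for (assumed name)
KERNEL_PROGRAM = "kernel"  # tag this model gives kernel-originated messages (assumed)

Message = namedtuple("Message", "facility level program host text")
Rule = namedtuple("Rule", "prog host pmask action")  # prog/host: None or (negated, names)

def _spec(body, negated):
    """Names after `!', `+' or `-'; a bare `*' resets the specification."""
    names = {LOCAL_HOSTNAME if n == "@" else n for n in map(str.strip, body.split(",")) if n}
    return None if names == {"*"} else (negated, names)

def parse_selector(sel):
    """facility -> most verbose level index accepted (None = excluded); later
    selectors override earlier ones, which is how `*.info;authpriv.none' works."""
    pmask = {}
    for part in sel.split(";"):
        facs, _, level = part.rpartition(".")
        idx = None if level == "none" else (len(LEVELS) - 1 if level == "*" else LEVELS.index(level))
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            pmask[fac] = idx
    return pmask

def parse_conf(text):
    rules, prog, host = [], None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^#?!([+-]?)(.+)$", line)   # program specification (also `#!')
        n = re.match(r"^#?([+-])(.+)$", line)     # hostname specification (also `#+')
        if m:
            prog = _spec(m.group(2), m.group(1) == "-")
        elif n:
            host = _spec(n.group(2), n.group(1) == "-")
        elif line and not line.startswith("#"):  # selector <whitespace> action
            fields = line.split()
            rules.append(Rule(prog, host, parse_selector(fields[0]), fields[-1]))
    return rules

def _allowed(spec, value):
    return spec is None or (value in spec[1]) != spec[0]

def matching_actions(rules, msg):
    """Every action that receives msg, in configuration order."""
    out = []
    for r in rules:
        prog = msg.program
        if r.prog and msg.program == KERNEL_PROGRAM:   # `foo' also matches kernel "foo: ..."
            prog = next((n for n in r.prog[1] if msg.text.startswith(n + ": ")), prog)
        idx = r.pmask.get(msg.facility)
        if (_allowed(r.prog, prog) and _allowed(r.host, msg.host)
                and idx is not None and LEVELS.index(msg.level) <= idx):
            out.append(r.action)
    return out

SYSLOG_CONF = """
# Trimmed copy of the hint's syslog.conf, plus the manpage's ppp/dialhost case.
!-ipfw,CRON,/usr/libexec/fix_prebinding
*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit   /dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit   /var/log/system.log
!*
authpriv.*;remoteauth.crit   /var/log/secure.log
!ipfw
*.*   /var/log/ipfw.log
!*
!CRON
*.*   /var/log/cron.log
!*
!ppp
+dialhost
*.*   /var/log/ppp-dialhost.log
+*
!*
*.emerg   *
"""

SAMPLES = {  # constructed messages: (facility, level, program, host, text)
    "ipfw deny": Message("kern", "info", KERNEL_PROGRAM, LOCAL_HOSTNAME,
                         "ipfw: 100 Deny TCP 10.0.0.5:4321 10.0.0.1:22 in via en0"),
    "cron job": Message("cron", "info", "CRON", LOCAL_HOSTNAME, "(root) CMD (/usr/sbin/periodic daily)"),
    "login": Message("auth", "notice", "login", LOCAL_HOSTNAME, "USER_PROCESS: 321 ttyp1"),
    "su fail": Message("authpriv", "warning", "su", LOCAL_HOSTNAME, "BAD SU alice to root on ttyp1"),
    "ppp remote": Message("daemon", "info", "ppp", "dialhost", "connection established"),
    "ppp local": Message("daemon", "info", "ppp", LOCAL_HOSTNAME, "connection established"),
    "panic": Message("kern", "emerg", KERNEL_PROGRAM, LOCAL_HOSTNAME, "panic: constructed sample"),
}

def route_samples(conf=SYSLOG_CONF):
    """Map each sample message name to the list of actions that would receive it."""
    rules = parse_conf(conf)
    return {name: matching_actions(rules, m) for name, m in SAMPLES.items()}
```

Running `route_samples()` shows the ipfw kernel message landing only in /var/log/ipfw.log and the CRON entry only in /var/log/cron.log, while a login notice still reaches both /dev/console and /var/log/system.log, and the ppp message from dialhost reaches the ppp-dialhost.log block but the same message from the local host does not. Note that the `+dialhost` block does not reset the preceding `!ppp` program block, exactly as the manpage describes, so both `+*` and `!*` are needed before the final catch-all rule.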



Mac OS X Hints
http://hints.macworld.com/article.php?story=20040301223642276