
A replacement for OS X's syslog utility
syslogd, OS X's logging daemon, is 'challenged' in a few ways:
  • its manpage is inconsistent with the actual service options
  • UDP only; no TCP listening
  • the -a option does not work as advertised
  • I haven't been able to get it working with tcp-wrappers
  • setting it up as a central logging server is, well, beyond me
So after reading here, there and everywhere I could find, I tracked down the excellent syslogd alternative, syslog-ng. There's also a good reference FAQ available. After stumbling around a bit, I've got syslog-ng running as a complete replacement for syslogd, happily logging local and remote events from a number of remote servers via both UDP and TCP. I'm not going back! As the web is a bit 'thin' on syslog-ng on OS X, I thought I'd share what I found for other enterprising souls here on MacOSXHints, and maybe get some good ideas back in the process...

[robg adds: This hint involves replacing a standard OS X component with a more powerful version. I have not tested the hint, and if you're going to do so, you should first make sure you've backed up any files you'll be editing...]

There are currently two branches of syslog-ng. The 1.6.4 branch is the one I used here; it's released as a stable branch, seems to be actively developed and supported, and has fairly simple prerequisites. The 1.9x branch is experimental and looks like it's based on glib (I didn't have the stomach for the pain of it all). The one prerequisite for syslog-ng 1.6.4 is libol, by the same author. For reference, my relevant system config includes:
> uname -srv
  Darwin 7.4.0 Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC 
> glibtool --version
  ltmain.sh (GNU libtool) 1.5.6 (1.1220.2.94 2004/04/10 16:27:27)
> autoconf --version
  autoconf (GNU Autoconf) 2.59
> automake --version
  automake (GNU automake) 1.8.5
I've also built a full BIND9 release, against which I link here. Historically, Apple's BIND release has been incomplete ... whether that is still true or not, I can't say. You may be able to link against the OSX/Panther install, but I'm not sure. Here we go...

First, install libol. Nice and straightforward. Download it (check for the latest version), and then in the Terminal (the unsetenv/setenv lines below are tcsh syntax; if your shell is bash, use unset and export VAR="..." instead):
> gnutar zxf libol-0.3.13.tar.gz
> cd libol-0.3.13
> unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS \
   LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS
> glibtoolize --force --copy ;\
  aclocal ;\
  autoconf
> ./configure \
  --prefix=/usr/local
> make
> make install
Next, syslog-ng itself. Note: I'm building to enable tcp-wrapper, so we can easily limit who gets to 'talk' to us. Download the latest version (frequent snapshots ... grab the latest), then in the Terminal:
> gnutar zxvf syslog-ng-1.6.4+20040707.tar.gz
> mv syslog-ng-1.6.4+20040707 syslog-ng
> cd syslog-ng
> unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND \
  EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS ;\
  setenv LDFLAGS "-bind_at_load -L/usr/local/bind9/lib -llwres -lbind" ;\
  setenv CPPFLAGS "-I/usr/local/bind9/include"
> ./configure \
  --prefix=/usr/local \
  --enable-debug \
  --enable-tcp-wrapper
> make
> make install
And that's it for the build. Most important is the config file, which the daemon requires. There are so many config options that I'll simply recommend RTFM and the examples, and provide a 'simple' config file that should get you up and running as a drop-in replacement (or pretty close) for your current logging. The replacement file belongs in /etc/syslog-ng/syslog-ng.conf.

Finally, a couple of things. Make sure /etc/hosts.allow and /etc/hosts.deny are configured to admit only the hosts you want logging to your server: with --enable-tcp-wrapper, syslog-ng consults them for incoming TCP connections. They do nothing for UDP, which is connectionless, so restrict UDP senders separately (a netmask() filter in the syslog-ng config, or ipfw rules on port 514).

Also, the 'traditional' startup for syslogd, /System/Library/StartupItems/SystemLog/SystemLog, although still there, is no longer where syslogd is launched (look inside the file; it's an empty wrapper). In Panther, syslogd is launched from /etc/rc. Around line 111 you'll find:
	/usr/sbin/syslogd -s -m 0 -u
Comment that out and replace it with
	/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslog-ng.pid
which launches your syslog-ng daemon in its stead. Kill the old daemon and start the new one, or reboot, and watch your logs grow. If a later system update replaces /etc/rc, the stock syslogd comes back, so re-check that line after updating. Good luck, and enjoy!
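As an added example (not code from the original hint, and not from the syslog-ng project), here is a small sh script that prints a drop-in syslog-ng 1.6 configuration for the setup described above, prints the matching /etc/hosts.allow and /etc/hosts.deny lines, and sends a constructed RFC 3164 message over UDP and over TCP so you can exercise the listener from another host. It assumes the Darwin log socket is /var/run/syslog and kernel messages arrive on /dev/klog, uses 192.0.2.0/24 as a stand-in for your trusted network, assumes the daemon name syslog-ng reports to libwrap is "syslog-ng", and needs nc(1) for the send test. The option names (sync(), netmask(), max-connections(), create_dirs(), perm()) are those of the 1.6 branch.

```shell
#!/bin/sh
# Added example, not part of the original hint or of syslog-ng itself.
#   conf  - print a drop-in syslog-ng 1.6 configuration for an OS X log server
#   wrap  - print the matching /etc/hosts.allow and /etc/hosts.deny lines
#   test  - send one RFC 3164 message over UDP and one over TCP to a listener
# Assumptions (constructed for this example; adjust to taste): Darwin's log
# socket is /var/run/syslog, the kernel logs to /dev/klog, trusted senders
# live in 192.0.2.0/24 (a documentation range), syslog-ng identifies itself
# to libwrap as "syslog-ng", and nc(1) is available for the send test.

TRUSTED_NET="192.0.2.0/24"      # syslog-ng netmask() form
TRUSTED_PREFIX="192.0.2."       # tcp-wrappers prefix form

syslog_ng_conf() {
  cat <<EOF
options {
  sync(0);              # flush every line, like syslogd
  use_dns(no);          # never block the daemon on reverse lookups
  keep_hostname(no);    # key remote logs by sender address, not by the
                        # hostname the sender claims in the message
  chain_hostnames(no);
};

# Local input: the Unix-domain socket the stock syslogd listened on, the
# kernel, and syslog-ng's own messages.
source s_local { unix-dgram("/var/run/syslog"); file("/dev/klog"); internal(); };

# Remote input. With --enable-tcp-wrapper the tcp() source consults
# hosts.allow/hosts.deny; udp() is connectionless and is not wrapped, so
# the netmask() filter below is what restricts UDP senders.
source s_remote {
  udp(ip("0.0.0.0") port(514));
  tcp(ip("0.0.0.0") port(514) max-connections(32));
};

filter f_trusted { netmask("${TRUSTED_NET}"); };
filter f_auth    { facility(auth) or facility(authpriv); };
filter f_mail    { facility(mail); };
filter f_system  { level(info..emerg) and not facility(auth) and not facility(authpriv) and not facility(mail); };

destination d_system { file("/var/log/system.log"); };
destination d_secure { file("/var/log/secure.log" perm(0600)); };
destination d_mail   { file("/var/log/mail.log"); };
# One file per sending host per day; with keep_hostname(no) and use_dns(no),
# \$HOST is the peer's IP address, so a sender cannot pick its own directory.
destination d_remote { file("/var/log/remote/\$HOST/\$YEAR\$MONTH\$DAY.log" create_dirs(yes) perm(0640)); };

log { source(s_local);  filter(f_system);  destination(d_system); };
log { source(s_local);  filter(f_auth);    destination(d_secure); };
log { source(s_local);  filter(f_mail);    destination(d_mail);   };
log { source(s_remote); filter(f_trusted); destination(d_remote); };
EOF
}

# tcp-wrappers: allow the trusted prefix and localhost, deny everything else.
hosts_allow_rules() { printf 'syslog-ng: %s 127.0.0.1\n' "$TRUSTED_PREFIX"; }
hosts_deny_rules()  { printf 'syslog-ng: ALL\n'; }

# RFC 3164 PRI value: facility * 8 + severity (local0.notice = 16*8+5 = 133).
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# Build "<PRI>Mmm dd hh:mm:ss host tag: msg" from explicit fields so the
# result is deterministic.  Args: facility severity timestamp host tag message
syslog_frame() {
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# UDP carries one message per datagram; syslog-ng's tcp() source splits the
# stream on newlines, so a TCP record must end with one.  Args: host port frame
send_udp() { printf '%s'   "$3" | nc -u -w 1 "$1" "$2"; }
send_tcp() { printf '%s\n' "$3" | nc    -w 1 "$1" "$2"; }

case "${1-}" in
  conf) syslog_ng_conf ;;
  wrap) echo '# /etc/hosts.allow'; hosts_allow_rules
        echo '# /etc/hosts.deny';  hosts_deny_rules ;;
  test) ts=$(date '+%b %e %H:%M:%S'); h=$(hostname -s); srv="${2:-127.0.0.1}"
        send_udp "$srv" 514 "$(syslog_frame 16 5 "$ts" "$h" syslog-ng-test 'hello via udp')"
        send_tcp "$srv" 514 "$(syslog_frame 16 5 "$ts" "$h" syslog-ng-test 'hello via tcp')"
        echo "sent to $srv; check /var/log/remote/ on the server" ;;
esac
```

Run it as root on the server with the argument conf (redirecting the output to /etc/syslog-ng/syslog-ng.conf) and wrap (pasting the lines into the two tcp-wrappers files), then run it with test and the server's address from a host inside the trusted network and from one outside it: the first should produce /var/log/remote/<sender-ip>/<date>.log, the second nothing at all, for both UDP and TCP.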
7 comments
Authored by: thrig on Jul 20, '04 03:37:59PM

I have some notes on syslog-ng and the (many) limitations of the stock syslog daemon online:



Authored by: blakers on Jul 20, '04 04:14:03PM

nicely written up! ... where were you when I _needed_ you? ;-)

just fyi, i find that log mgmt/maintenance is much simpler/straightforward using "logrotate" (http://packages.debian.org/unstable/admin/logrotate).

question 4 you:

have you given any thought to 'extracting'/sending syslogs from (single or multiple) chroot'd jails (e.g., BIND9 logging in a chroot) to a central/remote syslog-ng server?

richard



Authored by: signal15 on Jul 21, '04 01:27:27AM

I've used this fairly extensively, it's very cool. The filtering it has to dump things into different files is great. One thing you need to be aware of though...

Some network devices are capable of logging via a TCP connection. Don't ever do this. With almost every Cisco device, if it can't connect to the syslog server while using tcp syslogging, it will eventually hang the device. PIX firewalls are notorious for this.

TCP syslogging is only really needed when you are doing high volumes of logs, like mail servers that send thousands of mails per second. Otherwise, UDP is fine, and safer.



Authored by: blakers on Jul 21, '04 03:39:51AM

i use TCP logging frequently, and without any problems to date, to send/receive logs across disparate networks across the internet, consolidating them to one server.

great way to monitor lots of servers ... especially in combination with snmp.

i guess i don't see why you've expressed a concern ...

cheers,

richard



Authored by: NetBSD on Nov 12, '04 04:30:47PM

Has anyone tried doing this on a Panther server, with the default install of BIND? I am not having any luck ... here are some system stats:
$ uname -srv
Darwin 7.3.1 Darwin Kernel Version 7.3.1: Mon Mar 22 21:48:41 PST 2004; root:xnu/xnu-517.4.12.obj~2/RELEASE_PPC

$ glibtool --version
ltmain.sh (GNU libtool) 1.5 (1.1220 2003/04/05 19:32:58)

Copyright (C) 2003 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ automake --version
automake (GNU automake) 1.6.3
Written by Tom Tromey <tromey@redhat.com>.

Copyright 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ autoconf --version
autoconf (GNU Autoconf) 2.57
Written by David J. MacKenzie and Akim Demaille.

Copyright 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.





---
Microsoft is not the answer.
It is the question.
The answer is NO!



Authored by: djdawson on Jul 04, '07 11:50:52AM

I know this is an old hint, but I'd thought I'd clarify on the issue with TCP syslogging to Cisco PIX devices. If a Cisco PIX firewall is configured to use TCP syslogging, it will stop forwarding all traffic if it can't connect to the configured syslog server. This is a security feature, the thinking being that if an attacker were trying to cover his tracks by taking down the syslog server, then the more secure behavior is to stop all traffic in case the PIX is in the path of the attacker's traffic. So, unless you know you have a very reliable syslog server, don't use the TCP syslog feature in a Cisco PIX firewall unless you're willing to accept this behavior.



Authored by: kmschindler on Nov 13, '07 07:58:35AM

Some updates from my first try on Tiger 10.4.10.
Simply using the BIND included with Tiger seemed to work.

setenv LDFLAGS "-bind_at_load"

or

setenv LDFLAGS ""

did not make a noticeable difference (I am no expert on ld :-).

Linking version 1.6.12 initially failed because of an unknown linker flag, -a.

After adding --enable-full-dynamic, i.e.

./configure --enable-debug --enable-tcp-wrapper --enable-full-dynamic

building succeeded.

Building 2.0.5 initially failed due to the pkg-config path.
After

setenv PKG_CONFIG_PATH '/usr/local/lib'

and

./configure --enable-debug --enable-tcp-wrapper

it built as well. Only simple checks (syslog-ng -h and syslog-ng -V) have been done with the resulting programs.

P.S. libol 0.3.18 and eventlog 0.2.5 were built and installed as usual (./configure; make; sudo make install)


