
10.4: Enable remote logging in 10.4
System 10.4 | Tiger only hint

First we had this hint on how to enable remote system event logging in whatever version of OS X was current in April '02. Then we had this hint to update it for Panther. Well, now we are into Tiger, and it's changed again.

I found this article on AFP548.com by Aaron Adams documenting the differences. So here are the updated instructions combining the past hint with what I learned from Aaron's article...

Here's what you need to do:
  1. Edit the /etc/syslog.conf file to include local4.none in the second line, and to redirect the output of local4.* to /var/log/whatever.log (replace whatever with a name of your choice). There's a sample syslog.conf file at the end of this hint.

  2. Create the Saved Logs folder in the desired location. In my example, it's at the root of the Macintosh hard drive.

  3. Back up the daemon file to the desktop:
    sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist ~/Desktop/ 
    Here is the restore line, if you need it:
    sudo cp ~/Desktop/com.apple.syslogd.plist /System/Library/LaunchDaemons/
  4. Edit the plist using the nano Unix editor:
    sudo nano /System/Library/LaunchDaemons/com.apple.syslogd.plist
  5. Scroll down to this line...
    <string>/usr/sbin/syslogd</string>
    ...and add the following directly below it:
    <string>-u</string>
  6. Save and exit.

  7. Use the following two lines to stop and restart the daemon:
    sudo launchctl unload \
     /System/Library/LaunchDaemons/com.apple.syslogd.plist
    sudo launchctl load \
     /System/Library/LaunchDaemons/com.apple.syslogd.plist
  8. Create or edit /etc/daily.local to rotate the logs and restart the service:
    sudo nano /etc/daily.local
    See the sample daily.local at the end of this document, and remember to modify the log storage location as desired.
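Added example, not part of the hint: a Python helper that performs step 5 on the launchd plist with plistlib instead of nano, inserting -u directly after the syslogd path only when it is not already there (so running it twice is harmless). SYSLOGD_PLIST is a constructed stand-in for the Tiger file; add_syslogd_flag and program_arguments are names I chose.

```python
import plistlib

# Constructed stand-in for Tiger's /System/Library/LaunchDaemons/com.apple.syslogd.plist
# before the hint's edit; it is modelled on the file a commenter quotes, not copied from a system.
SYSLOGD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.syslogd</string>
  <key>OnDemand</key><false/>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/syslogd</string></array>
  <key>ServiceIPC</key><false/>
</dict>
</plist>
"""


def add_syslogd_flag(plist_bytes: bytes, flag: str = "-u") -> bytes:
    """Return the plist with `flag` placed directly after the syslogd path in ProgramArguments.

    Idempotent: if the flag is already present the input comes back unchanged. The function
    refuses to edit a plist whose ProgramArguments does not start with /usr/sbin/syslogd,
    so it cannot be pointed at the wrong LaunchDaemon by mistake.
    """
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments")
    if not args or args[0] != "/usr/sbin/syslogd":
        raise ValueError("not the syslogd launchd plist")
    if flag in args:
        return plist_bytes
    args.insert(1, flag)  # step 5 of the hint: the flag goes right below the program path
    return plistlib.dumps(plist, fmt=plistlib.FMT_XML)


def program_arguments(plist_bytes: bytes) -> list:
    """Read ProgramArguments back, e.g. to verify the edit before reloading the daemon."""
    return list(plistlib.loads(plist_bytes)["ProgramArguments"])


if __name__ == "__main__":
    updated = add_syslogd_flag(SYSLOGD_PLIST)
    print(program_arguments(updated))  # ['/usr/sbin/syslogd', '-u']
```

Write the returned bytes over the real file with sudo and then do the launchctl unload/load from step 7.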
SAMPLE /etc/syslog.conf

*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit		/dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit;local4.none	/var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit            /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
authpriv.*;remoteauth.crit				/var/log/secure.log

lpr.info						/var/log/lpr.log
mail.*							/var/log/mail.log
ftp.*							/var/log/ftp.log
netinfo.err						/var/log/netinfo.log
local4.*						/var/log/whatevernameyoulike.log

# *.emerg						*

SAMPLE /etc/daily.local -- Change yourusername to your own username to give you rights to the saved log files.

/bin/mv /var/log/whatevernameyoulike.log /Volumes/Macintosh\ HD/Saved\ Logs/`/bin/date +%m%d%y`.txt

launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

/usr/sbin/chown yourusername /Volumes/Macintosh\ HD/Saved\ Logs/`/bin/date +%m%d%y`.txt
/usr/bin/chgrp admin /Volumes/Macintosh\ HD/Saved\ Logs/`/bin/date +%m%d%y`.txt

10.4: Enable remote logging in 10.4
Authored by: sjk on Mar 31, '06 12:59:28PM

A bit of followup:

The local4 change to syslog.conf is an application/host-specific modification. It'll be ineffective unless something generates syslog messages for it (e.g. the firewall mentioned in the original hint you referred to).

You could run "Go to Folder..." [shift-command-G] from Finder, type /System/Library/LaunchDaemons to open that folder (or, "open ..." it from Terminal), then drag/drop com.apple.syslogd.plist to whichever writable location you want to save a backup copy. Saving it on the Desktop is probably not the best choice.

It's not necessary to type the full pathname for launchctl paths. Also, restarting the syslog daemon can be accomplished by sending it a SIGHUP (e.g. "killall -HUP syslogd").

Peter Borg's Lingon is a nice GUI for creating/controlling launchd config files.

Edited on Jan 13, '10 06:32:31AM by robg

10.4: Enable remote logging in 10.4
Authored by: turkpipouunu on May 11, '07 02:53:38AM
Hi,

Thanks for the hint. It works fine to the extent that the machine is listening to the router and I can use the "tail -f /var/log/system.log" command to check it. However, nothing is written to the log file I specify. Here are the config files I use. Anything I am doing wrong?

thks,

laurent

**********************************************************
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit;local4.none /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
authpriv.*;remoteauth.crit /var/log/secure.log

lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ftp.log
netinfo.err /var/log/netinfo.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/ipfw.log
local4.* /var/log/remote.log


*.emerg *

**********************************************************


**********************************************************
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.syslogd</string>
<key>ServiceDescription</key>
<string>Apple System Log Daemon</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/syslogd</string>
<string>-u</string>
</array>
<key>ServiceIPC</key>
<false/>
</dict>
</plist>
**********************************************************



**********************************************************
/bin/mv /var/log/remote.log /archivedlogs/`/bin/date +%m%d%y`.txt

launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

/usr/sbin/chown webtest /archivedlogs/`/bin/date +%m%d%y`.txt
/usr/bin/chgrp admin /archivedlogs/`/bin/date +%m%d%y`.txt
**********************************************************

10.4: Enable remote logging in 10.4
Authored by: tomichaeli on Nov 28, '07 11:49:20AM
To enable remote logging in 10.5 you should uncomment the following at the end of the "/System/Library/LaunchDaemons/com.apple.syslogd.plist" file.

<!--
                <key>NetworkListener</key>
                <dict>
                        <key>SockServiceName</key>
                        <string>syslog</string>
                        <key>SockType</key>
                        <string>dgram</string>
                </dict>
-->

Enable remote logging in 10.5
Authored by: bear8b on May 07, '08 02:56:36PM

Has anyone gotten this to work in 10.5? I made the changes in syslog.conf and syslogd.plist. Still no go. I can see the syslog messages coming in on Facility1, which is also a selector to a file, but nothing is written to any log files.

In syslogd.plist, I uncommented the last lines, restarted the processes, no joy. So I added the <string>-u</string> commands, restarted, still no go.

What am I missing?

Thanks


Enable remote logging in 10.5
Authored by: palouis on May 09, '08 08:08:39PM

Well, I have remote syslog data coming into my server. My problem is that I have discrete logs for that data, i.e. for log events from my router I have created /var/log/router.log.

All works fine except the router log is also getting local log events ... I can't stop them.

Pathetic documentation from Apple. Hey guys, it ain't free, so fix it.



---
________________
Cheers,

Paul


Enable remote logging (syslog) in 10.5
Authored by: xr4ti on Sep 12, '08 07:10:49PM

It's been a while since this was posted, but I just worked on getting my new router to use syslogd on 10.5. I had to do the steps shown below. Many of these steps are duplicates of the ones above, but the original title for this hint covered 10.4, and I figured someone searching for info about 10.5 would find it more easily if it's all in one place.

The key for getting this hint to work on my 10.5 implementation was that the piss-poor socket firewall has to allow syslogd to bind to port 514. There are three ways to do that, and I'll list them below.

The steps for enabling remote syslog in 10.5:

1. Figure out what syslog "facility" your remote device is using in its reports:
$ sudo tcpdump -s 0 -X port 514
(And it turns out my router uses local7, not local4.)

2. Create a file for the logs:
$ sudo touch /var/log/router.log

3. Save a copy of /etc/syslog.conf and then add a line for the new log:
local7.* /var/log/router.log

4. Uncomment the lines in /System/Library/LaunchDaemons/com.apple.syslogd.plist that are marked as being for remote syslog (they are shown under this hint).

5. Stop the old syslogd configuration and start using the one you've just set up:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

6. (10.5) Add syslogd to the programs allowed by the socket (Apple calls it "application") firewall (socketfilterfw, not ipfw). This can be done in three ways. You can: a) turn off the socket firewall (not my preferred way), b) add syslogd using the firewall GUI (also not my preference), or c) add syslogd to the list of core services.

a) you can turn off the Apple socket firewall in System Preferences->Security->Firewall. Choose "Allow all incoming connections".

b) you can add syslogd to the GUI by selecting "Set access for specific services and applications", then press the "+". In the "choose file" dialog, type <shift><command>G to go to /usr/sbin, then select syslogd. This approach makes it easier to remove the entry for syslogd, but prevents remote syslogging if you choose "Allow only essential services".

c) you can add syslogd to the list of core services by editing /usr/libexec/ApplicationFirewall/com.apple.alf.plist (note: there is a copy of this file at /Library/Preferences/com.apple.alf.plist but the libexec file appears to be the master, and it's ASCII). In a pinch, you can edit this ASCII file with your favorite text editor, or use the Property List Editor, from Developer Tools. Doing this editing is more complicated to describe than it is to do, so don't be too overwhelmed by the instructions below.

First, make a copy of the current file:
$ sudo cp -p /usr/libexec/ApplicationFirewall/com.apple.alf.plist /usr/libexec/ApplicationFirewall/com.apple.alf.plist_current

If you have the property list editor, you can type:
$ sudo open /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Using the plist editor, create a new sibling under the property called "exceptions". Change its type to "dictionary". Create two children under it. Call the first child "Path", make it of type String, with the value /usr/sbin/syslogd. Call the second child "state", of type Number, value 3. (You can do this without the plist editor, but I'll leave that exercise to the reader :)

When you are done, save the result two ways: save it as a text file and as a binary property list file. Even though you ran sudo to edit the file, you won't be able to save the new files on top of the old ones (I suspect that's because of Apple's zealous adoption of ACLs). Save both files to a convenient place (your home directory, for example).

Next, set the permissions for the new files:
$ sudo chown root:admin <new binary file name> <new text file name>
$ sudo chmod 644 <new binary file name> <new text file name>

Then stop the socket firewall:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

And move the files into position:
$ sudo mv <new binary file name> /Library/Preferences/com.apple.alf.plist
$ sudo mv <new text file name> /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Then restart the socket firewall:
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist

[A word of caution on this method: it appears that Apple has designed these files to preserve your changes during a software update. But it's quite possible that the text version in /usr/libexec/ApplicationFirewall/com.apple.alf.plist will be over-written by a software update. Make a copy of the final result, and keep that in mind if you ever have to revert to the text version of the plist file.]

7. If you're security-minded, you probably aren't trusting Apple's socket firewall to do the whole job. If you're also using ipfw (I use WaterRoof to make it easier to use ipfw), you may need an ipfw rule to allow connections from your logging device to the syslogd port on your Mac. If your ipfw ruleset defaults* to "deny", you need a rule like this:

allow udp from <router ip address> to me dst-port 514 in

(* the default Apple rule for ipfw allows all traffic, making it almost useless. The more draconian approach to setting up firewall rules is to create a default deny statement just before Apple's default allow statement, which is built into the kernel.)


Phew! In the good old days of SunOS, it was a hell of a lot easier than it is now... and they call this 'progress'?


Enable remote logging (syslog) in 10.5
Authored by: JimMueller on Apr 18, '09 11:15:48AM

Oh, so close, xr4ti.
Thanks for the wealth of info in your comment.

I had to do some digging into what some of the terms you used meant. For example, how to find the "facility" in the syslog data that was being sent to the syslog server. Adding a -v to the tcpdump command gave me a second line in each incoming message that said:
Facility security (13), Severity info (6)
so my guess is that my D-Link router is naming its syslog facility "security", but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

The Mac we are trying to add syslog ability to has the firewall set to accept all incoming (Slap my wrist if you wish...) which is obviously true because it is seeing the correct tcpdump data coming in on the specified port.
Am I not reading the tcpdump data correctly? Do I need to run it with -vv to read what the facility tag really is?

I just tried a full reboot and there's still nothing getting written to the router log.


Enable remote logging (syslog) in 10.5
Authored by: pediger on Apr 21, '09 12:43:54PM
Facility security (13), Severity info (6) so my guess that my D-Link router is naming its syslog facility "security" but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.
Try remoteauth.* instead of security.*. I recently had the same trouble routing my D-Link log to a Tiger machine. Rather than "security," Wireshark reports:

Facility: LOGAUDIT - log audit (13) and Level INFO - informational (6)

so like you I was trying logaudit.* and audit.*, etc.

If you look at /usr/include/sys/syslog.h you can see how the numbers (13 in this case) map into the facility text codes (remoteauth).

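Added example, written for this thread and not code from the hint or any commenter: it decodes the <PRI> prefix of a syslog datagram using the facility names Darwin's /usr/include/sys/syslog.h assigns (the table below is my assumption of that file's contents; other tools call 13 "security" or "log audit", which is the naming mismatch JimMueller and pediger hit), then evaluates the hint's own sample syslog.conf selectors to show which actions a given message reaches. It goes a little beyond the thread by handling any facility/level pair, not just remoteauth. TIGER_CONF, SAMPLE_DATAGRAM, decode_pri and destinations are names I chose; the datagram is constructed.

```python
import re

# Facility numbers as named in Darwin's /usr/include/sys/syslog.h (the file pediger points at).
# Assumption: this reproduces that table; other systems call 13 "security" or "log audit",
# which is why tcpdump/Wireshark and Tiger's syslog.conf disagree about the name.
MAC_FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
                  "cron", "authpriv", "ftp", "netinfo", "remoteauth", "install", "ras",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagram of the kind the D-Link router sends: PRI 110 = 13 * 8 + 6.
SAMPLE_DATAGRAM = "<110>Apr 18 11:15:48 router: constructed sample message"

# The hint's sample syslog.conf, condensed to the lines that matter for this question.
TIGER_CONF = """\
*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit\t/dev/console
*.notice;*.info;authpriv,remoteauth,ftp.none;kern.debug;mail.crit;local4.none\t/var/log/system.log
authpriv.*;remoteauth.crit\t/var/log/secure.log
local4.*\t/var/log/whatevernameyoulike.log
"""


def decode_pri(datagram):
    """Split the <PRI> prefix into (facility name, severity name) as Tiger's syslogd names them."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    return MAC_FACILITIES[pri // 8], SEVERITIES[pri % 8]


def destinations(conf, facility, severity):
    """Return the action fields of the syslog.conf lines whose selectors match one message."""
    sev = SEVERITIES.index(severity)
    matched = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.rsplit(None, 1)
        threshold = None  # None: this line does not select the facility at all
        for sel in selectors.split(";"):  # later selectors override earlier ones per facility
            facs, _, level = sel.rpartition(".")
            if facs != "*" and facility not in facs.split(","):
                continue
            threshold = None if level == "none" else (7 if level == "*" else SEVERITIES.index(level))
        if threshold is not None and sev <= threshold:  # lower number = more severe
            matched.append(action)
    return matched
```

With the stock selectors a facility-13 message matches nothing, because remoteauth.none excludes it from console and system.log and remoteauth.crit is stricter than info; appending a remoteauth.* line is what makes it land in a file.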
Enable remote logging (syslog) in 10.5
Authored by: adinb on Jul 22, '10 02:28:04PM

I have a netgear router that I'm trying to pull in its logs to a snow leopard blackbook. All the basics are working, but I have a little bit of wonkiness that I'm not sure how to fix.

After looking at my tcpdumps, I noticed that it's using a facility originator of 4 (which maps to 'auth').

Everything from my netgear now goes into secure.log (as it's supposed to). Is there any way to re-route the netgear syslog messages into its own file (i.e. netgear.log) without hi-jacking *all* of the local security messages that *should* be going to secure.log?


10.5: Enable remote logging in 10.5
Authored by: bear8b on May 09, '08 09:27:03PM

What changes did you make to the config files to get that much to work?

