A bit of followup:

• The local4 change to syslog.conf is an application/host-specific modification. It'll be ineffective unless something generates syslog messages for it (e.g. the firewall mentioned in the original hint you referred to).

• You could run "Go to Folder..." [shift-command-G] from Finder, type /System/Library/LaunchDaemons to open that folder (or, "open ..." it from Terminal), then drag/drop com.apple.syslogd.plist to whichever writable location you want to save a backup copy. Saving it on the Desktop is probably not the best choice.

• It's not necessary to type the full pathname for launchctl paths. Also, restarting the syslog daemon can be accomplished by sending it a SIGHUP (e.g. "killall -HUP syslogd).

• Peter Borg's Lingon is a nice GUI for creating/controlling launchd config files.

[ Reply to This | # ]

Hi,

Thks 4 the hint. It works fine to the extent that the machine is listening to the router and i can use the "tail -f /var/log/system.log" command to check it. However, nothing is written to the log file i specify. Here are the config files i use . Anything i am doing wrong ?

thks,

laurent

**********************************************************
*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit;local4.none /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
authpriv.*;remoteauth.crit /var/log/secure.log

lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ftp.log
netinfo.err /var/log/netinfo.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/ipfw.log
local4.* /var/log/remote.log


*.emerg *

**********************************************************


**********************************************************
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">;
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.syslogd</string>
<key>ServiceDescription</key>
<string>Apple System Log Daemon</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/syslogd</string>
<string>-u</string>
</array>
<key>ServiceIPC</key>
<false/>
</dict>
</plist>
**********************************************************



**********************************************************
/bin/mv /var/log/remote.log /archivedlogs/`/bin/date +%m%d%y`.txt

launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

/usr/sbin/chown webtest /archivedlogs/`/bin/date +%m%d%y`.txt
/usr/bin/chgrp admin /archivedlogs/`/bin/date +%m%d%y`.txt
**********************************************************


[ Reply to This | # ]

To enable remote logging in 10.5 you should uncomment following at the end of "/System/Library/LaunchDaemons/com.apple.syslogd.plist" file.

<!--
                <key>NetworkListener</key>
                <dict>
                        <key>SockServiceName</key>
                        <string>syslog</string>
                        <key>SockType</key>
                        <string>dgram</string>
                </dict>
-->

[ Reply to This | # ]

Has anyone gotten this to work in 10.5? I mage the changes in syslog.conf and syslogd.plist. Still no go. I can see the syslogs messages coming in on Facility1, which is also a selector to a file, but nothing is written to any log files.

In syslogd.plist, I uncommented the last lines, restarted the processes, no joy. So I added the <string>-u</string> commands, restarted, still no go.

What am I missing?

Thanks

[ Reply to This | # ]

well I have remote Syslog data coming into my server, my problem is that that I have discrete logs for that data, ie for log events from my router I have created /var/log/router.log

All works fine expect the router log is also getting local log events ... I can't stop them.

Pathetic documentation from Apple - het guys it ain't free so fix it.



---
________________
Cheers,

Paul

[ Reply to This | # ]

It's been a while since this was posted, but I just worked on getting my new router to use syslogd on 10.5. I had to do the steps shown below. Many of these steps are duplicates of the ones above, but the original title for this hint covered 10.4, and I figured someone searching for info about 10.5 would find it more easily if it's all in one place.

The key for getting this hint to work on my 10.5 implementation was that the piss-poor socket firewall has to allow syslogd to bind to port 514. There are three ways to do that, and I'll list them below.

The steps for enabling remote syslog in 10.5:

1. Figure out what syslog "facility" your remote device is using in its reports:
$ sudo tcpdump -s 0 -X port 514
(And it turns out my router uses local7, not local4.)

2. Create a file for the logs:
$ sudo touch /var/log/router.log

3. Save a copy of /etc/syslog.conf and then add a line for the new log:
local7.* /var/log/router.log

4. Uncomment the lines in /System/Library/LaunchDaemons/com.apple.syslogd.plist that are marked as being for remote syslog (they are shown under this hint).

5. Stop the old syslogd configuration and start using the one you've just set up:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

6. (10.5) Add syslogd to the programs allowed by the socket (Apple calls it "application") firewall (socketfilterfw, not ipfw). This can be done in three ways. You can: a) turn off the socket firewall (not my preferred way), b) add syslogd using the firewall GUI (also not my preference), or c) add syslogd to the list of core services.

a) you can turn off the Apple socket firewall in System Preferences->Security->Firewall. Choose "Allow all incoming connections".

b) you can add syslogd to the GUI by selecting "Set access for specific services and applications", then press the "+". In the "choose file" dialog, type <shift><command>G to go to /usr/sbin, then select syslogd. This approach makes it easier to remove the entry for syslogd, but prevents remote syslogging if you choose "Allow only essential services".

c) you can add syslogd to the list of core services by editing /usr/libexec/ApplicationFirewall/com.apple.alf.plist (note: there is a copy of this file at /Library/Preferences/com.apple.alf.plist but the libexec file appears to be the master, and it's ASCII). In a pinch, you can edit this ASCII file with your favorite text editor, or use the Property List Editor, from Developer Tools. Doing this editing is more complicated to describe than it is to do, so don't be too overwhelmed by the instructions below.

First, make a copy of the current file:
$ sudo cp -p /usr/libexec/ApplicationFirewall/com.apple.alf.plist /usr/libexec/ApplicationFirewall/com.apple.alf.plist_current

If you have the property list editor, you can type:
$ sudo open /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Using the plist editor, create a new sibling under the property called "exceptions". Change it's type to "dictionary". Create two children under it. Call the first child "Path", make it of type String, with the value /usr/sbin/syslogd. Call the second child "state", of type Number, value 3. (You can do this without the plist editor, but I'll leave that exercise to the reader :)

When you are done, save the result two ways: save it as a text file and as a binary property list file. Even though you ran sudo to edit the file, you won't be able to save the new files on top of the old ones (I suspect that's because of Apple's zealous adoption of ACLs). Save both files to a convenient place (your home directory, for example).

Next, set the permissions for the new files:
$ sudo chown root:admin <new binary file name> <new text file name>
$ sudo chmod 644 <new binary file name> <new text file name>

Then stop the socket firewall:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

And move the files into position:
$ sudo mv <new binary file name> /Library/Preferences/com.apple.alf.plist
$ sudo mv <new text file name> /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Then restart the socket firewall:
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist

[A word of caution on this method: it appears that Apple has designed these files to preserve your changes during a software update. But it's quite possible that the text version in /usr/libexec/ApplicationFirewall/com.apple.alf.plist will be over-written by a software update. Make a copy of the final result, and keep that in mind if you ever have to revert to the text version of the plist file.]

7. If you're security-minded, you probably aren't trusting Apple's socket firewall to do the whole job. If you're also using ipfw (I use WaterRoof to make it easier to use ipfw), you may need an ipfw rule to allow connections from your logging device to the syslogd port on your Mac. If your ipfw ruleset defaults* to "deny", you need a rule like this:

allow udp from <router ip address> to me dst-port 514 in

(* the default Apple rule for ipfw allows all traffic, making it almost useless. The more draconian approach to setting up firewall rules is to create a default deny statement just before Apple's default allow statement, which is built into the kernel.)


Phew! In the good old days of SunOS, it was a hell of a lot easier than it is now... and they call this 'progress'?

[ Reply to This | # ]

Oh, so close, xr4ti.
Thanks for the wealth of info in your comment.

I had to do some digging into what some terms you were meant. For example how to find the "facility" in the syslog data that was being sent to the syslog server. Adding a -v to the tcpdump command gave me a second line in each incoming message that said:
<code> Facility security (13), Severity info (6)</code>
so my guess that my D-Link router is naming its syslog facility "security" but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

The Mac we are trying to add syslog ability to has the firewall set to accept all incoming (Slap my wrist if you wish...) which is obviously true because it is seeing the correct tcpdump data coming in on the specified port.
Am I not reading the tcpdump data correctly? Do I need to run it with -vv to read what the facility tag really is?

I just tried a full reboot and there's still nothing getting written to the router log.

[ Reply to This | # ]

Facility security (13), Severity info (6) so my guess that my D-Link router is naming its syslog facility "security" but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

Try remoteauth.* instead of security.*. I recently had the same trouble routing my D-Link log to a Tiger machine. Rather than "security," Wireshark reports:

Facility: LOGAUDIT - log audit (13) and Level INFO - informational (6)

so like you I was trying logaudit.* and audit.*, etc.

If you look at /usr/include/sys/syslog.h you can see how the numbers (13 in this case) map into the facility text codes (remoteauth).

[ Reply to This | # ]

I have a netgear router that I'm trying to pull in its logs to a snow leopard blackbook. All the basics are working, but I have a little bit of wonkiness that I'm not sure how to fix.

After looking at my tcpdumps, I noticed that it's using a facility originator of 4 (which maps to 'auth').

Everything from my netgear now goes into secure.log (as it's supposed to). Is there any way to re-route the netgear syslog messages into its own file (i.e. netgear.log) without hi-jacking *all* of the local security messages that *should* be going to secure.log?

[ Reply to This | # ]

What changes did you make to the config files to get that much to work?

[ Reply to This | # ]