Enable remote logging (syslog) in 10.5
Authored by: xr4ti on Sep 12, '08 07:10:49PM

It's been a while since this was posted, but I just worked on getting my new router to use syslogd on 10.5. I had to do the steps shown below. Many of these steps are duplicates of the ones above, but the original title for this hint covered 10.4, and I figured someone searching for info about 10.5 would find it more easily if it's all in one place.

The key for getting this hint to work on my 10.5 implementation was that the piss-poor socket firewall has to allow syslogd to bind to port 514. There are three ways to do that, and I'll list them below.

The steps for enabling remote syslog in 10.5:

1. Figure out what syslog "facility" your remote device is using in its reports:
$ sudo tcpdump -s 0 -X port 514
(And it turns out my router uses local7, not local4.)

2. Create a file for the logs:
$ sudo touch /var/log/router.log

3. Save a copy of /etc/syslog.conf and then add a line for the new log:
local7.* /var/log/router.log

4. Uncomment the lines in /System/Library/LaunchDaemons/com.apple.syslogd.plist that are marked as being for remote syslog (they are shown under this hint).

5. Stop the old syslogd configuration and start using the one you've just set up:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

6. (10.5) Add syslogd to the programs allowed by the socket (Apple calls it "application") firewall (socketfilterfw, not ipfw). This can be done in three ways. You can: a) turn off the socket firewall (not my preferred way), b) add syslogd using the firewall GUI (also not my preference), or c) add syslogd to the list of core services.

a) you can turn off the Apple socket firewall in System Preferences->Security->Firewall. Choose "Allow all incoming connections".

b) you can add syslogd to the GUI by selecting "Set access for specific services and applications", then press the "+". In the "choose file" dialog, type <shift><command>G to go to /usr/sbin, then select syslogd. This approach makes it easier to remove the entry for syslogd, but prevents remote syslogging if you choose "Allow only essential services".

c) you can add syslogd to the list of core services by editing /usr/libexec/ApplicationFirewall/com.apple.alf.plist (note: there is a copy of this file at /Library/Preferences/com.apple.alf.plist but the libexec file appears to be the master, and it's ASCII). In a pinch, you can edit this ASCII file with your favorite text editor, or use the Property List Editor, from Developer Tools. Doing this editing is more complicated to describe than it is to do, so don't be too overwhelmed by the instructions below.

First, make a copy of the current file:
$ sudo cp -p /usr/libexec/ApplicationFirewall/com.apple.alf.plist /usr/libexec/ApplicationFirewall/com.apple.alf.plist_current

If you have the property list editor, you can type:
$ sudo open /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Using the plist editor, create a new sibling under the property called "exceptions". Change its type to "dictionary". Create two children under it. Call the first child "Path", make it of type String, with the value /usr/sbin/syslogd. Call the second child "state", of type Number, value 3. (You can do this without the plist editor, but I'll leave that exercise to the reader :)

When you are done, save the result two ways: save it as a text file and as a binary property list file. Even though you ran sudo to edit the file, you won't be able to save the new files on top of the old ones (I suspect that's because of Apple's zealous adoption of ACLs). Save both files to a convenient place (your home directory, for example).

Next, set the permissions for the new files:
$ sudo chown root:admin <new binary file name> <new text file name>
$ sudo chmod 644 <new binary file name> <new text file name>

Then stop the socket firewall:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

And move the files into position:
$ sudo mv <new binary file name> /Library/Preferences/com.apple.alf.plist
$ sudo mv <new text file name> /usr/libexec/ApplicationFirewall/com.apple.alf.plist

Then restart the socket firewall:
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist

[A word of caution on this method: it appears that Apple has designed these files to preserve your changes during a software update. But it's quite possible that the text version in /usr/libexec/ApplicationFirewall/com.apple.alf.plist will be over-written by a software update. Make a copy of the final result, and keep that in mind if you ever have to revert to the text version of the plist file.]

7. If you're security-minded, you probably aren't trusting Apple's socket firewall to do the whole job. If you're also using ipfw (I use WaterRoof to make it easier to use ipfw), you may need an ipfw rule to allow connections from your logging device to the syslogd port on your Mac. If your ipfw ruleset defaults* to "deny", you need a rule like this:

allow udp from <router ip address> to me dst-port 514 in

(* the default Apple rule for ipfw allows all traffic, making it almost useless. The more draconian approach to setting up firewall rules is to create a default deny statement just before Apple's default allow statement, which is built into the kernel.)


Phew! In the good old days of SunOS, it was a hell of a lot easier than it is now... and they call this 'progress'?
Enable remote logging (syslog) in 10.5
Authored by: JimMueller on Apr 18, '09 11:15:48AM

Oh, so close, xr4ti.
Thanks for the wealth of info in your comment.

I had to do some digging into what some of the terms you used meant. For example, how to find the "facility" in the syslog data that was being sent to the syslog server. Adding a -v to the tcpdump command gave me a second line in each incoming message that said:
Facility security (13), Severity info (6)
so my guess is that my D-Link router is naming its syslog facility "security", but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

The Mac we are trying to add syslog ability to has the firewall set to accept all incoming (Slap my wrist if you wish...) which is obviously true because it is seeing the correct tcpdump data coming in on the specified port.
Am I not reading the tcpdump data correctly? Do I need to run it with -vv to read what the facility tag really is?

I just tried a full reboot and there's still nothing getting written to the router log.

Enable remote logging (syslog) in 10.5
Authored by: pediger on Apr 21, '09 12:43:54PM
Facility security (13), Severity info (6) so my guess is that my D-Link router is naming its syslog facility "security", but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

Try remoteauth.* instead of security.*. I recently had the same trouble routing my D-Link log to a Tiger machine. Rather than "security," Wireshark reports:

Facility: LOGAUDIT - log audit (13) and Level INFO - informational (6)

so like you I was trying logaudit.* and audit.*, etc.

If you look at /usr/include/sys/syslog.h you can see how the numbers (13 in this case) map into the facility text codes (remoteauth).

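The facility number is the whole problem in this thread: tcpdump -v labels 13 "security" and Wireshark labels it "LOGAUDIT", but /etc/syslog.conf on Mac OS X wants the keyword from /usr/include/sys/syslog.h, where "security" is only a deprecated alias for auth (4) and 13 is "remoteauth". The Python decoder below is an added example (not code from any poster here) covering step 1 of xr4ti's procedure and the D-Link question above; the facility table is transcribed from Apple's syslog.h, and the sample datagrams are constructed.

```python
import re

# Facility numbers from Mac OS X /usr/include/sys/syslog.h (LOG_* value >> 3),
# keyed to the keyword /etc/syslog.conf expects on the left of a selector.
FACILITY_KEYWORDS = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "netinfo", 13: "remoteauth", 14: "install", 15: "ras",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7", 24: "launchd",
}
KEYWORD_TO_FACILITY = {name: num for num, name in FACILITY_KEYWORDS.items()}
# syslog.h makes "security" a deprecated alias for auth (4), so "security.*" never selects 13.
KEYWORD_TO_FACILITY["security"] = 4
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram: bytes):
    """Split the <PRI> prefix of a raw UDP syslog datagram into (facility, severity)."""
    m = _PRI_RE.match(datagram)
    if m is None:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    return pri >> 3, pri & 7  # PRI = facility * 8 + severity


def syslog_conf_line(datagram: bytes, logfile: str) -> str:
    """Suggest the /etc/syslog.conf line that routes this device's facility to logfile."""
    facility, _ = decode_pri(datagram)
    if facility not in FACILITY_KEYWORDS:
        raise ValueError(f"facility {facility} has no syslog.conf keyword on Mac OS X")
    return f"{FACILITY_KEYWORDS[facility]}.*\t{logfile}"


def selector_matches(selector: str, datagram: bytes) -> bool:
    """True if a selector such as 'remoteauth.*' or 'auth.err' would catch the datagram."""
    keyword, level = selector.split(".", 1)
    facility, severity = decode_pri(datagram)
    if keyword != "*" and KEYWORD_TO_FACILITY.get(keyword) != facility:
        return False
    return level == "*" or severity <= SEVERITIES.index(level)  # that level and more severe


# Constructed sample datagrams, shaped like what `tcpdump -s 0 -X port 514` captures.
SAMPLES = {
    "dlink": b"<110>Apr 21 12:43:54 dlink: login from 192.0.2.10",   # 13*8+6 -> remoteauth
    "netgear": b"<38>Jul 22 14:28:04 netgear: [Admin login] ok",      # 4*8+6  -> auth
    "router": b"<190>Sep 12 19:10:49 router: WAN link up",            # 23*8+6 -> local7
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(name, decode_pri(datagram), syslog_conf_line(datagram, "/var/log/router.log"))
```

Run it against a datagram pasted from your own tcpdump capture to get the selector keyword before touching /etc/syslog.conf.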

Enable remote logging (syslog) in 10.5
Authored by: adinb on Jul 22, '10 02:28:04PM

I have a Netgear router whose logs I'm trying to pull into a Snow Leopard BlackBook. All the basics are working, but I have a little bit of wonkiness that I'm not sure how to fix.

After looking at my tcpdumps, I noticed that it's using a facility originator of 4 (which maps to 'auth').

Everything from my netgear now goes into secure.log (as it's supposed to). Is there any way to re-route the netgear syslog messages into its own file (i.e. netgear.log) without hi-jacking *all* of the local security messages that *should* be going to secure.log?
