Special thanks to helpful reader PeterK who was kind enough to respond to a previous post on this site about syslogd and FreeRADIUS. (I’m still accepting responses, by the way.) His input made this tutorial possible.
Many network devices, such as routers, firewalls, and wireless access points, can send logging messages to other listening devices called syslog servers. Mac OS X uses a syslog server daemon to record its own logging information, and that same daemon can be configured to accept logging information from external devices as well. In this quick tutorial, we’ll do just that by editing a text file and using a new Tiger feature.
Starting with Tiger, syslogd is initiated upon system startup by launchd, a new Apple daemon that manages the instantiation of other daemons and processes. System daemons are launched with the aid of a plist, an XML text file, placed in /System/Library/LaunchDaemons, and a file in that folder, named com.apple.syslogd.plist, is what we must edit to enable external logging functionality.
It’s probably simplest to edit this plist in the Terminal. Backing up this plist file before editing it is a good idea, so start up Terminal and enter this line at the prompt:
sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist ~/Desktop/
For those unfamiliar with the Terminal, this command copies the plist file to the desktop for temporary safekeeping. The command to restore the file to its original state is the inverse:
sudo cp ~/Desktop/com.apple.syslogd.plist /System/Library/LaunchDaemons/
Next, we proceed to edit the plist:
sudo nano /System/Library/LaunchDaemons/com.apple.syslogd.plist
This line starts up the text editor nano as the root user to edit the plist file mentioned above. Scroll down to this line:
<string>/usr/sbin/syslogd</string>
…and add the following directly below it:
<string>-u</string>
Save and exit. The -u we’ve inserted is a switch at the end of the syslogd command that tells the process to listen on UDP port 514. Now that syslogd is configured to receive logging messages from other devices, we have to stop the currently running syslogd process and restart it with the new option to listen:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
launchctl is a utility that instructs launchd to load and unload daemons, among other things. To verify that syslogd is receiving logging messages from external devices, we can watch the system log in action with this command:
tail -f /var/log/system.log
The last screenful of the syslog will be displayed. When new events are received by syslogd, they’ll be displayed on the screen and written to the log. Control-c will terminate the syslog watch.
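A quick way to generate a test message instead of waiting for a device to log something, as an added example that is not part of the original tutorial: run this on a second machine while the tail command is running on the Mac. The script name, the syslog-test tag and the sample address are made up for illustration, and it assumes a bash built with /dev/udp support.

```bash
#!/bin/bash
# Added example: send one test syslog message over UDP to the Mac's syslogd.
# Run from a second machine, for example (address below is a placeholder):
#   bash send-test.sh 192.168.10.5 local0 notice "hello from test"

# Facility name -> code (local0..local7 are 16..23).
facility_code() {
  case "$1" in
    kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
    auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
    local[0-7]) echo $(( 16 + ${1#local} )) ;;
    *) return 1 ;;
  esac
}

# Severity name -> code (0 is most urgent).
severity_code() {
  case "$1" in
    emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
    warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) return 1 ;;
  esac
}

# PRI, the number inside <...> that starts every datagram: facility * 8 + severity.
syslog_pri() {
  fac=$(facility_code "$1") || return 1
  sev=$(severity_code "$2") || return 1
  echo $(( fac * 8 + sev ))
}

# Build "<PRI>Mmm dd hh:mm:ss host tag: message" (BSD syslog layout).
build_packet() {  # args: facility severity message
  pri=$(syslog_pri "$1" "$2") || return 1
  host=$(hostname -s 2>/dev/null || echo testhost)
  printf '<%s>%s %s syslog-test: %s' "$pri" "$(date '+%b %e %H:%M:%S')" "$host" "$3"
}

# Send the datagram to UDP port 514 (needs bash's /dev/udp redirection).
send_test() {  # args: host facility severity message
  pkt=$(build_packet "$2" "$3" "$4") || { echo "unknown facility or severity" >&2; return 1; }
  printf '%s\n' "$pkt" > "/dev/udp/$1/514"
}

if [ "$#" -eq 4 ]; then send_test "$@"; fi
```

Pick a facility and severity that your /etc/syslog.conf routes to /var/log/system.log, otherwise the message arrives but is not written there. UDP syslog carries no authentication, so any host that can reach port 514 can write log lines the same way; limit that port to the devices you expect.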
That was easy! Well… wait for it… there’s a catch. (You knew that, didn’t you?) As of 10.4.1, there is a bug of some kind that affects syslogd. Each day in the wee hours of the morning, your Mac runs a script called /etc/periodic/daily/500.daily. Near the end of that script, the syslogd process is killed using the old-fashioned Unix kill command and when it restarts, for whatever reason, syslogd simply ceases to function. Not only does it not pay attention to log messages sent from other devices, it doesn’t bother to record logging information from the local machine.
Fortunately, there’s a simple fix. Also near the end of 500.daily, there is a command to call up another file named /etc/daily.local. This file is intended to execute additional commands for specific machines on a daily basis. This file may or may not already exist on your Mac. Either way, let’s edit (or create) it with the following command in the terminal:
sudo nano /etc/daily.local
The contents of this file are pretty simple.
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
Save and exit. This script stops and restarts the syslogd process via launchd so that it once again will listen for external logging messages. This script differs just a bit from the commands we used at the terminal. Since 500.daily runs as root and calls up daily.local, daily.local also runs as root, so the sudo command is not needed for launchctl. Also, we’ve inserted a sleep command to give the computer a second to catch its breath.

May 30th, 2006 at 9:27 pm
Rather than directly editing the .plist, it might be easier to use:
sudo defaults write /System/Library/LaunchDaemons/com.apple.syslogd ProgramArguments -array-add -u
Be forewarned that defaults will append a .plist extension, so do not use tab-completion to get com.apple.syslogd.plist, because then defaults will be looking for a file com.apple.syslogd.plist.plist, which is silly silly.
Then go ahead with the
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
May 30th, 2006 at 10:09 pm
Arek,
Excellent suggestion! Thanks for adding that. I’m not used to using defaults write, and any efficient tidbits like that are certainly welcome.
July 4th, 2006 at 9:53 pm
The problem with /etc/daily killing also happens with /etc/weekly and /etc/monthly. So to avoid repeating the same fix, I simply created symbolic links for /etc/weekly.local and monthly.local, like this:
sudo ln -s /etc/daily.local /etc/weekly.local
sudo ln -s /etc/daily.local /etc/monthly.local
Now if I need to modify the “syslog fix” I only need to edit daily.local and those changes are automatically replicated to the weekly and monthly “.local” scripts too. (man ln).
BTW - thanks for publishing this fix, it’s been bugging me for days why syslog just dies after making it listen to my firewall
Cheers!
Greetings from Australia
July 4th, 2006 at 10:48 pm
Another excellent suggestion. Thanks for taking the time to help others with that comment.
December 2nd, 2006 at 7:37 pm
Anyone any clue as how to separate the various external devices into their own logs?
I’ve read the manpage and stuff… no clue on how to bind things to f.e. an IP-address or a name and/or IP-address. Just to make things readable and keep them separated.
Anyone?
April 30th, 2007 at 6:28 pm
A nice way to relaunch com.apple.syslogd.plist is:
launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist && launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
To make things readable and keep them separated in your logs:
/etc/syslog.conf
.
.
.
+192.168.10.100
local6.* /var/log/192.168.10.100.log
.
.
.
writes everything from 192.168.10.100 into /var/log/192.168.10.100.log
cheers
jens
June 25th, 2007 at 6:43 pm
Jens,
I’m not bashing you, but could you please be a little less vague. I’m using OS X 10.4.10, and I cannot get my router’s syslog info to load into its own log, as you described. It continues to feed into /var/log/system.log.
Can you please explain line by line how to get syslog info from my router into its own log folder in “/var/log/router”? What is the significance of local6? Why not local4 or local1? Does it matter? What tells syslog.conf to look for my router log and direct it to its own log folder?
Thanks!
June 30th, 2007 at 11:59 am
D’oh! I figured it out. Works great now! I can see my router logs from the console, in its own log file… awesome! I took pieces of info from Jens’s comment and parts from the MacOSXhints page on this topic and sort of combined them. Had to edit the second line of syslog.config and adding local1.none, then adding that bit of info to the bottom, and …. dam… it would be better if I just showed you all a screen shot of the nano window. Oh well. If anyone wants to see it, shoot me an email at squid3660@yahoo.com.
James Gray… thanks for the weekly and monthly fix! Ingenious.
And thanks to Aaron for posting explicit instructions to get this to work!
July 12th, 2007 at 3:27 pm
According to the help file for Airport Utility, it sends logs using local0.* (That’s a zero). If this helps anyone.
March 28th, 2008 at 10:30 pm
[...] Aaron Adams’s Lame-ass Blog » Blog Archive » Configuring Tiger’s syslogd to accept logs from e… (tags: osx apple itsm) [...]
August 12th, 2008 at 9:22 am
Just an extension for OSX 10.5.x - see http://steen.lykking.dk/?p=45. The above-mentioned “-u” option is no longer functioning on Leopard. Thanks anyway for the comprehensive description!