Enable an Apple Mac OS X machine as a syslog server

Here is a small howto that describes how your Mac OS X machine can also receive logs from remote devices such as an Apple Airport Extreme. There are some howtos available online, but I guess some things have changed in 10.5, as none of them seem to work perfectly.

Change syslogd configuration

# echo "local0.notice /var/log/airport.log" >> /etc/syslog.conf

Touch the logfile

# touch /var/log/airport.log

Change syslogd startup procedure

Near the end of the file, uncomment the NetworkListener block so that syslogd accepts remote logging. The listing below shows the file with that block already uncommented.

# cat /System/Library/LaunchDaemons/com.apple.syslogd.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <!--
        Un-comment the following lines to run syslogd with a sandbox profile.
        Sandbox profiles restrict processes from performing unauthorized
        operations; so it may be necessary to update the profile
        (/usr/share/sandbox/syslogd.sb) if any changes are made to the syslog
        configuration (/etc/syslog.conf).
        -->
        <!--
        <string>/usr/bin/sandbox-exec</string>
        <string>-f</string>
        <string>/usr/share/sandbox/syslogd.sb</string>
        -->
        <string>/usr/sbin/syslogd</string>
    </array>
    <key>MachServices</key>
    <dict>
        <key>com.apple.system.logger</key>
        <true/>
    </dict>
    <key>Sockets</key>
    <dict>
        <key>AppleSystemLogger</key>
        <dict>
            <key>SockPathName</key>
            <string>/var/run/asl_input</string>
            <key>SockPathMode</key>
            <integer>438</integer>
        </dict>
        <key>BSDSystemLogger</key>
        <dict>
            <key>SockPathName</key>
            <string>/var/run/syslog</string>
            <key>SockType</key>
            <string>dgram</string>
            <key>SockPathMode</key>
            <integer>438</integer>
        </dict>
        <!--
        Un-comment the following lines to enable the network syslog protocol listener.
        -->
        <key>NetworkListener</key>
        <dict>
            <key>SockServiceName</key>
            <string>syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>

Restart syslogd

# launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
# launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Open the firewall

Go to System Preferences, click Security, open the Firewall tab and click the +. Select the file /usr/bin/syslog.
If you are unable to select the /usr directory, try this hack by opening a terminal and typing:

$ cd
$ ln -s /usr/bin
$ ln -s /usr/sbin

Now you can select the files (via your home directory) ./bin/syslog and ./sbin/syslogd.

Configure remote devices

Now tell the remote devices (like the Apple Airport Extremes) to send their logs to the IP address of your Mac OS X machine.

See the result

Now either open the application "Console" or, from a terminal, run "tail -f /var/log/airport.log" to see the results as they come in.

Comments

Does this work on more recent releases of macOS (10.6.8)?

I followed the instructions, and got a race where syslogd wanted to write somewhere, was denied, and my cpu was fully chewed up.

Jan 12 08:41:54 desktop sandboxd[955]: syslogd(1175) deny mach-task-name
Jan 12 08:41:56: --- last message repeated 499 times ---
Jan 12 08:41:55 desktop sandboxd[955]: *** process 955 exceeded 500 log message per second limit - remaining messages this second discarded ***

Digging into my syslog, I think that 2 changes should address it, but haven't fully tested yet:

1. Add storedata rule:

(allow file-write* file-read-data file-read-metadata
(regex #"^(/private)?/dev/console$"
#"^(/private)?/var/log/.*\.log$"
#"^(/private)?/var/log/asl\.db$"
#"^(/private)?/var/log/asl/StoreData$"))

2. Allow an ioctl to /dev/klog:
(allow file-ioctl (literal "/dev/klog"))

This was perfect. Quick and easy, just what I was looking for.

I spend quite a lot of time on client sites with my Mac, and before I read this I had to boot into Windows. Now I can stay happily on my desktop :)

I've used your tutorial on Cisco, Nokia, Checkpoint and Stonegate appliances and it works a treat, thanks for sharing.

Gyp

I think you have done great research.
thanks for all the codes. Also you have added the security part, which according to me is really very important.
With all the codes, I think it will work perfectly..
Great Work!!

I am confused. I already have a local0 entry. How does this know airport messages should go in the Airport log?
In fact, this stuff is now showing up in the appfirewall log which is the other local0 entry.

If you already have a local0 entry, you will find the Airport logs in the file/host/device that's referred to there.

In that case you might want to change the Airport configuration to use an unused entry like local1. When that's done, you need to modify /etc/syslog.conf to store local1 in some specific file.

Thanks for the comment. However, it isn't obvious where I would make that change. I see nothing associating the airport name with anything in the syslog.conf. Note that I have added an entry of form +xxx.yyy.zzz.200 to provide the addresses of the boxes in the syslog.conf.

Then we are two. I have the same "problem". The only thing I found was that Cisco IOS devices, CatOS switches, and VPN 3000 Concentrators use facility local7 while Cisco PIX Firewalls use local4 to send syslog messages. Like it's some kind of standard. But let's say we got 2 or 3 airport and we need to save them in different .log files.

You can't do it like this:
local0.* /var/log/airport_office.log
local0.* /var/log/airport_guest.log
local0.* /var/log/airport_reception.log

Correct, that's not really possible with syslog.

Syslog knows only a few differentiators: facilities (kern, user, auth, etc.) and levels (debug, info, notice, etc.).

In case you really need to differentiate per host you can:
- Start up as many syslog daemons as required, all using different hostnames. (Not recommended.)
- Use Syslog-ng. It knows a syntax like this:
destination std { file( "/var/log/$HOST/$FACILITY"); };

I guess syslog-ng is the best solution.
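The facility/level mechanics behind the "local0.notice" selector in /etc/syslog.conf above, and behind the per-host discussion in these comments, as an added example (not part of the original post, and not Apple's or syslog-ng's own code): a small Python script that encodes and decodes the RFC 3164 PRI value, checks a classic syslog.conf selector against a message, and can send a constructed test datagram to the Mac's listener. The destination address and UDP port 514 are assumptions to adjust.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; local0..local7 are 16..23.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def encode_pri(facility, severity):
    """PRI is the <N> prefix of every syslog line: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Reverse of encode_pri: returns (facility name, severity name)."""
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev

def selector_matches(selector, pri):
    """Classic syslog.conf semantics: 'local0.notice' selects local0 messages
    at notice or any MORE severe level (lower number); '*' matches anything.
    The sending host is not part of the selector, which is why several
    devices all using local0 end up in the same file."""
    fac, level = selector.split(".")
    msg_fac, msg_sev = decode_pri(pri)
    if fac != "*" and fac != msg_fac:
        return False
    return level == "*" or SEVERITIES[msg_sev] <= SEVERITIES[level]

def build_message(facility, severity, hostname, tag, text, ts=None):
    """Constructed RFC 3164 datagram, e.g. '<133>Jan 12 08:41:54 airport tag: text'."""
    ts = ts or datetime.now().strftime("%b %d %H:%M:%S")
    return ("<%d>%s %s %s: %s" % (encode_pri(facility, severity), ts,
                                   hostname, tag, text)).encode()

def send_test(host, datagram, port=514):
    """Send one datagram to the Mac's UDP syslog listener (host and port assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))

if __name__ == "__main__":
    msg = build_message("local0", "notice", "airport", "syslog", "test from script")
    print(msg, selector_matches("local0.notice", 133))
    # send_test("192.0.2.10", msg)  # placeholder: replace with your Mac's IP
```

Run it with the send_test line enabled and the test line should appear in /var/log/airport.log; an info-level message from the same device will not, because the selector stops at notice.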
