How do you enable syslogd to accept incoming connections on Snow Leopard from remote loggers?


Solution 1

I haven't tried this, but I looked in the plist for syslogd (/System/Library/LaunchDaemons/com.apple.syslogd.plist) and see this part commented out:

<!--
        Un-comment the following lines to enable the network syslog protocol listener.
-->
<!--
        <key>NetworkListener</key>
        <dict>
                <key>SockServiceName</key>
                <string>syslog</string>
                <key>SockType</key>
                <string>dgram</string>
        </dict>
-->

Remove the comments and then reload the service:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

and you're likely on your way.


Answer to your secondary question -- newsyslog is similar to logrotate, often found on Linux systems. man newsyslog (or online) will tell you more.

As installed with Snow Leopard, it is run every 30 minutes by launchd per this bit in its plist:

<key>StartCalendarInterval</key>
<dict>
    <key>Minute</key>
    <integer>30</integer>
</dict>

Solution 2

Note that if you're trying to do this on a Snow Leopard Server machine (at least with 10.6.4), you'll find that there is no commented-out section in /System/Library/LaunchDaemons/com.apple.syslogd.plist (and that the plist file is stored in a binary format).

However, copying and pasting the key that Doug quotes above will do the trick, although first you will need to convert the format of the file to text thusly:

sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist

...and you should probably convert it back afterwards (conversions happen in situ):

sudo plutil -convert binary1 /System/Library/LaunchDaemons/com.apple.syslogd.plist

...then reload the launchd daemon per Doug's instructions.

Afterwards the full plist file should read as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnableTransactions</key>
    <true/>
    <key>HopefullyExitsLast</key>
    <true/>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.system.logger</key>
        <true/>
    </dict>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/syslogd</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>AppleSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/asl_input</string>
        </dict>
        <key>BSDSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
        <key>NetworkListener</key>
        <dict>
            <key>SockServiceName</key>
            <string>syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>

One more note: if, like me, you want to send your AirPort base stations' (and/or Time Capsules') syslog outputs to your server, they use facility 0, which cannot be changed. This means that they will be automatically logged to /var/log/appfirewall.log because of the following default entry in /etc/syslog.conf:

local0.*                                               /var/log/appfirewall.log

On the Server version of the OS, you can safely change the filename to e.g. AirPort.log once you've issued the following command:

sudo touch /var/log/AirPort.log

...since Apple's Application Firewall (socketfilterfw) is off by default (and should remain off on a server—ipfw is all you really want). I'm not sure if it's possible to reconfigure socketfilterfw to use a different syslog facility.

Solution 3

Another method of enabling network access to syslogd on Snow Leopard is using the command line program PlistBuddy,

sudo /usr/libexec/PlistBuddy /System/Library/LaunchDaemons/com.apple.syslogd.plist
add :Sockets:NetworkListener dict
add :Sockets:NetworkListener:SockServiceName string syslog
add :Sockets:NetworkListener:SockType string dgram
save
quit

And then restart the daemon,

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

You can use lsof to check that syslogd is now listening on the standard syslog port, 514,

$ sudo lsof -i:514
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
launchd     1 root   44u  IPv6 0x0e459370      0t0  UDP *:syslog
launchd     1 root   56u  IPv4 0x0f7a9ef0      0t0  UDP *:syslog
syslogd 24319 root    5u  IPv6 0x0e459370      0t0  UDP *:syslog
syslogd 24319 root    6u  IPv4 0x0f7a9ef0      0t0  UDP *:syslog
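
An added example, not from any of the answers above: a Python check that reads the syslogd plist in either the XML or the binary format mentioned in Solution 2 and reports which launchd sockets accept traffic from other hosts, as a file-level counterpart to the lsof check in Solution 3. The sample job is constructed from the plist shown on this page, the function names are hypothetical, and SockNodeName is the launchd.plist key that sets a bind address.

```python
import plistlib

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the Sockets section of the plist shown in Solution 2.
SAMPLE_JOB = {
    "Label": "com.apple.syslogd",
    "Sockets": {
        "AppleSystemLogger": {"SockPathMode": 438, "SockPathName": "/var/run/asl_input"},
        "BSDSystemLogger": {"SockPathMode": 438, "SockPathName": "/var/run/syslog",
                            "SockType": "dgram"},
        "NetworkListener": {"SockServiceName": "syslog", "SockType": "dgram"},
    },
}


def audit_sockets(raw):
    """Return one finding per launchd socket; raw is XML or binary plist bytes."""
    job = plistlib.loads(raw)  # detects xml1 vs binary1 itself, no plutil needed
    findings = []
    for name, spec in sorted(job.get("Sockets", {}).items()):
        # launchd accepts a dict or an array of dicts under each socket key
        for sock in (spec if isinstance(spec, list) else [spec]):
            if "SockPathName" in sock:
                mode = sock.get("SockPathMode")
                findings.append({
                    "name": name, "kind": "unix", "bind": sock["SockPathName"],
                    # plists store the mode in decimal: 438 is 0o666
                    "mode": None if mode is None else oct(mode),
                    "remote": False,
                })
            else:
                node = sock.get("SockNodeName")  # absent means all interfaces
                proto = "udp" if sock.get("SockType", "stream") == "dgram" else "tcp"
                findings.append({
                    "name": name, "kind": proto,
                    "bind": f"{node or '*'}:{sock.get('SockServiceName')}",
                    "mode": None,
                    "remote": node not in LOOPBACK,
                })
    return findings


def remote_listeners(raw):
    """Names and bind addresses of sockets reachable from other hosts."""
    return [f"{f['name']} {f['kind']} {f['bind']}" for f in audit_sockets(raw) if f["remote"]]


if __name__ == "__main__":
    for fmt in (plistlib.FMT_XML, plistlib.FMT_BINARY):
        print(remote_listeners(plistlib.dumps(SAMPLE_JOB, fmt=fmt)))
```

On the Mac itself, pass the bytes of /System/Library/LaunchDaemons/com.apple.syslogd.plist to audit_sockets. A wildcard bind corresponds to the `*:syslog` rows in the lsof output, so the ipfw rules mentioned in Solution 2 are what limit which hosts can write to the log.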

Author: Emmel

Updated on September 17, 2022

Comments

  • Emmel
    Emmel almost 2 years

    How do I get syslogd to accept incoming connections from remote hosts on Snow Leopard?

    I'd like to centralize logging such that various devices and systems send logs to Snow Leopard's syslogd, which normally hangs out on UDP 514. However, I'm unable to get them to successfully be accepted by good ole syslogd. I tcpdumped on the Snow Leopard box to verify that packets are being spouted to port 514 -- they are. I checked that syslogd is listening on 514 -- it's not.

    Googling around told me that, on older versions of OSX (don't you love the way things change so rapidly on OSX), one just had to add a flag to the syslogd daemon to allow remote; one did this in com.apple.syslogd.plist. However the syslogd daemon has no flags (at least in its man page) that suggests any remote anything.

    What's the solution to this?

    Secondary, less important but relevant question: What's 'newsyslog'? I see a plist file but it's not running (apparently).

    Thanks

  • Emmel
    Emmel about 14 years
    Awesome! That's exactly the answer I was looking for. I just tested it and yes, confirmed it works. Thanks, Doug.
  • Yarek T
    Yarek T over 13 years
    Just what I was looking for, perfect answer!
  • Dennis Wurster
    Dennis Wurster almost 13 years
    This was exactly what I was trying to do! Namely, get my 4 AEBSs to log to my Xserve running SLS. Much appreciated!
  • tgunr
    tgunr over 11 years
    I usually add the -udp_in arg so I can tell from a ps command if I have it running as a remote listener. <key>ProgramArguments</key> <array> <string>/usr/sbin/syslogd</string> <string>-udp_in</string> </array>
  • Steve Powell
    Steve Powell over 9 years
    This solution appears to work in Yosemite, too. Thank you.