# [HOWTO] - Syslog remote events etc.



## DanInSFBay (Nov 23, 2004)

How to setup syslogd and syslog.conf to record remote and internal log events into individual log files using 10.3.6
I'd like to thank all those who created these various help posts.

First turn on remote sysloging:
http://docs.info.apple.com/article.html?artnum=107993 
Note:
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/syslogd.8.html

Then open UDP port 514 if required:
http://docs.info.apple.com/article.html?artnum=106439

Configure syslog.conf to log the events into a log file:
http://www.macosxhints.com/article.php?story=20040301223642276
http://forums.macosxhints.com/showthread.php?t=21236

My example:

In syslog.conf, above the first log line:
     *.err;kern.*;auth.notice; (blah blah)

add the folowing lines:

  # Log remote Airport Extreme 
  #airport IP address
  +1.2.3.4
  *.*<tab><tab>/var/log/AirportExtreme.log
  !*   #end block

  # Log router
  #remote router IP address
  +1.2.3.5
  *.*<tab><tab>/var/log/Router.log
  !*   #end block

  #OS X Server services
  # IPFW Firewall
  !ipfw
  *.*<tab><tab>/var/log/ipfw.log
  !*   #end block

  #CRON events (NOTE CASE)
  !CRON
  *.*<tab><tab>/var/log/RemoteFirewall.log
  !*   #end block

(etc.)

You can then exclude the log messages so they don't appear in other logs (I don't) using:    
http://forums.macosxhints.com/showthread.php?t=25815&highlight=syslog 

Remember to create (touch) the above log files.
You may want to modify your daily and weekly log rotation:
Ex. in 500.weekly look for this line and add your log file names:
    for i in ftp.log lookupd.log (blah blah) 

Again, the true authors:
http://forums.macosxhints.com/showthread.php?t=21236   --> send IPFW to its own log
http://www.macosxhints.com/article.php?story=20040301223642276  --> how to receive from remote hosts
http://www.oit.duke.edu/mac/OSX_logging.html --> Start and Stop syslogd etc.
http://docs.info.apple.com/article.html?artnum=107993  --> Turn on remote syslog server
http://forums.macosxhints.com/showthread.php?t=25815&highlight=syslog  --> exclude log events

and most important the missing OS X syslog.conf man page!  

http://www.freebsd.org/cgi/man.cgi?...ath=FreeBSD+5.3-RELEASE+and+Ports&format=html

I hope this helps...


----------



## scruffy (Nov 24, 2004)

Weird - that's nothing like the syslogd manpage that's actually included with 10.3.6 - check the manpage, it's tiny, for some much more minimal syslogd - it has about 4 flags, compared to, what, 16 on their webpage?

And even the syslog.conf manpage on apple's developer site doesn't include the !program stuff - one of the macosxhints forums you link to quotes FreeBSD distro's syslog.conf manpage, which seems to correspond to the version OS X uses...


----------



## Bubz (Oct 1, 2006)

I believe that in the example above, it should show +* to end the IP blocks.

#So IP block start
+1.2.3.4 #whatever the actual IP address is
#and end
+*

#Program block start
!ipfw #or whatever actual program name is
#Program block end
!*

At least this seems to be the behaviour in Tiger.


----------

