[HOWTO] - Syslog remote events etc.

Discussion in 'HOWTO & FAQs' started by DanInSFBay, Nov 23, 2004.

  1. DanInSFBay

    How to set up syslogd and syslog.conf to record remote and internal log events in individual log files on 10.3.6
    I'd like to thank all those who created these various help posts.

    First turn on remote syslogging:
    http://docs.info.apple.com/article.html?artnum=107993
    Note:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/syslogd.8.html

    Then open UDP port 514 if required:
    http://docs.info.apple.com/article.html?artnum=106439

    Configure syslog.conf to log the events into a log file:
    http://www.macosxhints.com/article.php?story=20040301223642276
    http://forums.macosxhints.com/showthread.php?t=21236

    My example:

    In syslog.conf, above the first log line:
    *.err;kern.*;auth.notice; (blah blah)

    add the following lines:

    # Log remote Airport Extreme
    #airport IP address
    +1.2.3.4
    *.*<tab><tab>/var/log/AirportExtreme.log
    !* #end block

    # Log router
    #remote router IP address
    +1.2.3.5
    *.*<tab><tab>/var/log/Router.log
    !* #end block

    #OS X Server services
    # IPFW Firewall
    !ipfw
    *.*<tab><tab>/var/log/ipfw.log
    !* #end block

    #CRON events (NOTE CASE)
    !CRON
    *.*<tab><tab>/var/log/RemoteFirewall.log
    !* #end block

    (etc.)

    You can then exclude the log messages so they don't appear in other logs (I don't) using:
    http://forums.macosxhints.com/showthread.php?t=25815&highlight=syslog

    Remember to create (touch) the above log files.
    You may want to modify your daily and weekly log rotation:
    Ex. in 500.weekly look for this line and add your log file names:
    for i in ftp.log lookupd.log (blah blah)

    Again, the true authors:
    http://forums.macosxhints.com/showthread.php?t=21236 --> send IPFW to its own log
    http://www.macosxhints.com/article.php?story=20040301223642276 --> how to receive from remote hosts
    http://www.oit.duke.edu/mac/OSX_logging.html --> Start and Stop syslogd etc.
    http://docs.info.apple.com/article.html?artnum=107993 --> Turn on remote syslog server
    http://forums.macosxhints.com/showthread.php?t=25815&highlight=syslog --> exclude log events

    and, most important, the missing OS X syslog.conf man page!

    http://www.freebsd.org/cgi/man.cgi?...ath=FreeBSD+5.3-RELEASE+and+Ports&format=html

    I hope this helps...
     
  2. scruffy

    Weird - that's nothing like the syslogd manpage that's actually included with 10.3.6 - check the manpage, it's tiny, for some much more minimal syslogd - it has about 4 flags, compared to, what, 16 on their webpage?

    And even the syslog.conf manpage on apple's developer site doesn't include the !program stuff - one of the macosxhints forums you link to quotes FreeBSD distro's syslog.conf manpage, which seems to correspond to the version OS X uses...
     
  3. Bubz

    I believe that in the example above, it should show +* to end the IP blocks.

    #So IP block start
    +1.2.3.4 #whatever the actual IP address is
    #and end
    +*

    #Program block start
    !ipfw #or whatever actual program name is
    #Program block end
    !*

    At least this seems to be the behaviour in Tiger.
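
    The following is an added example, not code posted by anyone in this thread. It is a small Python model of how a FreeBSD-style syslogd (the lineage of the Darwin daemon, which scruffy's reply and Bubz's Tiger observation both point to) applies the `+host` and `!prog` blocks from syslog.conf, and it routes a few constructed sample messages through the first post's blocks twice: once with the host blocks closed by `!*` as posted, once closed by `+*` as Bubz suggests. The host names (`macserver`), program names, facilities, the stand-in `system.log` selector line and the three sample messages are all made up for the example; only `*`, `none` and "this level or more severe" selectors are modelled.

```python
"""Model of how a FreeBSD-style syslogd (the lineage of the Darwin 10.x daemon)
applies '+host' and '!prog' blocks from syslog.conf.  Constructed example for
this thread, not code posted in it.  Modelled: '*', 'none' and the usual
'this level or more severe' selectors.  Not modelled: '=level', '!level',
'-host', '+@', host/program lists, and hostname-vs-IP resolution."""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def parse_conf(text):
    """Return rules as (host_filter, prog_filter, selectors, action); None = any.
    '+*' resets only the host filter and '!*' only the program filter, so a
    host block closed with '!*' leaks its host filter into every later rule."""
    host = prog = None
    rules = []
    for raw in text.splitlines():
        line = raw.replace("<tab>", "\t").strip()  # the post spells tabs as <tab>
        if not line or line.startswith("#"):
            continue
        if line[0] in "!+":
            name = (line[1:].split() or ["*"])[0]
            if line[0] == "!":
                prog = None if name == "*" else name
            else:
                host = None if name == "*" else name
            continue
        selectors, action = line.split(None, 1)
        rules.append((host, prog, selectors.split(";"), action.strip()))
    return rules


def selectors_match(selectors, facility, level):
    """Evaluate 'fac1,fac2.level;...' left to right; a later selector naming
    the facility overrides an earlier one (that is how 'x.none' excludes)."""
    level = ALIASES.get(level, level)
    result = False
    for sel in selectors:
        facs, _, lvl = sel.rpartition(".")
        lvl = ALIASES.get(lvl, lvl)
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "none":
            result = False
        elif lvl == "*":
            result = True
        else:
            result = LEVELS.index(level) <= LEVELS.index(lvl)
    return result


def route(rules, host, prog, facility, level):
    """Return the log files a message (host, program, facility, level) reaches."""
    return [action for h, p, sels, action in rules
            if (h is None or h == host) and (p is None or p == prog)
            and selectors_match(sels, facility, level)]


def example_conf(host_block_end):
    """The first post's blocks above a stand-in system.log line (constructed);
    host_block_end is the line that closes each '+host' block."""
    return f"""\
+1.2.3.4
*.*<tab><tab>/var/log/AirportExtreme.log
{host_block_end}
+1.2.3.5
*.*<tab><tab>/var/log/Router.log
{host_block_end}
!ipfw
*.*<tab><tab>/var/log/ipfw.log
!*
!CRON
*.*<tab><tab>/var/log/RemoteFirewall.log
!*
*.err;kern.*;auth.notice<tab>/var/log/system.log
"""


# Constructed sample messages: (host as syslogd recorded it, program, facility, level).
SAMPLES = {
    "airport": ("1.2.3.4", "syslog", "kern", "info"),
    "local_ipfw": ("macserver", "ipfw", "security", "info"),
    "local_kernel": ("macserver", "kernel", "kern", "err"),
}


def compare(name):
    """Route one sample through the posted ('!*') and corrected ('+*') configs."""
    host, prog, facility, level = SAMPLES[name]
    return (route(parse_conf(example_conf("!*")), host, prog, facility, level),
            route(parse_conf(example_conf("+*")), host, prog, facility, level))


if __name__ == "__main__":
    for name in SAMPLES:
        posted, fixed = compare(name)
        print(f"{name:13s} posted={posted}  fixed={fixed}")
```

    Under these semantics the posted file does more than leave ipfw.log empty: once `+1.2.3.5` is opened and never closed with `+*`, every rule after it, including the original system.log line the blocks were placed above, applies only to messages from the router, so local ipfw and kernel messages reach no file at all. Two caveats for the real daemon that the model glosses over: `+1.2.3.4` is compared against the host field syslogd recorded for the sender, so if it logs a resolved name rather than the address the block will not match, and the selector line must use real tab characters, not the literal `<tab>` the post uses to show them.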
     
