Syslogd Mac OS

Community:HowTo Configure Mac OS X Syslog To Forward Data

From Splunk Wiki

This tutorial shows how to configure Mac OS X to forward syslog events to a remote server.
The following configuration steps were tested and validated on a MacBook Pro running Mac OS X 10.6.2 (Snow Leopard).

Background

Mac OS X Console.app (Applications — Utilities — Console.app) is the standard interface for viewing all events the operating system records. It is simple and functional, but not very friendly when it comes to displaying the entries and actually finding useful information.

Splunk has a Mac OS X version that allows better and more complete monitoring of the system and its syslog events; it can also be installed and configured as a forwarder to your central monitoring server. It does not need to be installed, however, just to monitor syslog-generated events.

It is worth mentioning that in order to capture events forwarded by Mac OS X (or any other syslog forwarder, actually) you have to configure the Splunk server to:
(a.) receive data inputs on UDP port 514, and
(b.) allow incoming traffic through this port on all firewalls in place between the Mac OS X and the Splunk server — including the Windows Firewall, if that’s the case.

It is also worth noting that Mac OS X will simply forward all syslog data as a single source, not separated by log file the way the Universal Forwarder does.

Configuring the Mac OS X Syslogd

The next steps are to be executed in a Terminal window, the Mac OS X command line interface. The steps to configure the syslog forwarding are:

1. Open a Terminal window: Applications — Utilities — Terminal, or by using the Spotlight (shortcut: command+space > Terminal)

2. Before touching anything, make a backup copy of the syslog configuration file (syslogd.conf) into the /tmp folder:

3. Open the configuration file in your favorite editor (in this case, we're using vi):

Use the 'sudo' command to execute vi with 'root' privileges, otherwise you won't be able to edit the file. Enter the password of the administrator account you are currently logged in as to continue.

4. Insert the following line anywhere in your syslogd.conf file, replacing the IP address 192.168.1.12 with the IP address of your Splunk server’s network interface.

Type 'i' in vi to enter insert mode (text entry), then add the line above anywhere in the file.
IMPORTANT: The selector and action fields (see below) are separated by TABs. Do not use spaces.

The syslogd.conf file consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies the action to be taken if a message syslogd receives matches the selection criteria.

If you would like to forward your syslog output on a port other than the standard 514, you can do so by specifying the port for your destination; e.g.

results in your syslog data being forwarded to port 5140 instead of the usual port 514.

Selectors are encoded as Facility.Level. The line above tells the Mac OS X syslog daemon to forward a copy of all (*.*) events to the syslog server listening on IP address 192.168.1.12. If you don't want to send all events, you can filter them by setting a different level; for instance, you can replace '*.*' with '*.notice'. Check the syslogd.conf and syslog manual pages for all the options.


5. Save and exit: press 'ESC' to leave insert mode, and save the file by typing ':wq'. If you don't want to save it now, type ':q!' to exit vi without saving and start over.

6. Restart the 'syslogd' service. Before doing so, check whether it is running by typing:

The following commands restart the service. Enter your password one more time if necessary.

Check that the service was really shut down and restarted by typing the same command again. The counter should have been reset and the PID (5070 in the example above) should be a different one.

You can use 'tcpdump' to verify that the events are being forwarded to the remote server. Use the 'ifconfig' command to get the name of the Mac OS X network interface connected to the same IP network segment as the Splunk server, and use it as a filter for 'tcpdump'. In this case, the interface name is 'en1':

To log an event, open a new Terminal window on Mac OS X and use the 'logger' command.

If tcpdump doesn't report the Testing message, first double-check the tcpdump arguments, then review the configuration and check that there is connectivity between the Mac OS X station and the Splunk server.

Lastly, check that UDP/514 traffic is allowed through any firewalls.

Worst case, restore your backup copy from the /tmp folder and repeat the process.
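The parser below is an added example (Python), not code from the Splunk wiki or from Apple's syslogd. It reads syslog.conf lines in the two-field, TAB-separated layout the steps above describe, applies the classic BSD selector semantics (a Facility.Level selector matches that level and every more severe one, so '*.notice' drops info and debug; 'facility.none' excludes a facility; later selectors override earlier ones), and reports which actions a given message would trigger, including '@host' and '@host:port' forwarding rules. The sample configuration, the BROKEN_CONF lines, the message facilities and levels, and the lint() helper are constructed for the example; the 192.168.1.12 address and port 5140 are the page's own.

```python
# Added example, not from the Splunk wiki page or Apple's syslogd: a parser for
# BSD-style syslog.conf lines that follows the page's two rules (selectors are
# Facility.Level; selector and action are separated by a TAB).

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_SYSLOG_PORT = 514


def parse_line(line):
    """Split one syslog.conf line into (selector, action).

    Returns None for blank lines and comments.  Raises ValueError when the two
    fields are separated by spaces instead of a TAB, the mistake the page warns
    about.
    """
    text = line.rstrip("\n")
    if not text.strip() or text.lstrip().startswith("#"):
        return None
    if "\t" not in text:
        raise ValueError("selector and action must be TAB-separated: %r" % text)
    selector, action = text.split("\t", 1)
    return selector.strip(), action.strip()


def parse_action(action):
    """Classify an action field: '@host' or '@host:port' forwards over UDP,
    anything else is treated as a local log file path."""
    if action.startswith("@"):
        host, _, port = action[1:].partition(":")
        return ("forward", host, int(port) if port else DEFAULT_SYSLOG_PORT)
    return ("file", action)


def selector_matches(selector, facility, level):
    """Classic BSD selector semantics: 'fac.level' matches that level and every
    more severe one, 'fac.none' drops the facility, '*' is a wildcard, parts are
    separated by ';' and facilities inside a part by ','.  Later parts override
    earlier ones for the same facility."""
    severity = LEVELS.index(level)
    matched = False
    for part in selector.split(";"):
        facs, _, lev = part.strip().rpartition(".")
        fac_list = facs.split(",")
        if facility not in fac_list and "*" not in fac_list:
            continue
        if lev == "none":
            matched = False
        elif lev == "*" or severity <= LEVELS.index(lev):
            matched = True
        else:
            matched = False
    return matched


def route(conf_text, facility, level):
    """Return the list of actions a (facility, level) message would trigger."""
    actions = []
    for line in conf_text.splitlines():
        parsed = parse_line(line)
        if parsed and selector_matches(parsed[0], facility, level):
            actions.append(parse_action(parsed[1]))
    return actions


def lint(conf_text):
    """Report lines syslogd would not parse as intended: space-separated
    fields and unknown level names."""
    problems = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        try:
            parsed = parse_line(line)
            if parsed:
                for part in parsed[0].split(";"):
                    lev = part.strip().rpartition(".")[2]
                    if lev not in LEVELS + ["*", "none"]:
                        raise ValueError("unknown level %r" % lev)
        except ValueError as exc:
            problems.append("line %d: %s" % (number, exc))
    return problems


# Constructed sample configuration (not copied from any real machine): local
# file rules plus the page's forwarding rule and a variant on port 5140.
SAMPLE_CONF = (
    "# local logging\n"
    "*.notice;authpriv,ftp.none;kern.debug;mail.crit\t/var/log/system.log\n"
    "mail.*\t/var/log/mail.log\n"
    "# forward everything to the Splunk server\n"
    "*.*\t@192.168.1.12\n"
    "*.*\t@192.168.1.12:5140\n"
)

# Constructed broken lines: spaces instead of a TAB, and a level that does not exist.
BROKEN_CONF = "*.*    @192.168.1.12\n*.verbose\t/var/log/x.log\n"

if __name__ == "__main__":
    for fac, lev in [("mail", "notice"), ("kern", "debug"), ("ftp", "err")]:
        print(fac, lev, "->", route(SAMPLE_CONF, fac, lev))
    print(lint(BROKEN_CONF))
```

Running lint() over a copy of the real file before restarting syslogd catches the space-versus-TAB mistake offline, and route() shows why a '*.notice' rule never forwards info or debug messages.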


syslogd

Apple System Log server (ASL)
ASLManager log file manager

syslogd [-d] [-D] [-m mark_interval] [-c log_cutoff] [-l lib_path] [-db_max size]
        [-utmp_ttl time] [-fs_ttl time] [-mps_limit quota] [-dup_delay time]
        [-module_name <0|1>]

The syslogd server receives and processes log messages. Several modules receive input messages through various channels, including UNIX domain sockets associated with the syslog, asl, and kernel printf APIs, and optionally on a UDP socket(514) from network clients.

The Apple System Log facility comprises the asl APIs, the syslogd server, the syslog command-line utility, and a data store file manager, aslmanager.

Log messages are retained in a 'data store', subject to automatic archival and input filtering, which simplifies locating log messages and facilitates browsing and searching.

syslogd is started by launchd using /System/Library/LaunchDaemons/com.apple.syslogd.plist

-d Write debugging output to STDERR.

Example: after
sudo killall -hup syslogd
syslogd re-read /etc/asl.conf. The debugging output below was displayed by tail -f /var/log/syslogderr (with /System/Library/LaunchDaemons/com.apple.syslogd.plist including StandardErrorPath /var/log/syslogderr and ProgramArguments including -d):

asl_in: accepting connection
asl_in: error connecting socket fd 4: Resource temporarily unavailable
register_session: 14367 PID 21882
action = 6 options = /var/log/DiagnosticMessages exclude_asldb
action = 4 options = 0 80
action = 4 options = 0 80
action = 3 options = (null)
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL
action = ACTION_STORE options = NULL

-D Start as a daemon: syslogd forks and the child process becomes a daemon.
-m mm Minutes between --MARK-- messages used to indicate that syslogd is alive. Default: 20 minutes. If not specified: disabled, i.e. mm is 0.
-c log_cutoff Cutoff filter for the log priorities of messages to be retained in the log message data store, between 0 and 7, corresponding to the log priorities
0) LOG_EMERG or ASL_LEVEL_EMERG
...
7) LOG_DEBUG or ASL_LEVEL_DEBUG
as defined in the syslog(3) and asl(3) header files. Received messages with a priority or level value greater than the cutoff will not be saved in the data store. Default: allow all.

The cutoff value may be adjusted while syslogd is running using the syslog command-line utility. See the syslog(1) manual page.

-l plug_path Alternate path for loading plug-in modules. Default: /usr/lib/asl.
-db_max bbb Size limit, in bytes, for files in the data store. Default: 25MB. Files are closed upon reaching the maximum size, and a new file is opened for subsequent messages.
-utmp_ttl sss Time-to-live in seconds for messages used by utmp, wtmp, and lastlog. Default: 31,622,400 seconds (approximately 1 year). If archival is enabled (see aslmanager), these messages will be copied to an archive after the regular time-to-live interval, but will persist in the data store until their own expiry time.
-fs_ttl sss Time-to-live in seconds for filesystem error messages generated by the kernel. Default: 31,622,400 seconds (approximately 1 year). If archival is enabled, these messages will be copied to an archive after the regular time-to-live interval but will persist in the data store until their own expiry time.
-mps_limit mm Messages per second, per process; excess messages are ignored. An error message is logged on behalf of the limited process, stating that its message quota has been exceeded and that remaining messages for the current second will be discarded. Default: 500 messages per second per process. A value of 0 turns off the quota mechanism.
-dup_delay sss Seconds to wait for coalescing duplicate messages in log files. If a process logs multiple messages with the same text, syslogd will wait sss seconds and coalesce the duplicates into a message similar to:
May 7 12:34:56: --- last message repeated 17 times ---
Default: 30; 0 disables coalescing.
-asl_in 0|1 Receives log messages on the UNIX domain socket associated with the asl API. Disabled using -asl_in 0. Initially enabled.
-bsd_in 0|1 Receives log messages on the UNIX domain socket associated with the syslog API. Disabled using -bsd_in 0. Normally enabled.
-klog_in 0|1 Receives log messages on the UNIX domain socket associated with the kernel logging API. Disabled using -klog_in 0. Initially enabled.
-udp_in 0|1 Receives log messages on the UDP socket associated with the Internet syslog message protocol. Normally enabled, but inactive. UDP sockets are managed by launchd and configured in the syslogd configuration file /System/Library/LaunchDaemons/com.apple.syslogd.plist. By default, launchd does not open any sockets for the syslog UDP service, so no sockets are provided to the udp_in module. If no sockets are provided, the module remains inactive. Disabled using -udp_in 0.
-bsd_out This module exists for backward compatibility. Use of the syslog(1) and asl(3) search APIs is preferred over use of the log files that are specified in /etc/syslog.conf. Future versions of Mac OS will move functions that are currently handled by bsd_out to asl_action.

Acts on messages according to the rules in /etc/syslog.conf.

-asl_action Acts on messages according to the rules specified in /etc/asl.conf. See asl.conf.

syslogd reinitializes in response to a HUP signal.

MESSAGE EXPIRY AND ARCHIVAL

DATA STORE SECURITY

Clients may use any value for the facility.
Attempts by non-UID 0 processes to specify a facility with the prefix com.apple.system will be logged with facility user.

FILES

/etc/syslog.conf bsd_out module configuration file
/etc/asl.conf asl_action module configuration file
/var/run/syslog.pid process ID file
/var/run/log name of the UNIX domain datagram log socket
/dev/klog kernel log device
/var/log/asl data store directory (notice the odd naming: a file from Dec 25 2009 called bb2012.12.31.…)
/var/log/asl.archive default archive directory

/etc/asl.conf syslogd reads the asl.conf file at startup and when a HUP signal is received; the aslmanager daemon reads the file when it starts.
The file contains parameter settings, which override command-line options (see aslmanager for the settings it uses), and query-action rules that trigger actions when messages match.

Parameter Settings

Parameter settings begin with = and are of the form:
= parameter_name value

debug 0|1 [ffff] Enable debug messages; if the optional file name is given, debug messages are written to that file.
cutoff n ASL data store cutoff level, 0 to 7. Default: 7, allowing any message that matches a "store" action (see QUERY-ACTION RULES below) to be saved. A lower value will prevent messages with log priority levels numerically greater than the specified cutoff from being saved.
mark_time ss Time interval for the mark facility. Default: 0 seconds, which indicates that mark messages are not generated.
dup_delay ss Maximum time that the bsd_out module will allow before writing a "last message repeated ... times" message in a log file specified in /etc/syslog.conf. Default: 30 seconds.
utmp_ttl ssss Time-to-live for messages used by the utmp, wtmp, and lastlog subsystems. Default: 31622400 seconds (approximately 1 year).
fs_ttl sss Time-to-live for filesystem error messages generated by the kernel. Default: 31622400 seconds (approximately 1 year).
mps_limit nnn Per-process messages-per-second quota. Default: 500. 0 disables the quota mechanism.
db_max bbb Size limit, in bytes, for individual files in the ASL data store. Default: 25,600,000 bytes.

QUERY-ACTION RULES

For example:
? [= Sender sname] [

Query

Actions

stayopen will improve performance if a high volume of messages is expected.

exclude_asldb will cause syslogd to save matching messages in the specified file, but exclude them from the main ASL data store.

If there are no matching rules for the ASL data store, syslogd will save all messages, subject to filtering in accordance with the log cutoff level.

Queries comprise one or more message matching components, each of which has the form [OP KEY VAL], where OP is a comparison operator:
T true (always matches),
= equal, ! not equal,
> greater than, >= greater than or equal, < less than, <= less than or equal.

The operator can be preceded by modifiers:
C casefold, N numeric comparison, S substring, A prefix, Z suffix.

KEY and VAL are compared against the keys and values of the message. For example
[= Sender local1] matches any message with key="Sender" and val="local1".

The query
[CA= Color gr]

matches any message with key=Color and val beginning with the letters GR, Gr, gr, or gR (C meaning casefold, A meaning prefix).

The example query
[= Sender mail] [N< Level 3]

matches any message from "mail" with a level numerically less than 3 (i.e. more important than notice).
The text values may be used equivalently for the Level key, so the example above may also be written as:
[= Sender mail] [< Level notice]

Text values for levels may be emergency, alert, critical, error, warning, notice, info, or debug.

T is useful to test for the presence of a particular key:

[T Flavor] will match any message that has a "Flavor" key, regardless of its value.

notify key Post a notification with notify_post().
Sets read access controls for messages that match the associated query pattern, restricting read access to matching messages.
store [fff] Save matching messages in the ASL data store, or in a separate log message file fff. A separate data store file may be accessed using the syslog command-line utility. A new file will be created if one does not exist, with the UID, GID, and mode given by "uid=UUU", "gid=GGG", and "mode=0MMM".
Causes matching messages to be stored in a log message data store file in an existing directory; files are named yyyy.mm.dd.asl. Options: "exclude_asldb", "uid=UUU", "gid=GGG", and "mode=0MMM".
broadcast [constant] Write the text of matching messages, or the given constant message, to all terminal windows.
ignore The message is ignored.

AccountPolicyHelper, Accounts, CoreDuetAdmissionControl, MessageTracer, authd, authkit.osx.asl, awdd, callhistory.asl.conf, cdscheduler, cloudd, clouddocs, commerce.asl, contacts.ContactsAutocomplete, corecdp.osx.asl, corespotlight, eventmonitor, family.asl, ical, icloud.FindMyDevice, icloud.fmfd, install, iokit.power, mail, mobileme.fmf1, mobileme.fmf1.internal, networking.symptoms, performance, secinitd, securityd, xpc.activity

See also: linux syslogd, syslog, logger(1), syslog(3), syslog.conf(5), asl.conf(5), asl(3)

Forwarding messages: use sudo tcpdump -i en1 host 192.168.1.12 and udp port 514 to verify that log entries are being forwarded.
