How do you enable syslogd to accept incoming connections on Snow Leopard from remote loggers?
Solution 1:
I haven't tried this, but I looked in the plist for syslogd (/System/Library/LaunchDaemons/com.apple.syslogd.plist) and see this part commented out:
<!--
Un-comment the following lines to enable the network syslog protocol listener.
-->
<!--
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
-->
Remove the comments and then reload the service:
$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
and you're likely on your way.
Answer to your secondary question -- newsyslog is similar to logrotate often found on Linux systems. man newsyslog (or online) will tell you more.
As installed with Snow Leopard, it is run every 30 minutes by launchd per this bit in its plist:
<key>StartCalendarInterval</key>
<dict>
<key>Minute</key>
<integer>30</integer>
</dict>
Solution 2:
Note that if you're trying to do this on a Snow Leopard Server machine (at least with 10.6.4), you'll find that there is no commented-out section in /System/Library/LaunchDaemons/com.apple.syslogd.plist (and that the plist file is stored in a binary format).
However, copying and pasting the key that Doug quotes above will do the trick, although first you will need to convert the format of the file to text thusly:
sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist
...and you should probably convert it back afterwards (conversions happen in situ):
sudo plutil -convert binary1 /System/Library/LaunchDaemons/com.apple.syslogd.plist
...then reload the launchd daemon per Doug's instructions.
Afterwards the full plist file should read as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnableTransactions</key>
<true/>
<key>HopefullyExitsLast</key>
<true/>
<key>Label</key>
<string>com.apple.syslogd</string>
<key>MachServices</key>
<dict>
<key>com.apple.system.logger</key>
<true/>
</dict>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/syslogd</string>
</array>
<key>Sockets</key>
<dict>
<key>AppleSystemLogger</key>
<dict>
<key>SockPathMode</key>
<integer>438</integer>
<key>SockPathName</key>
<string>/var/run/asl_input</string>
</dict>
<key>BSDSystemLogger</key>
<dict>
<key>SockPathMode</key>
<integer>438</integer>
<key>SockPathName</key>
<string>/var/run/syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
</dict>
</dict>
</plist>
One more note: if, like me, you want to send your AirPort base stations' (and/or Time Capsules') syslog outputs to your server, they use facility 0, which cannot be changed. This means that they will be automatically logged to /var/log/appfirewall.log because of the following default entry in /etc/syslog.conf:
local0.* /var/log/appfirewall.log
On the Server version of the OS, you can safely change the filename to e.g. AirPort.log once you've issued the following command:
sudo touch /var/log/AirPort.log
...since Apple's Application Firewall (socketfilterfw) is off by default (and should remain off on a server—ipfw is all you really want). I'm not sure if it's possible to reconfigure socketfilterfw to use a different syslog facility.
Solution 3:
Another method of enabling network access to syslogd on Snow Leopard is using the command line program PlistBuddy:
sudo /usr/libexec/PlistBuddy /System/Library/LaunchDaemons/com.apple.syslogd.plist
add :Sockets:NetworkListener dict
add :Sockets:NetworkListener:SockServiceName string syslog
add :Sockets:NetworkListener:SockType string dgram
save
quit
And then restart the daemon:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
You can use lsof to check that syslogd is now listening on the standard syslog port, 514:
$ sudo lsof -i:514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 44u IPv6 0x0e459370 0t0 UDP *:syslog
launchd 1 root 56u IPv4 0x0f7a9ef0 0t0 UDP *:syslog
syslogd 24319 root 5u IPv6 0x0e459370 0t0 UDP *:syslog
syslogd 24319 root 6u IPv4 0x0f7a9ef0 0t0 UDP *:syslog
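An added example, not part of any answer above: a Python check that reads a copy of com.apple.syslogd.plist in either XML or binary form (the two formats Solution 2 mentions) and reports whether the NetworkListener socket is configured, which matters because the lsof output shows it bound to every address (*:syslog). The sample plist is constructed from the one quoted in Solution 2, and the function names are hypothetical.

```python
import plistlib

# Constructed sample: trimmed copy of the plist quoted in Solution 2, with the
# NetworkListener block still commented out as Solution 1 describes.
STOCK_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.syslogd</string>
  <key>Sockets</key>
  <dict>
    <key>BSDSystemLogger</key>
    <dict>
      <key>SockPathMode</key><integer>438</integer>
      <key>SockPathName</key><string>/var/run/syslog</string>
      <key>SockType</key><string>dgram</string>
    </dict>
    <!--
    <key>NetworkListener</key>
    <dict>
      <key>SockServiceName</key><string>syslog</string>
      <key>SockType</key><string>dgram</string>
    </dict>
    -->
  </dict>
</dict></plist>
"""

def audit_sockets(plist_bytes):
    """List launchd sockets from an XML or binary plist (format is auto-detected)."""
    sockets = plistlib.loads(plist_bytes).get("Sockets", {})
    findings = []
    for name, spec in sorted(sockets.items()):
        if "SockPathName" in spec:  # UNIX-domain socket, local clients only
            mode = spec.get("SockPathMode")  # stored in decimal: 438 == 0o666
            findings.append((name, "unix", spec["SockPathName"],
                             oct(mode) if mode is not None else None))
        else:  # no path: a network socket; launchd's SockType default is "stream"
            findings.append((name, "network", spec.get("SockServiceName"),
                             spec.get("SockType", "stream")))
    return findings

def network_listener_enabled(plist_bytes):
    return any(kind == "network" for _, kind, _, _ in audit_sockets(plist_bytes))

def with_listener(plist_bytes, fmt=plistlib.FMT_BINARY):
    """Return a new plist, in memory only, with the NetworkListener entry added."""
    doc = plistlib.loads(plist_bytes)
    doc.setdefault("Sockets", {})["NetworkListener"] = {
        "SockServiceName": "syslog", "SockType": "dgram"}
    return plistlib.dumps(doc, fmt=fmt)
```

Run audit_sockets on the bytes of the real file to confirm the state before and after the change; with_listener never touches the file on disk.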