How do you enable syslogd to accept incoming connections on Snow Leopard from remote loggers?

Solution 1:

I haven't tried this, but I looked in the plist for syslogd (/System/Library/LaunchDaemons/com.apple.syslogd.plist) and see this part commented out:

<!--
        Un-comment the following lines to enable the network syslog protocol listener.
-->
<!--
        <key>NetworkListener</key>
        <dict>
                <key>SockServiceName</key>
                <string>syslog</string>
                <key>SockType</key>
                <string>dgram</string>
        </dict>
-->

Remove the comments and then reload the service:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

and you're likely on your way.


Answer to your secondary question -- newsyslog is similar to logrotate, often found on Linux systems. man newsyslog (or online) will tell you more.

As installed with Snow Leopard, it is run every 30 minutes by launchd per this bit in its plist:

<key>StartCalendarInterval</key>
<dict>
    <key>Minute</key>
    <integer>30</integer>
</dict>

Solution 2:

Note that if you're trying to do this on a Snow Leopard Server machine (at least with 10.6.4), you'll find that there is no commented-out section in /System/Library/LaunchDaemons/com.apple.syslogd.plist (and that the plist file is stored in a binary format).

However, copying and pasting the key that Doug quotes above will do the trick, although first you will need to convert the format of the file to text thusly:

sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist

...and you should probably convert it back afterwards (conversions happen in situ):

sudo plutil -convert binary1 /System/Library/LaunchDaemons/com.apple.syslogd.plist

...then reload the launchd daemon per Doug's instructions.

Afterwards the full plist file should read as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnableTransactions</key>
    <true/>
    <key>HopefullyExitsLast</key>
    <true/>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>MachServices</key>
    <dict>
        <key>com.apple.system.logger</key>
        <true/>
    </dict>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/syslogd</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>AppleSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/asl_input</string>
        </dict>
        <key>BSDSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
        <key>NetworkListener</key>
        <dict>
            <key>SockServiceName</key>
            <string>syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>

One more note: if, like me, you want to send your AirPort base stations' (and/or Time Capsules') syslog outputs to your server, they use facility 0, which cannot be changed. This means that they will be automatically logged to /var/log/appfirewall.log because of the following default entry in /etc/syslog.conf:

local0.*                                               /var/log/appfirewall.log

On the Server version of the OS, you can safely change the filename to e.g. AirPort.log once you've issued the following command:

sudo touch /var/log/AirPort.log

...since Apple's Application Firewall (socketfilterfw) is off by default (and should remain off on a server—ipfw is all you really want). I'm not sure if it's possible to reconfigure socketfilterfw to use a different syslog facility.
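The plist edit described in the answers on this page, as an added example that is not part of any of the original answers: it adds the Sockets:NetworkListener entry to a copy of the syslogd plist whether the file is XML or binary, writes it back in the format it arrived in, and changes nothing if the listener is already there. The function names and the cut-down sample plist are assumptions made for illustration; it assumes Python 3 with the standard plistlib module.

```python
import plistlib

# Keys and values exactly as quoted in the answers on this page.
LISTENER = {"SockServiceName": "syslog", "SockType": "dgram"}

# Constructed sample: a cut-down syslogd plist without the listener,
# in both on-disk formats mentioned on this page.
_STOCK = {
    "Label": "com.apple.syslogd",
    "ProgramArguments": ["/usr/sbin/syslogd"],
    "Sockets": {
        "BSDSystemLogger": {
            "SockPathMode": 438,
            "SockPathName": "/var/run/syslog",
            "SockType": "dgram",
        },
    },
}
SAMPLE_XML = plistlib.dumps(_STOCK, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(_STOCK, fmt=plistlib.FMT_BINARY)


def sockets_of(data):
    """Return the Sockets dict of a plist given as XML or binary bytes."""
    return plistlib.loads(data).get("Sockets", {})


def enable_network_listener(data):
    """Add Sockets:NetworkListener; return (new_bytes, changed)."""
    binary = data.startswith(b"bplist00")
    plist = plistlib.loads(data)  # auto-detects XML vs. binary
    if plist.get("Label") != "com.apple.syslogd":
        raise ValueError("not the com.apple.syslogd launchd plist")
    sockets = plist.setdefault("Sockets", {})
    if sockets.get("NetworkListener") == LISTENER:
        return data, False  # already enabled: leave the bytes untouched
    sockets["NetworkListener"] = dict(LISTENER)
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(plist, fmt=fmt), True


if __name__ == "__main__":
    for name, blob in (("xml", SAMPLE_XML), ("binary", SAMPLE_BINARY)):
        out, changed = enable_network_listener(blob)
        print(name, changed, sorted(sockets_of(out)))
```
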

Solution 3:

Another method of enabling network access to syslogd on Snow Leopard is using the command line program PlistBuddy,

sudo /usr/libexec/PlistBuddy /System/Library/LaunchDaemons/com.apple.syslogd.plist
add :Sockets:NetworkListener dict
add :Sockets:NetworkListener:SockServiceName string syslog
add :Sockets:NetworkListener:SockType string dgram
save
quit

And then restart the daemon,

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

You can use lsof to check that syslogd is now listening on the standard syslog port, 514,

$ sudo lsof -i:514
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
launchd     1 root   44u  IPv6 0x0e459370      0t0  UDP *:syslog
launchd     1 root   56u  IPv4 0x0f7a9ef0      0t0  UDP *:syslog
syslogd 24319 root    5u  IPv6 0x0e459370      0t0  UDP *:syslog
syslogd 24319 root    6u  IPv4 0x0f7a9ef0      0t0  UDP *:syslog
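A way to confirm the listener actually accepts datagrams once lsof shows it bound, as an added example that is not part of the original answers: it builds a minimal BSD-syslog (RFC 3164) datagram for local0.notice, the facility the /etc/syslog.conf entry quoted above routes to a file, and sends it over UDP. The function names, the tag and the loopback self-check are assumptions for illustration. The listener is plain UDP with no authentication, so the same datagram is accepted from any host that can reach port 514, which is the reason to limit that port to known senders at the firewall.

```python
import socket

LOCAL0 = 16   # RFC 3164 facility code for local0
NOTICE = 5    # RFC 3164 severity code for notice


def build_message(facility, severity, tag, text):
    """Return '<PRI>tag: text' as bytes; PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    # RFC 3164 limits a packet to 1024 bytes; the receiver adds time and host.
    return f"<{pri}>{tag}: {text}".encode("ascii", "replace")[:1024]


def send_test(host, port=514, text="network listener test"):
    """Send one local0.notice datagram to host:port and return the payload."""
    payload = build_message(LOCAL0, NOTICE, "listener-test", text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(payload, (host, port))
    return payload


def loopback_check():
    """Self-check against a throwaway UDP socket on 127.0.0.1 (no root needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))      # ephemeral port stands in for 514
        rx.settimeout(2)
        port = rx.getsockname()[1]
        sent = send_test("127.0.0.1", port)
        received, _ = rx.recvfrom(2048)
    return sent, received


if __name__ == "__main__":
    sent, received = loopback_check()
    print("delivered" if sent == received else "mismatch", received)
```

To test the real listener, call send_test with the server's address from another machine and look for the line in the file that local0.* is routed to.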