
HOWTO make a Syslog-Server / syslogd
HOWTO make a syslog server (syslogd) for Unix/Linux, running under Mac OS X 10.4 Tiger. A step-by-step manual.
1. Activate your syslogd for incoming syslogs from external network components such as routers, firewalls, switches or servers.

In the Terminal we modify the startup options for syslogd (/System/Library/LaunchDaemons/com.apple.syslogd.plist).

First we make a backup:

sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist com.apple.syslogd.plist.bak

With pico (or vi or another editor) open the com.apple.syslogd.plist file:

sudo pico /System/Library/LaunchDaemons/com.apple.syslogd.plist

Search for:

<string>/usr/sbin/syslogd</string>

Type in directly below:

<string>-u</string>

Save (ctrl-o) and quit pico (ctrl-x).

This tells syslogd to receive data from external devices over the network on UDP port 514. If the firewall is activated, open this port.

Reboot your Mac, or kill and restart the process with the new start options:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

2. Restore the new functions after a cron restart

The stop and start commands must go in a cron file, which is started automatically by the script /etc/periodic/daily/500.daily:

sudo pico /etc/daily.local

Type in:

launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Save (ctrl-o) and quit pico (ctrl-x).

3. Create the logfiles and set the targets for incoming log data

Each external device should write to its own logfile; we create these with:

sudo touch /var/log/mydevice.log (e.g. firewall_home.log, router_log, switch_log)

Let's make a backup of the configuration file for syslogd, and tell it what will be logged:

sudo cp /etc/syslog.conf syslog.conf.bak
sudo pico /etc/syslog.conf

Add at the end of the conf file:

local1.*                                                /var/log/mydevice.log (e.g. firewall_home.log)

Save (ctrl-o) and quit pico (ctrl-x).

You can use local1 to local7. After the dot comes the filter: * for all, or e.g. err / emerg / notice / info / crit / alert to filter the logs before saving them. Then two tabs and the path to the logfile.

The external device has to know which syslog server and which local number to send its log to. Set the IP address of your new syslog server and local1 to local7 to match the settings in your syslog.conf. Save the settings; sometimes a restart of the device is necessary.
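
To find out which facility a device really sends, so that the selector in syslog.conf matches it, the priority prefix of a captured message can be decoded. The following Python script is an added example, not part of the original HOWTO; its function names are hypothetical, the sample payloads are constructed, and it assumes the standard syslog numbering (PRI = facility * 8 + severity).

```python
import re
import socket

# Facility numbers with the names syslog.conf uses; 12-15 differ between
# platforms, so they are reported by number only.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + n: "local%d" % n for n in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity) names from a raw syslog datagram."""
    match = PRI_RE.match(datagram)
    if not match:
        raise ValueError("datagram does not start with <PRI>")
    pri = int(match.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return FACILITIES.get(facility, "facility%d" % facility), SEVERITIES[severity]

def selector_line(datagram, logfile):
    """Build the syslog.conf line that catches this device's facility."""
    facility, _ = decode_pri(datagram)
    return "%s.*\t\t%s" % (facility, logfile)  # two tabs before the path

def build_message(facility, severity, text):
    """Encode a test message with the PRI for facility.severity."""
    code = {name: num for num, name in FACILITIES.items()}[facility]
    return ("<%d>%s" % (code * 8 + SEVERITIES.index(severity), text)).encode()

def send_test(server_ip, facility="local1", severity="info", text="syslog test"):
    """Send one UDP datagram to port 514 of your own syslog server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(build_message(facility, severity, text), (server_ip, 514))
    finally:
        sock.close()

if __name__ == "__main__":
    # Constructed sample payloads, as they would appear in a packet capture.
    for sample in (b"<142>fw: constructed sample", b"<14>router: constructed sample"):
        print(decode_pri(sample), "->", repr(selector_line(sample, "/var/log/mydevice.log")))
```

Calling send_test with the address of your syslog server and then watching the logfile confirms that the -u option, the firewall rule and the selector all work together.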

4. Log rotation setup

The new logfiles have to be added to the script /etc/periodic/weekly/500.weekly for log rotation. This script kills syslogd, so we restart it with our new parameters. Enlarge your Terminal window first:

sudo pico /etc/periodic/weekly/500.weekly

Search for:

cd /var/log
for i in ftp.log lookupd.log lpr.log mail.log netinfo.log hwmond.log ipfw.log ppp.log etc...

Fill in your own new logfile names, then save and exit pico.

At its end, this script calls /etc/weekly.local; there we restart our syslogd:

sudo cp /etc/daily.local /etc/weekly.local

5. View your logfiles

Do it in the Terminal (tail -f /var/log/mydevice.log)
or take a look via the Finder with the application "Console".


» 3 comments
Comment 3
on Tuesday, 30 September 2008 12:27 by admin
What should I write to  
Syslog Server IP Address to specify the queue (local1) 
 
If you mean your Router or Switch or whatever - take the IP of your Syslog-Server (Mac).
Comment 2
on Tuesday, 30 September 2008 11:58 by meles
Hello Gast! 
 
What should I write to  
Syslog Server IP Address to specify the queue (local1)? 
 
Thx 
 
Csaba
Comment 1
on Thursday, 28 August 2008 13:09 by ~ M ~
. . . 
 
Many Thanks. :o) 
 
(As per tip from Kerry on tomshardware) I just needed to use the 'Facility : user' :  
 
user.* ... /var/log/804hv.log 
 
rather than your :  
 
local1.* ...  
 
and the D-Link DI-804HV VPN Broadband Router messages are now appearing on my Tiger 10.4.9 machine ... shame D-Link's documentation and help are both so poor. 
 
But to your good selves, and to that 'Kerry,' it's a big THANK YOU! :D 
 
M. :o) 
 
...
 