HOWTO make a Syslog Server (syslogd) for Unix/Linux, running under Mac OSX 10.4 Tiger. A step by step Manual.
1. Activate your syslogd for incoming syslogs from external Network-Components such as Router, FireWall, Switches oder Servers.

With the Terminal we modify the startup-options for syslogd (/System/Library/LaunchDaemons/com.apple.syslogd.plist)

First we make a backup:

sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist com.apple.syslogd.plist.bak

with pico (or vi or other editor) open the com.apple.syslogd.plist file:

sudo pico /System/Library/LaunchDaemons/com.apple.syslogd.plist

Search for:

<string>/usr/sbin/syslogd</string>

type in directly below:

<string>-u</string>

save (ctrl-o) and quit pico (ctrl-x)

This tells the process on UDP Port 514 to receive data external over Network. Open the firewall, if activated for this port.

Reboot your Mac, or kill and restart the process with the new startoptions:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

2. Restore the new Funktions after a cron-restart

Stop and Start must in a cron-file, startet from Script /etc/periodic/daily/500.daily automaticly

sudo pico /etc/daily.local

Type in:

launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sleep 1
launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

save (ctrl-o) and quit pico (ctrl-x)

3. Create the logfies and set the targets for incoming logdata

Any external Device shoudt write in his own logfie, we create these with:

sudo touch /var/log/mydevice.log (i.e. firewall_home.log, router_log, switch_log)

Let´s´mak a backup from the preference-file for the syslogd, and tell him what will be logged:

sudo cp /etc/syslog.conf syslog.conf.bak
sudo pico /etc/syslog.conf

Fill in on the end of the conf-file:

local1.*                                                /var/log/mydevice.log (i.e. firewall_home.log)

save (ctrl-o) and quit pico (ctrl-x)

You can use local1 to local7, after the dot stands the filter, * for all, with i.e. err / emerg / notice / info / crit /alert you filter the logs before saving them. Two tabs and then the path to the logfile.

The external Device hast to know to wich syslog server and in wich local-number to send his log. Set up the IP Adress of your new syslogserver and local1 to local7 suitably to the settings in yout syslog.conf. Save Settings, sometimes a restart of the Device is neccesarry.

4. Logrotation Setup

In the script /etc/periodic/weekly/500.weekly the new logfiles has to inserted for logrotation. This script kills the syslogd, we make a newstart with our new parameters. Make a bigger window size for your Terminal-Window:

sudo pico /etc/periodic/weekly/500.weekly

Search for

cd /var/log
for i in ftp.log lookupd.log lpr.log mail.log netinfo.log hwmond.log ipfw.log ppp.log etc...

fill in your own new logfile-names, save and exit pico

These Script opens on the end of the cronjob /etc/weekly.local, here we make a new start of our syslogd:

sudo cp /etc/daily.local /etc/weekly.local

5. Look up your Logfiles

Do it by terminal (tail -f /var/log/mydevice.log)
or take a look via Finder with the Application "Console".


CDX | Netzwerk Service | Apple Service | Computer Service