syslog -s [-r host] [-l level] message …
syslog -s [-r host] -k key val [key val] …
syslog -C
syslog [-f file …] [-d dir …] [-B] [-w [n]] [-F format] [-T format] [-E format] expression
syslog [-f file …] [-d dir …] -x file expression
syslog -c process [mask]
syslog -config [options]
syslog -module [name [action]]
syslog -help
DESCRIPTION
     syslog is the command-line utility for the Apple System Log (ASL) facility. It sends messages, views and searches messages, copies messages to an ASL-format data store (the active store lives under /var/log/asl), and controls the flow of messages from client processes.
     Without arguments, syslog outputs all messages from the active data store to standard output, formatted and encoded as described under OUTPUT FORMATS below.
     The syslogd daemon filters and saves messages to files as specified in /etc/syslog.conf and /etc/asl.conf.
     Read access to messages may be restricted to specific users; see the access rules in the asl.conf example below and the EXPRESSIONS section for how messages are selected.
SENDING MESSAGES
     -s         Send a log message. The remaining arguments form the message text (or, with -k, a list of key/value pairs).
     -r host    Send the message to the syslogd on host instead of the local system.
     -l level   Set the priority level of the message. The level may be given as an integer (0-7) or by name:

                     emergency   0
                     alert       1
                     critical    2
                     error       3
                     warning     4
                     notice      5
                     info        6
                     debug       7

     -k key val [key val] …
                Supply the message as explicit ASL key/value pairs instead of plain text.
OUTPUT FORMATS
     -F format  Select the output format. Non-printable and control characters are encoded by default (see ENCODING below), so a message containing tabs or newlines prints as escape sequences rather than as broken lines. format may be:

          bsd   The format used for /var/log/system.log.
          std   The standard (default) format. Similar to bsd, but the priority level is included between angle brackets, as in <Notice>.
          xml   An XML property list. Each message is represented as a dictionary in an array; dictionary keys are the message keys and dictionary values are strings.
          raw   The complete message structure. Each key/value pair is enclosed in square brackets; embedded closing brackets and white space are escaped. Time stamps are output as seconds since the epoch.

     The bsd, std, and raw formats may be followed by a dot and an integer n to print n digits of sub-second time, taken from the TimeNanoSec key of the ASL message, for example:

          syslog -F std.4

     Any other value of format is treated as a custom format string. Within it, $Name, $(Name), or $((Name)(format)) is expanded to the value associated with the named key; the third form also applies a conversion to that value. $((Level)(str)) prints the priority level by name rather than as an integer, and $((Time)(utc.6)) prints the time stamp in UTC with six sub-second digits (see -T for the time formats). For example, the command

          syslog -F '$Time $Host $(Sender)[$(PID)] <$((Level)(str))>: $Message'

     produces output similar to std, as does

          syslog -F '$((Time)(utc.6)) $Host $(Sender)[$(PID)] <$((Level)(str))>: $Message'

     except that the latter prints UTC time stamps with microsecond precision.
     -T format  Control the format used for time stamps. When a custom -F format is not used, time values are generally converted to local time. Values of format include:

          sec or raw   Seconds since the epoch.
          utc          Coordinated Universal Time.

     Each of the formats may be followed by a dot and an integer to display that many digits of sub-second time. For example:

          syslog -T bsd.3

     -u         A short form for -T utc.
ENCODING
     Text in the std, bsd, and raw formats is encoded as vis(1) does with the -c option: newlines and tabs are encoded as "\n" and "\t" respectively, and other non-printable characters as C-style backslash escapes. In the raw format, spaces in log message keys are encoded as "\s" and embedded brackets are escaped as "\[" and "\]".
     XML output requires that keys be valid UTF-8 strings; a key that is not is ignored and its value is not output. Valid UTF-8 values are output as strings. Ampersand, less-than, greater-than, quotation mark, and apostrophe characters are encoded according to XML conventions, and control characters are encoded as "&#xNN;" where NN is the hexadecimal value. Values that are not legal UTF-8 are encoded in base-64 and printed as data objects.

     -E format  Explicitly control the text encoding. format may be one of:

          vis   The vis(1) -c style encoding described above (the default).
          safe  A lighter encoding intended only to prevent obvious message spoofing or damage.
          none  No encoding.

     The appearance of printed messages depends on terminal settings and UTF-8 string handling. Messages printed with the safe or none encodings may be garbled or subject to manipulation through control characters and control sequences embedded in user-supplied message text, for example a newline followed by text that imitates a second log entry, or a terminal escape sequence that erases part of the line. Use the vis encoding to view messages whenever there is any suspicion that message text may have been crafted to manipulate the printed representation.
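The custom -F expansion and the vis versus none encodings described above, as an added example in Python (this is not Apple's syslog code). It assumes a vis(1) -c style escape set in which bytes outside printable ASCII become three-digit octal escapes, renders utc time stamps as YYYY-MM-DD HH:MM:SSZ, expands a bare $Time as epoch seconds for determinism (syslog itself prints local time), and leaves the "safe" encoding unmodelled; the message, host and sender values are constructed so that the message text imitates a forged second log line.

```python
"""-F custom format expansion and the text encodings syslog(1) applies when it
prints a message. Added example, not Apple's code; the escape set and the utc
layout are assumptions noted in the comments."""
import re
from datetime import datetime, timezone

LEVEL_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
               "Notice", "Info", "Debug"]
# C-style escapes as vis(1) -c emits them; every other byte outside printable
# ASCII is assumed to become a three-digit octal escape (vis(1)'s default).
C_ESCAPES = {0x0a: "\\n", 0x09: "\\t", 0x0d: "\\r", 0x08: "\\b", 0x07: "\\a",
             0x0b: "\\v", 0x0c: "\\f", 0x5c: "\\\\"}


def vis_encode(text):
    """Encode text the way the std, bsd and raw formats do by default."""
    out = []
    for b in text.encode("utf-8"):
        if b in C_ESCAPES:
            out.append(C_ESCAPES[b])
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def encode(text, encoding):
    """-E vis (the default) neutralises control characters; -E none passes them
    through, which is what lets message text forge extra lines."""
    if encoding == "vis":
        return vis_encode(text)
    if encoding == "none":
        return text
    raise ValueError("unsupported encoding %r" % encoding)


# $((Name)(format)) | $(Name) | $Name
FIELD_RE = re.compile(r"\$\(\((\w+)\)\((\w+(?:\.\d+)?)\)\)|\$\((\w+)\)|\$(\w+)")


def fmt_time(ts, nsec, spec):
    """sec/raw: seconds since the epoch; utc: assumed 'YYYY-MM-DD HH:MM:SSZ'.
    A '.n' suffix appends n digits taken from the TimeNanoSec key."""
    base, _, digits = spec.partition(".")
    frac = "." + ("%09d" % nsec)[:int(digits)] if digits else ""
    if base in ("sec", "raw"):
        return "%d%s" % (ts, frac)
    if base == "utc":
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        return stamp + frac + "Z"
    raise ValueError("unsupported time format %r" % spec)


def expand(fmt, msg, encoding="vis"):
    """Expand a custom -F format string against one message (a dict of ASL keys).
    Assumptions: a missing key expands to nothing and a bare $Time prints epoch
    seconds (syslog itself converts to local time)."""
    def sub(m):
        key = m.group(1) or m.group(3) or m.group(4)
        spec = m.group(2)
        if key not in msg:
            return ""
        if key == "Time":
            return fmt_time(int(msg["Time"]), int(msg.get("TimeNanoSec", 0)), spec or "sec")
        if key == "Level" and spec == "str":
            return LEVEL_NAMES[int(msg["Level"])]
        return encode(str(msg[key]), encoding)
    return FIELD_RE.sub(sub, fmt)


# Constructed message: the text ends one line and starts a forged second one,
# then tries to erase the rest of the terminal line with ESC [ K.
FORGED_TEXT = ("session opened for user guest\n"
               "<Notice>: sshd[402]: Accepted publickey for root from 10.0.0.9\x1b[K")
SAMPLE = {"Time": 1700000000, "TimeNanoSec": 123456789, "Host": "mbp",
          "Sender": "loginwindow", "PID": 318, "Level": 5, "Message": FORGED_TEXT}
STD_LIKE = "$((Time)(utc.6)) $Host $(Sender)[$(PID)] <$((Level)(str))>: $Message"

if __name__ == "__main__":
    print("vis :", expand(STD_LIKE, SAMPLE, "vis"))    # one line, escapes visible
    print("none:", expand(STD_LIKE, SAMPLE, "none"))   # two lines, second one forged
```

With the vis encoding the forged line stays inside a single record as the literal text `\n<Notice>: sshd[402]: ...\033[K`; with none it renders as two plausible records, which is exactly the manipulation the man page warns about.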
     If no further command line options are specified, syslog displays all messages, or with -x copies all messages to a data store file. An expression built from the -k and -o options restricts the output to matching messages.

EXPRESSIONS
     Expressions specify matching criteria and are used to search for messages of interest. A simple expression has the form:

          -k key [[op] val]

     The -k option may be followed by one, two, or three arguments. A single argument matches any message that has the specified key, regardless of value. Two arguments match when the message has exactly the specified value for the given key. For example, to find all messages sent by the portmap process:

          syslog -k Sender portmap

     The -C option is an alias for the expression

          -k Facility com.apple.console

     and provides a quick way to search for console messages.

     Three arguments have the form -k key operation value. syslog supports the following matching operators:

          eq   equal
          ne   not equal
          gt   greater than
          ge   greater than or equal to
          lt   less than
          le   less than or equal to

     The operator may be preceded by one or more of the following modifiers:

          C    case-fold
          R    regular expression (see regex(3))
          S    substring
          A    prefix
          Z    suffix
          N    numeric comparison

     More complex search expressions are built by combining two or more simple expressions. An expression with more than one "-k key [[op] val]" term matches a message only if every key-value operation matches; the result is the logical AND of the terms. For example:

          syslog -k Sender portmap -k Time ge -2h

     finds all messages sent by portmap in the last 2 hours (-2h means "two hours ago").

     The -o option provides an OR operation for still more complex searches. If two or more sub-expressions are given, separated by -o options, a message matches if it matches any of the sub-expressions. For example, to find all messages that either have a Sender value of portmap or have a numeric priority level of 4 or less:

          syslog -k Sender portmap -o -k Level Nle 4

     Priority levels are handled internally as integers between 0 and 7. Level values in expressions may be given either as integers or as their string equivalents (see the table of level names in SENDING MESSAGES), so the query above may also be written:

          syslog -k Sender portmap -o -k Level Nle warning

     A special convention exists for matching time stamps. An unsigned integer value is taken as that many seconds since 0 hours, 0 minutes, 0 seconds, January 1, 1970, Coordinated Universal Time. A negative integer value is taken as that many seconds before the current time. For example, to find all messages at numeric level 3 (Error) or lower, that is, Error or more severe, which were logged in the last 30 seconds:

          syslog -k Level Nle error -k Time ge -30

     A relative time value may optionally be followed by one of the characters "s", "m", "h", "d", or "w" to specify seconds, minutes, hours, days, or weeks respectively; upper case is accepted equivalently. A week is taken to be 7 complete days (604800 seconds).
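The matching rules above (presence test, exact match, operators with C/R/S/A/Z/N modifiers, AND within a sub-expression, OR across -o, level names, and absolute or relative time stamps), as an added reference implementation in Python; it is not Apple's code. It assumes that level names are accepted wherever a Level value is compared and that only the literal tokens -k, -o and -C are treated as options, so a value such as -2h is never mistaken for a flag; the sample messages and the fixed "current time" are constructed for the demonstration.

```python
"""Reference matcher for syslog(1) -k/-o search expressions over ASL-style
messages (dicts keyed by ASL field name). Added example, not Apple's code."""
import re

LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}   # a week = 7 days
OP_RE = re.compile(r"^([CRSAZN]*)(eq|ne|gt|ge|lt|le)$")
CMP = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
       "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b,
       "lt": lambda a, b: a < b, "le": lambda a, b: a <= b}


def parse_time(val, now):
    """Unsigned integer: seconds since the epoch. Negative integer: seconds
    before `now`, optionally suffixed s/m/h/d/w in either case."""
    m = re.fullmatch(r"-(\d+)([smhdw]?)", val, re.IGNORECASE)
    if m:
        return now - int(m.group(1)) * UNITS[(m.group(2) or "s").lower()]
    return int(val)


def parse_expression(argv):
    """Return AND-groups (one per -o separated sub-expression); each term is
    (key, modifiers, op, value), with op None for a bare '-k key' test.
    Assumption: only -k, -o and -C are options, so '-2h' is a plain value."""
    groups, cur, i = [], [], 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-o":
            groups.append(cur)
            cur, i = [], i + 1
        elif tok == "-C":                          # alias: -k Facility com.apple.console
            cur.append(("Facility", "", "eq", "com.apple.console"))
            i += 1
        elif tok == "-k":
            key, args, j = argv[i + 1], [], i + 2
            while j < len(argv) and argv[j] not in ("-k", "-o", "-C") and len(args) < 2:
                args.append(argv[j])
                j += 1
            if len(args) == 2 and OP_RE.match(args[0]):
                mods, op = OP_RE.match(args[0]).groups()
                cur.append((key, mods, op, args[1]))
            elif args:                             # two-argument form: exact match
                cur.append((key, "", "eq", args[0]))
                j = i + 3
            else:
                cur.append((key, "", None, None))
            i = j
        else:
            raise ValueError("unexpected argument %r" % tok)
    groups.append(cur)
    return groups


def match_term(msg, term, now):
    key, mods, op, val = term
    if key not in msg:
        return False
    if op is None:
        return True
    have = msg[key]
    if key == "Time":                              # time stamps compare numerically
        have, val, mods = int(have), parse_time(val, now), mods + "N"
    elif key == "Level":                           # level names map to 0..7
        have, val, mods = int(have), LEVELS.get(str(val).lower(), val), mods + "N"
    if "N" in mods:
        return CMP[op](float(have), float(val))
    a, b = str(have), str(val)
    if "R" in mods:
        hit = re.search(b, a, re.IGNORECASE if "C" in mods else 0) is not None
    else:
        if "C" in mods:
            a, b = a.lower(), b.lower()
        if "S" in mods:
            hit = b in a
        elif "A" in mods:
            hit = a.startswith(b)
        elif "Z" in mods:
            hit = a.endswith(b)
        else:
            return CMP[op](a, b)                   # plain string comparison
    return not hit if op == "ne" else hit          # R/S/A/Z pair with eq or ne


def search(argv, messages, now):
    """Indices of messages matching the expression. An empty expression
    matches everything, as syslog(1) does without -k/-o."""
    groups = parse_expression(argv)
    return [i for i, m in enumerate(messages)
            if any(all(match_term(m, t, now) for t in g) for g in groups)]


NOW = 1700000000                                   # fixed "current time" for the demo
MESSAGES = [                                       # constructed, not real log data
    {"Time": NOW - 10, "Sender": "portmap", "PID": 71, "Level": 6,
     "Facility": "daemon", "Message": "request from 10.0.0.5"},
    {"Time": NOW - 7205, "Sender": "portmap", "PID": 71, "Level": 3,
     "Facility": "daemon", "Message": "bind failed"},
    {"Time": NOW - 20, "Sender": "sshd", "PID": 402, "Level": 3,
     "Facility": "auth", "Message": "Failed password for root"},
    {"Time": NOW - 100, "Sender": "kernel", "PID": 0, "Level": 5,
     "Facility": "com.apple.console", "Message": "console login"},
]

if __name__ == "__main__":
    for argv in (["-k", "Sender", "portmap", "-k", "Time", "ge", "-2h"],
                 ["-k", "Sender", "portmap", "-o", "-k", "Level", "Nle", "warning"],
                 ["-k", "Level", "Nle", "error", "-k", "Time", "ge", "-30"]):
        print(" ".join(argv), "->", search(argv, MESSAGES, NOW))
```

The second sample message is 7205 seconds old, so it is excluded by `-k Time ge -2h` but included by the OR query, which matches it on Sender; running the three man-page queries against these four records shows the AND/OR precedence and the level-name conversion working together.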
FILTERING
     Each process has a local filter mask that selects which priority levels it sends to syslogd. Two remote-control filters can override it:

     Master filter mask
          Addressed by PID 0. The master filter mask is normally "off", meaning that it has no effect. A value set for the master filter mask overrides the local filter mask of all processes. Root access is required to set the master filter mask.

     Process filter mask
          Addressed by PID or by process name. It overrides both the local and the master filter mask for that process.

     -c 0|PID|name [mask]
          With mask omitted, print the current filter mask of the master filter (0) or of the given process; otherwise set it. See also /etc/asl.conf and asl.conf(5).

     When the remote-control mechanism is used to change the filter of a process, syslogd saves any messages received from that process until the remote-control filter is turned off.
CONFIGURATION
     -config [options]
          With no options, print the current syslogd configuration. With options, change configuration parameters temporarily, that is, without editing /etc/asl.conf. For example, to temporarily disable the kernel message-per-second limit:

               syslog -config mps_limit 0

          Only the superuser may change configuration parameters.

     -config reset
          Discard temporary changes and return to the configuration read from /etc/asl.conf.

ASL OUTPUT MODULES
     /etc/asl.conf represents the system's primary output module, and is given the name "com.apple.asl". A sample:

          # configuration file for syslogd and aslmanager
          ##
          # aslmanager logs
          > /var/log/asl/Logs/aslmanager external style=lcl-b ttl=2
          # authpriv messages are root/admin readable
          ? [= Facility authpriv] access 0 80
          # remoteauth critical, alert, and emergency messages are root/admin readable
          ? [= Facility remoteauth] [<= Level critical] access 0 80
          # broadcast emergency messages
          ? [= Level emergency] broadcast
          # save kernel [PID 0] and launchd [PID 1] messages
          ? [<= PID 1] store
          # ignore "internal" facility
          ? [= Facility internal] ignore
          # save everything from emergency to notice
          ? [<= Level notice] store
          # Rules for /var/log/system.log
          > system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
          ? [= Sender kernel] file system.log
          ? [<= Level notice] file system.log
          ? [= Facility auth] [<= Level info] file system.log
          ? [= Facility authpriv] [<= Level info] file system.log
          # Facility com.apple.alf.logging gets saved in appfirewall.log
          ? [= Facility com.apple.alf.logging] file appfirewall.log file_max=5M all_max=50M

     Other modules are read from files in /etc/asl; the file names serve as module names. A typical installation carries modules such as com.apple.MessageTracer, com.apple.authd, com.apple.cdscheduler, com.apple.contacts.ContactsAutocomplete, com.apple.coreduetd, com.apple.eventmonitor, com.apple.install, com.apple.iokit.power, com.apple.login.guest, com.apple.mail, com.apple.mkb, com.apple.mkb.internal, com.apple.networking.boringssl, and com.apple.performance.

     -module [name [action]]
          With no arguments, syslog lists all loaded ASL Output Modules together with their files and ASL store directories, their configuration rules, and whether each is currently enabled or disabled. With a name, only that module is shown. action may be:

          enable, disable
               Enable or disable the named module:

                    syslog -module name enable
                    syslog -module name disable

               The name '*' (including the quotes, so the shell does not expand it) changes the status of all Output Modules except the primary com.apple.asl module, which must be enabled or disabled by specifying its name. Only the superuser (root) may enable or disable a module.

          checkpoint
               Checkpoint (close and rotate) the module's output files.
SEE ALSO
     log(1), logger(1), asl(3), syslog(3), asl.conf(5), syslogd(8)