Mac OS X version

syslog

Sends and reads messages in the system's log message data store;

controls message filters; displays configuration and modules.

Sending a message to the syslog daemon

syslog -s [-r host] [-l level] message

syslog -s [-r host] -k key value [key value ...]

-s send a message (the logger command does the same)
-r host send to a remote syslog server (see syslog.conf)
-l level set the log level (priority) of the message: a number 0-7 from the table below, or a name such as Alert
    Emergency (0)    note: counter-intuitively, Emergency has a lower level number than Debug.
    Alert     (1)
    Critical  (2)
    Error     (3)
    Warning   (4)
    Notice    (5)
    Info      (6)
    Debug     (7)
A level name may be abbreviated to its first one or two characters;
use Em for Emergency and Er for Error.

Examples:

syslog -s -l Er "Cannot mount /dev/disk0s14"
produces this entry (as displayed by Kiwi):
2012-03-30 21:33:24 Kernel.Emerg smackerPro.germans syslog[71032]:Cannot mount /dev/disk0s14

syslog -s -r DaLogger@example.com -l Em -k Facility eq mail "sent trhough LAN -l Em"
produces this entry (as displayed by Kiwi):
O2012-03-30 21:51:12 Local7.Debug smackerPro.germans 107 [Sender syslog] [Level 0] [Facility eq] [mail sent trhough LAN -l Em] [Time 1333158663] [Host smackerPro]<000>

-k key val [key val ...]
  send a structured message with the given keys and values as arguments.
  A key or value containing white space must be enclosed in quotes.

Reading messages

syslog [-w] [-F format] [-u] expression

With no arguments, syslog displays all messages in the data store whose level is below Info (6).
Note the counter-intuitive ordering: Error (3) has a lower level number than Info.
That is, it shows notices, warnings, errors, criticals, alerts and emergencies.

-w display the last 36 messages and then wait for new messages (similar to watching a log file with: tail -f /var/log/system.log)
-u display time stamps in UTC
-F format
  • std Standard (default) format; similar to bsd but includes the message priority level, e.g.:
    Sat Jul 10 18:29:24 smackerpro login[20636] <Notice>: USER_PROCESS: 20636 ttys006
    Sat Jul 10 18:41:17 smackerpro Activity Monitor[209] 
            <Error>: kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
    Sat Jul 10 18:41:17 smackerpro \[0x0-0xa00a\].com.apple.ActivityMonitor[209] 
            <Notice>: Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] <Error>: 
        kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface
    
  • bsd Format used by the syslogd daemon for system log files, e.g. /var/log/system.log.
  • raw Prints the complete message structure.
    Each key/value pair is enclosed in square brackets. Embedded closing brackets and white space are escaped.
    Time stamps are printed using UTC.

    [Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [GID 20] [Level 5]
     [Message USER_PROCESS: 20636 ttys006]
     [ASLMessageID 283631] [TimeNanoSec 683290000] [Facility com.apple.system.lastlog]
     [ut_user dgerman] [ut_id s006] [ut_line ttys006] [ut_pid 20636] [ut_type 7] [ut_tv.tv_sec 1278800964] [ut_tv.tv_usec 682818]
     [ASLExpireTime 1310423364]
    [Time 1278801677] [Host smackerpro] [Sender Activity Monitor] [PID 209] [UID 501] [GID 20] [Level 3]
      [Message kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283632] [TimeNanoSec 350398000] [Facility com.apple.coregraphics]
    [Time 1278801677] [Host smackerpro] [Sender \[0x0-0xa00a\].com.apple.ActivityMonitor] [PID 209] [UID 501] [GID 20] [Level 5]
                [Message Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\] <Error>:
              kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
     [ASLMessageID 283633] [TimeNanoSec 363177000] [ReadUID 501] [Facility com.apple.console] [Session Aqua]

Custom format strings may include variables of the form $Name (or $(Name) if the key is not delimited by whitespace). For example:

syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'

produces output:

 May 26 01:43:51 smacker Software Update[19720]: __choice_su_visible returned wrong type (())
 May 26 14:56:10 localhost mDNSResponder-108.5 (May  9 2007 15[-1]: 08:01)[63]: starting
 May 26 14:56:18 localhost DirectoryService[80]: Launched version 2.1 (v353.6)
 May 26 14:56:22 localhost mDNSResponder[-1]: Adding browse domain local.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
 May 26 14:56:22 localhost configd[67]: initCardWithStoredPrefs failed.
 May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003 
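The raw format and the custom $Key format string described above, as an added example (not code from this page or from Apple): a small Python parser for `syslog -F raw` lines that unescapes `\[` and `\]`, plus a renderer for format strings such as `$Time $Host $(Sender)[$(PID)]: $Message`. It assumes Time is rendered as a UTC date (as with -u) and that a key missing from a record expands to an empty string; the sample lines are constructed.

```python
import re
import time

# Hypothetical parser for `syslog -F raw` lines and renderer for -F custom format
# strings, written for this page (not Apple's code).  A record is a dict of ASL keys.

def parse_raw_line(line):
    """Parse one raw line of [Key value] pairs; a backslash escapes ], [ or \\ inside a pair."""
    rec, i, n = {}, 0, len(line)
    while i < n:
        if line[i] != "[":                        # skip whitespace between pairs
            i += 1
            continue
        i, buf = i + 1, []
        while i < n and line[i] != "]":
            if line[i] == "\\" and i + 1 < n:     # escaped character: keep it literally
                i += 1
            buf.append(line[i])
            i += 1
        i += 1                                    # consume the closing ]
        key, _, value = "".join(buf).partition(" ")  # key ends at the first space
        rec[key] = value
    return rec

def parse_raw(text):
    """One record per non-blank line (raw output prints each message on one line)."""
    return [parse_raw_line(l) for l in text.splitlines() if l.strip()]

_VAR = re.compile(r"\$\((\w+)\)|\$(\w+)")          # $(Key) or $Key

def render(rec, fmt, utc=True):
    """Expand format variables; Time becomes a date like the std format (assumptions:
    UTC as with -u, and a key missing from the record expands to an empty string)."""
    def sub(m):
        key = m.group(1) or m.group(2)
        if key not in rec:
            return ""
        if key == "Time":
            t = int(rec["Time"])
            return time.strftime("%b %d %H:%M:%S", time.gmtime(t) if utc else time.localtime(t))
        return rec[key]
    return _VAR.sub(sub, fmt)

# Constructed sample (modelled on the raw output above; not real log data).
SAMPLE = r"""
[Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [Level 5] [Message USER_PROCESS: 20636 ttys006]
[Time 1278801677] [Host smackerpro] [Sender \[0x0-0xa00a\].com.apple.ActivityMonitor] [PID 209] [Level 5] [Message Activity Monitor\[209\] <Error>: kCGErrorFailure]
"""
FMT = "$Time $Host $(Sender)[$(PID)]: $Message"
```

Calling `render(r, FMT)` for each record in `parse_raw(SAMPLE)` reproduces the one-line-per-message layout shown above.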

-k key [[operator] value]
  • -k key                  message has the specified key, regardless of value.
  • -k key value            message has exactly the specified value for the key.
  • -k key operator value   compare the key's value using the operator (see Expressions below).
Keys include: Time, Sender, Facility, Level, Host, PID, Message (case sensitive).

Expressions

Specify matching criteria to filter for messages of interest.

A simple expression is a list of one or more key/value pairs.

Operators:
  eq  equal                 ne  not equal
  gt  greater than          ge  greater than or equal to
  lt  less than             le  less than or equal to
The operator may be preceded by one or more of:
  A  prefix match      S  substring match      Z  suffix match
  C  case-fold
  R  regular expression (see regex(3))
  N  numeric comparison: Neq, Nne, Ngt, Nle, …

For example, to find messages sent by portmap:

syslog -k Sender portmap

Messages containing "Could not":

syslog -k Message Seq "Could not"

Multiple simple expressions match a message only if every key/value operation matches, i.e. they are ANDed together:

syslog -k Sender com.apple.launchd -k Level eq Emergency

-o separates simple expressions and ORs them together.

To find all messages which have either a Sender of portmap or a numeric priority level of 4 or less:

syslog -k Sender portmap -o -k Level Nle 4

For matching time stamps, a negative integer is the number of seconds before the current time.
To find all messages of priority level 3 (error) or greater which were logged in the last 5 minutes (300 seconds):

syslog -k Level Ngt 3 -k Time ge -300

A relative time value may optionally be followed by s, m, h, d, or w to specify seconds, minutes, hours, days, or weeks. A week is 7 complete days (604800 seconds), not "since Sunday".
An unsigned integer value is the number of seconds since the epoch (00:00:00, January 1, 1970, Coordinated Universal Time).

-help

Filtering Controls

It appears, by inspection, that as of 4/2/17 no processes have filters set.

Clients of the "System Log Facility" (using either the asl or syslog interfaces) have a log filter mask which specifies if messages should be sent for each priority level.

syslog -c process [mask] [-s [on|off]] [-t [on|off]]

process   a pid, a name, or 0 (for the master flags); the process must be currently running

> /usr/bin/syslog -c systemstats
Process 208 syslog settings: 0x00000000 OFF / 0x00 Off

mask      any combination of the letters p a c e w n i d, standing for
          Emergency (Panic), Alert, Critical, Error, Warning, Notice, Info, Debug;
          a minus sign preceding a single letter means "up to" that level

Use "-c process off" to deactivate the current settings.

-s ASL messages
-t Activity Tracing messages

A value set for the Master filter overrides the local filter for all processes.

To display the setting of the Master filter mask:

        > /usr/bin/syslog -c 0
        Master settings: 0x00000000 OFF / 0x00 Off 
        > sudo /usr/bin/syslog -c 0 d -t on
        > /usr/bin/syslog -c 0
        Master settings: 0x00070080 ON  ASL TRACE / 0x80 Debug
The master filter may be unset with:

sudo /usr/bin/syslog -c 0 off

To disable Debug and Info messages ,
To set the master filter so that all processes log messages from Emergency up to Debug:

sudo /usr/bin/syslog -c 0 -d

A filter mask may also be specified for an individual process. If a per-process filter mask is set, it overrides both the local filter mask and the master filter mask.

The default data store filter mask saves messages with priority levels from Emergency to Notice (level 0 to 5). The level may be inspected using:

syslog -c syslogd

For example, to save messages with priority level Error or less in the data store:

syslog -c syslogd -e

Errors include:
  Unable to determine syslog settings for pid nnn   (needs root for this process; goes to stdout)
  nnn: multiple processes found; use pid to identify a process uniquely
      Use > /bin/ps -e | grep nnnn
Returns 0 if the process is not running!

configuration display

syslog -config

flags:
debug 0
dbtype file
db_file_max 25600000
db_memory_max 256
db_memory_str_max 1024000
mps_limit 0
bsd_max_dup_time 30
mark_time 0
utmp_ttl 31622400
memory_size 0
memory_max 10240000
stats_interval 600
work_queue_count 0
asl_queue_count 0
bsd_queue_count 0
client_count 50
disaster_occurred 0
watchers_active 0
asl_action enabled
bsd_in enabled
bsd_out enabled
klog_in enabled
udp_in enabled
remote disabled
modules:
com.apple.asl enabled
com.apple.AccountPolicyHelper enabled
com.apple.applepushservice enabled
com.apple.authd enabled
com.apple.callhistory.asl.conf enabled
com.apple.cdscheduler enabled
com.apple.clouddocs enabled
com.apple.install enabled
com.apple.contacts.ContactsAutocomplete enabled
com.apple.contacts.ContactsUICore enabled
com.apple.coreaudio enabled
com.apple.CoreDuetAdmissionControl enabled
com.apple.coreduetd enabled
com.apple.eventmonitor enabled
com.apple.DuetHeuristic-BM enabled
com.apple.DuetHeuristic-BM-OSX enabled
com.apple.family.asl enabled
com.apple.icloud.fmfd enabled
com.apple.iokit.power enabled
com.apple.login.guest disabled
com.apple.mail enabled
com.apple.MessageTracer enabled
com.apple.mkb enabled
com.apple.mkb.internal disabled
com.apple.mobileme.fmf1 enabled
com.apple.mobileme.fmf1.internal enabled
com.apple.networking.networkextension disabled
com.apple.networking.networkextension.test enabled
com.apple.networking.NetworkStatistics disabled
com.apple.networking.symptoms disabled
com.apple.performance enabled
com.apple.secinitd enabled

module

syslog -module [name [enable 1|0] [checkpoint [file]]]

With no name, outputs the configuration for all ASL output modules.
With a name and no action, prints the configuration for the named ASL output module.
Supported actions (module name required; use '*' (with single quotes) for all modules):
  • enable 1|0         enables (or disables with 0) the named module; does not apply to com.apple.asl when '*' is used
  • checkpoint [file]  checkpoints all files, or the specified file, for the named module


stats

syslog -stats [-n n] [-d path] [-v]

Outputs usage statistics.
-n n     outputs stats for just the top n (e.g. top 10) senders
-d path  reads the ASL database at the given path for statistics
-v       verbose ([message_count total_data data_average] for 10 minute intervals)

 > /usr/bin/syslog -stats
sender: message_count (% of total) data_size
TOTAL: 36680 (100.00%) 20815221
logd: 8288 (22.65%) 2612376
trustd: 6526 (17.83%) 4065360
powerd: 3300 (9.02%) 2156544
diagnostics_agent: 2613 (7.14%) 1630512
com.apple.WebKit.Networking: 2481 (6.78%) 1548144 


help

syslog [-f file...] [-d path...] [-x file] [-w [N]] [-F format] [-nocompress] [-u] [-sort key1 [key2]] [-nsort key1 [key2]] [-k key [[op] val]]... [-o -k key [[op] val]] ...]...
   -f     read named file[s], rather than standard log message store.
   -d     read all file in named directory path, rather than standard log message store.
   -x     export to named ASL format file, rather than printing
   -w     watch data store (^C to quit)
          prints the last N matching lines (default 10) before waiting
          "-w all" prints all matching lines before waiting
          "-w boot" prints all matching lines since last system boot before waiting
   -F     output format may be "std", "raw", "bsd", or "xml"
          format may also be a string containing variables of the form
          $Key or $(Key) - use the latter for non-whitespace delimited variables
   -T     timestamp format may be "sec" (seconds), "utc" (UTC), or "local" (local timezone)
   -E     text encoding may be "vis", "safe", or "none"
   -nodc  no duplicate message compression
   -u     print timestamps using UTC (equivalent to "-T utc")
   -sort  sort messages using value for specified key1 (secondary sort by key2 if provided)
   -nsort numeric sort messages using value for specified key1 (secondary sort by key2 if provided)
   -k     key/value match
          if no operator or value is given, checks for the existence of the key
          if no operator is given, default is "eq"
   -B     only process log messages since last system boot
   -C     alias for "-k Facility com.apple.console"
   -o     begins a new query
          queries are 'OR'ed together

This seems to be deprecated in lieu of newsyslog, which Mac OS uses to keep system log files to manageable sizes.

PRUNING

The System Log facility saves received messages, subject to the filtering criteria described in the Filtering Controls section. Pruning is required to prevent unlimited growth of the data store.

The syslogd daemon will prune the data store after it starts. See syslogd(8).

-p must be followed by an expression; messages that match the expression are deleted.

A daily pruning operation should be started by cron; for Mac OS X 10.4 it is specified in /etc/periodic/daily/500.daily:

# Delete all messages after 7 days (-k Time lt -7d)
# Delete Warning (Level 4) and above after 3 days (-k Time lt -3d -k Level ge 4)
# Delete Info (Level 6) and above after 1 day (-k Time lt -1d -k Level ge 6)
syslog -p  -k Time lt -7d  -o  -k Time lt -3d -k Level ge 4  -o  -k Time lt -1d -k Level ge 6
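An added Python example (not code from this page or from Apple) that implements the -k/-o query language from the Expressions section above and applies it as the pruning policy just shown: it parses the `-k key [[op] val] ... -o ...` argument list, honours the A/S/Z/C/R/N operator prefixes and relative or absolute Time values, and `prune()` returns the records a `syslog -p` run would keep. It assumes Time comparisons are always numeric, and the records and `now` are constructed.

```python
import re
# Hypothetical evaluator for the syslog(1) -k/-o query language (not Apple's code); a record is a dict of ASL keys.
OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "gt": lambda a, b: a > b,
       "ge": lambda a, b: a >= b, "lt": lambda a, b: a < b, "le": lambda a, b: a <= b}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_query(args):
    """Split ['-k', key, [op], val, ..., '-o', ...] into OR-groups of AND-terms."""
    groups, cur, i = [], [], 0
    while i < len(args):
        if args[i] == "-o":                         # -o starts a new OR'ed query
            groups.append(cur); cur = []; i += 1; continue
        j = i + 2                                   # args[i] is -k, args[i + 1] the key
        while j < len(args) and args[j] not in ("-k", "-o"): j += 1
        rest = args[i + 2:j]                        # [] | [val] | [op, val]
        cur.append((args[i + 1], *(["eq"] + rest if len(rest) == 1 else rest or [None, None])))
        i = j
    return groups + [cur]

def resolve_time(val, now):
    """-N[smhdw] = N units before now; unsigned N = seconds since the epoch."""
    n, unit = re.fullmatch(r"(-?\d+)([smhdw]?)", val).groups()
    return now + int(n) * UNITS[unit or "s"] if int(n) < 0 else int(n)

def match_term(rec, key, op, val, now):
    if key not in rec or op is None:                # bare -k key only tests existence
        return key in rec
    mods, op, have, want = op[:-2], op[-2:], rec[key], val   # prefixes, then base op
    if key == "Time":                               # assumption: Time compares numerically
        return OPS[op](int(have), resolve_time(want, now))
    if "C" in mods: have, want = have.lower(), want.lower()
    if "N" in mods: return OPS[op](int(have), int(want))
    if "R" in mods: hit = re.search(want, have) is not None
    elif "A" in mods: hit = have.startswith(want)
    elif "S" in mods: hit = want in have
    elif "Z" in mods: hit = have.endswith(want)
    else: return OPS[op](have, want)                # plain string comparison
    return hit == (op == "eq")                      # ne negates a pattern match

def matches(rec, groups, now):
    return any(all(match_term(rec, *t, now) for t in g) for g in groups)

def prune(records, args, now):                      # survivors of `syslog -p <args>`
    return [r for r in records if not matches(r, parse_query(args), now)]

NOW = 1700000000   # constructed sample records below (not real log data); Level 3 = Error, 6 = Info
RECORDS = [{"Time": str(NOW - age), "Sender": s, "Level": lv, "Message": m} for age, s, lv, m in
           [(8 * 86400, "portmap", "5", "old notice"), (4 * 86400, "kernel", "2", "4-day critical"),
            (2 * 86400, "configd", "6", "2-day info"), (120, "launchd", "3", "Could not start job")]]
PRUNE = "-k Time lt -7d -o -k Time lt -3d -k Level ge 4 -o -k Time lt -1d -k Level ge 6".split()
```

With these records, `prune(RECORDS, PRUNE, NOW)` keeps only the 4-day-old critical and the recent error: the old notice falls to the 7-day rule and the 2-day-old info to the 1-day rule.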
5/20/13: com.apple.newsyslog.plist
    Label: com.apple.newsyslog
    ProgramArguments: /usr/sbin/newsyslog
    LowPriorityIO: true
    Nice: 1
    StartCalendarInterval: Minute 30

See also

logger, asl (Apple System Logger), syslog(3), syslogd, aslmanager
BalaBit syslog-ng (new generation): filters not only on facility.level; text or database output; TCP or UDP
php-syslog-ng
splunk
Simple log watcher: takes action on a matching event.
umich.edu/.../mac/software/SuperLogs.dmg
Apple System Log server (ASL) daemon, Mac OS X, October 18, 2004

com.apple.syslogd.plist

From /System/Library/LaunchDaemons reformatted by ed

/System/Library/LaunchDaemons > plutil  -p  com.apple.syslogd.plist
  Label  com.apple.syslogd
  JetsamProperties  { JetsamPriority  -49 JetsamMemoryLimit  300 }
  EnvironmentVariables  { ASL_DISABLE  1 }
  MachServices  { com.apple.system.logger ; { ResetAtClose  1 } }
  EnableTransactions  1
  ProgramArguments  [ 0  /usr/sbin/syslogd ]
  Sockets ; { AppleSystemLogger  { SockPathName  /var/run/asl_input SockPathMode  438 }
               BSDSystemLogger   { SockPathName  /var/run/syslog SockType  dgram SockPathMode  438 }
                 }
  HopefullyExitsLast => 1
  OnDemand => 0


log displayer

Made true HTML and terse by Dennis German