System logging utilities (syslogd and klogd; on OS X the Apple System Log): system logging and kernel message trapping.
Use of internet and unix domain sockets enables local and remote logging.
If an error occurs during parsing of the config file, the whole line is ignored.
Prefix the destination filename with - to omit syncing the file after every write to it (reduces I/O load).
For example, to cause ALL messages of priority debug and above (debug is the lowest priority, so all higher levels match) to go into /var/log/daemons without syncing after each write:
    *.debug -/var/log/daemons
Selector modifiers:
    *   all messages for the specified facility are directed to the destination.
    =   restricts logging to exactly the specified priority (rather than that priority and above); this allows, for example, routing only debug messages to a particular destination.
    !   excludes the specified priorities; this affects all (!) ways of specifying priorities.
Examples:
    Direct debug messages from all sources: a selector with * as the facility and =debug as the priority.
    mail.*;mail.!=info    /var/log/mail     all messages of the facility mail except those with the priority info
    news.info;news.!crit  /var/log/news     all messages from news.info (including) to news.crit (excluding)
    mail.none, mail.!* or mail.!debug       skip all messages with a mail facility
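The selector rules above are easy to get wrong because they are applied left to right and `!` removes rather than replaces. The following is an added example, not code from syslogd or this page: a small Python model of selector matching that parses a constructed syslog.conf (the rule lines come from the text above; the host name syslogdhostnam is the page's own placeholder) and reports which actions a given facility.priority message would reach. It models the standard facility and priority names only; OS X additions such as remoteauth are not included.

```python
"""Added example (not syslogd source): a model of syslog.conf selector
matching, so a rule set can be checked against sample messages before it is
deployed. Only the standard facility and priority names are modelled."""

# syslog(3) priority order: LOG_EMERG=0 ... LOG_DEBUG=7
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{n}" for n in range(8)]


def severity_number(name):
    name = SEVERITY_ALIASES.get(name, name)
    if name not in SEVERITIES:
        raise ValueError(f"unknown priority {name!r}")
    return SEVERITIES.index(name)


def parse_selectors(field):
    """Return {facility: set(priorities)} for a selector field such as
    'mail.*;mail.!=info'. Selectors apply left to right: 'fac.pri' adds pri
    and every more severe level, '=' limits to exactly pri, '!' removes
    instead of adding, 'none' removes every level, '*' means all levels."""
    mask = {fac: set() for fac in FACILITIES}
    for selector in field.split(";"):
        selector = selector.strip()
        if not selector:
            continue
        if "." not in selector:
            raise ValueError(f"selector {selector!r} has no priority")
        fac_part, pri = selector.rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        unknown = [f for f in facs if f not in mask]
        if unknown:
            raise ValueError(f"unknown facility {unknown[0]!r}")
        remove = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "none":
            levels, remove = set(SEVERITIES), True
        elif pri == "*":
            levels = set(SEVERITIES)
        elif exact:
            levels = {SEVERITIES[severity_number(pri)]}
        else:
            levels = set(SEVERITIES[: severity_number(pri) + 1])  # pri and more severe
        for f in facs:
            if remove:
                mask[f] -= levels
            else:
                mask[f] |= levels
    return mask


def parse_config(text):
    """Parse syslog.conf lines into (mask, action) rules. As with syslogd,
    a line that fails to parse is dropped as a whole; here it is reported."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            field, action = line.split(None, 1)
            rules.append((parse_selectors(field), action.strip()))
        except ValueError as exc:
            print(f"config line {lineno} ignored: {exc}")
    return rules


def route(rules, facility, priority):
    """Actions (in config order) that receive a message of facility.priority."""
    priority = SEVERITY_ALIASES.get(priority, priority)
    return [action for mask, action in rules if priority in mask.get(facility, ())]


# Constructed sample configuration built from the rules discussed above.
SAMPLE_CONFIG = """\
*.debug               -/var/log/daemons   # everything, no fsync per write
mail.*;mail.!=info    /var/log/mail       # all mail except priority info
news.info;news.!crit  /var/log/news       # news.info up to but excluding crit
kern.=debug           |/var/log/debug     # only kernel debug, to a named pipe
*.*;mail.none         @syslogdhostnam     # forward everything except mail
bogus.info            /var/log/never      # unknown facility: line ignored
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for fac, pri in [("mail", "info"), ("mail", "err"), ("news", "crit"),
                     ("news", "warning"), ("kern", "debug"), ("kern", "info")]:
        print(f"{fac}.{pri:8} -> {route(rules, fac, pri)}")
```

Running it shows the order dependence directly: `*.*;mail.none` forwards everything except mail, whereas `mail.none;*.*` would forward mail too, because the later `*.*` adds the levels back.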
Remote Logging
Enable forwarding (perhaps for consolidation) or receiving messages from another node with -r; default: ignore the network.
Sending and receiving require the syslog service to be defined in services(5) as
    syslog 514/udp
otherwise syslogd will die.
To forward messages to another host, use @hostname as the action. For example, to forward ALL messages to a remote host:
    *.* @syslogdhostnam
If the remote hostname cannot be resolved at startup, syslogd will try to resolve the name ten times and then complain.
Beware of syslog loops (bad): forwarding messages to a syslogd that forwards them back.
In a network, provide a central log server so that all the logs are kept on one machine.
If the network consists of different domains, logging will include fully qualified names.
    -s stripdomain   strip off domains other than the one the server is located in and log only simple hostnames.
    -l               define single hosts as local machines.
The UDP socket used to forward messages to remote hosts or to receive messages from them is only opened when it is needed.
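What actually travels over that UDP socket is a single datagram per message. As an added example (not syslogd's own code, and not from this page), the Python below runs both sides of the exchange on a loopback port chosen by the OS instead of 514/udp, so it works unprivileged: the sending side builds the traditional BSD-format datagram `<PRI>TIMESTAMP HOST TAG: MSG` with PRI = facility code * 8 + severity, and the receiving side (the -r role) decodes it. The facility codes are the standard syslog(3) values; the `@host:port` target form is the one used in the OS X configuration later on this page (`install.* @127.0.0.1:32376`); the host name, tag and message text are constructed.

```python
"""Added example (not syslogd source): the UDP forwarding exchange between a
sending syslogd (the '@host' action) and a receiving syslogd (-r), on a
loopback port chosen by the OS instead of 514/udp so it runs unprivileged.
Message layout follows the traditional BSD format '<PRI>TIMESTAMP HOST TAG: MSG'
with PRI = facility_code * 8 + severity."""
import socket

FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
                  **{f"local{n}": 16 + n for n in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_forward_target(action):
    """'@host' or '@host:port' from a syslog.conf action -> (host, port)."""
    if not action.startswith("@"):
        raise ValueError("forwarding actions start with @")
    host, _, port = action[1:].partition(":")
    return host, (int(port) if port else 514)


def encode(facility, severity, host, tag, msg, timestamp="Jun 18 12:00:00"):
    """Build the datagram the sending syslogd puts on the wire."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {host} {tag}: {msg}".encode()


def decode(datagram):
    """Split a received datagram into (facility, severity, rest).
    A datagram without a valid PRI is rejected rather than guessed at."""
    text = datagram.decode("ascii", errors="replace")
    head, sep, rest = text.partition(">")
    if not head.startswith("<") or not sep or not head[1:].isdigit():
        raise ValueError("missing or malformed PRI field")
    pri = int(head[1:])
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    fac_code, sev = divmod(pri, 8)
    facility = next((n for n, c in FACILITY_CODES.items() if c == fac_code),
                    f"facility{fac_code}")
    return facility, SEVERITIES[sev], rest


def forward_and_receive(facility, severity, msg, sender_name="client1", tag="sshd[812]"):
    """Run both sides of the exchange on 127.0.0.1 and return what the
    receiver learns: the decoded message and the peer address it came from."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))    # OS-chosen port stands in for 514/udp
    receiver.settimeout(2)
    target = ("127.0.0.1", receiver.getsockname()[1])
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(encode(facility, severity, sender_name, tag, msg), target)
        data, peer = receiver.recvfrom(2048)
    finally:
        sender.close()
        receiver.close()
    fac, sev, rest = decode(data)
    # The receiver only knows the datagram's source address; nothing in the
    # protocol authenticates it or the host name carried inside the message.
    return {"facility": fac, "severity": sev, "text": rest, "peer": peer[0]}


if __name__ == "__main__":
    print(parse_forward_target("@127.0.0.1:32376"))
    print(forward_and_receive("auth", "notice", "session opened for user ops"))
```

The receiver's view is the security-relevant part: it sees a source address and whatever host name the sender wrote into the datagram, and neither is authenticated, which is why the page later recommends firewalling 514/UDP to known hosts rather than relying on the message contents.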
OUTPUT TO NAMED PIPES (FIFOs)
A fifo or named pipe can be used as a destination for log messages by prepending a | to the name of the file. The fifo must be created with the mkfifo command before syslogd is started.
    # Sample configuration to route kernel debugging
    # messages ONLY to /var/log/debug which is a named pipe.
    kern.=debug |/var/log/debug
klogd can be run from init or started separately. If started from init, use -n (don't switch to background).
There is the potential for the syslogd daemon to be used as a conduit for a denial of service attack. A rogue program (or programmer) could flood the syslogd daemon with syslog messages, resulting in the log files consuming all the remaining space on the filesystem. Activating logging over the inet domain sockets will expose a system to risks beyond programs or individuals on the local machine.
There are a number of methods of protecting a machine:
- Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.
- Log to a non-root filesystem.
- Log to an ext2 filesystem, which can be configured to reserve a percentage of the filesystem for use by root only; this requires syslogd to be run as a non-root process.
- Disabling inet domain sockets limits risk to the local machine, but prevents remote logging since syslogd will be unable to bind to the 514/UDP socket.
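The protections above limit the damage a flood can do; noticing the flood early is the other half. As an added example (not part of syslogd or this page), the Python below runs a sliding-window rate check over BSD-format log lines of the kind syslogd writes, and flags any (host, program) pair that exceeds an assumed threshold within a short window. The sample lines, the host and program names, and the threshold are all constructed.

```python
"""Added example (not part of syslogd): a sliding-window rate check over
BSD-format log lines that flags any (host, program) pair flooding the log,
the denial-of-service case discussed above. The sample lines are
constructed and the threshold is an assumed local policy."""
from collections import defaultdict, deque
import time


def parse_line(line):
    """'Mon DD HH:MM:SS host tag[pid]: message' -> (seconds, host, tag).
    Seconds count from the start of the (year-less) timestamp's year, which
    is enough for ordering lines from one log file."""
    stamp = time.strptime(line[:15], "%b %d %H:%M:%S")
    secs = ((stamp.tm_yday * 24 + stamp.tm_hour) * 60 + stamp.tm_min) * 60 + stamp.tm_sec
    host, _, rest = line[16:].partition(" ")
    tag = rest.split(":", 1)[0].split("[", 1)[0]   # drop the '[pid]' part
    return secs, host, tag


def find_floods(lines, max_msgs=5, window=10):
    """Return {(host, tag): peak_count} for every source that logged more
    than max_msgs lines within any span of window seconds."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        secs, host, tag = parse_line(line)
        key = (host, tag)
        q = recent[key]
        q.append(secs)
        while secs - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) > max_msgs:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


# Constructed sample: one well-behaved daemon, one that floods for a few seconds.
SAMPLE_LINES = """\
Jun 18 12:00:00 web1 sshd[812]: Accepted publickey for ops from 10.0.0.5
Jun 18 12:00:01 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jun 18 12:00:02 web1 noisyd[4242]: retrying connection
Jun 18 12:00:02 web1 noisyd[4242]: retrying connection
Jun 18 12:00:03 web1 noisyd[4242]: retrying connection
Jun 18 12:00:03 web1 noisyd[4242]: retrying connection
Jun 18 12:00:04 web1 noisyd[4242]: retrying connection
Jun 18 12:00:04 web1 noisyd[4242]: retrying connection
Jun 18 12:00:05 web1 noisyd[4242]: retrying connection
Jun 18 12:00:20 web1 sshd[815]: Accepted publickey for ops from 10.0.0.5
Jun 18 12:00:40 web1 noisyd[4242]: retrying connection
"""

if __name__ == "__main__":
    for (host, tag), peak in find_floods(SAMPLE_LINES.splitlines()).items():
        print(f"{host} {tag}: {peak} messages inside a 10 s window")
```

The same check can be pointed at the receiving host's consolidated log, where the host column distinguishes a single chatty client from a network-wide problem; per-source rate limiting at that point is what keeps one client from filling the central server's filesystem.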
-d   verbose display of activity is output to stdout.
When the configuration file is read, a tabular report is output:
    number      sequence number representing the position in the internal data structure. An omitted sequence number indicates an error in the corresponding config line.
    columns     one per facility (only the leftmost are used); the field in a column represents the priorities selected.
    action      what is done when a message is received that matches the pattern.
    arguments   additional arguments to the action:
        - file logging: filename of the logfile;
        - user logging: list of users;
        - remote logging: hostname of the machine to log to;
        - console logging: the console used;
        - tty logging: the specified tty; wall has no additional arguments.
Files:
    /dev/log               socket used by local syslog
    /var/run/syslogd.pid   file containing the process id of syslogd
Entries in services(5):
    syslog       514/udp
    syslog-conn  601/udp   # Reliable Syslog Service
    syslog-conn  601/tcp   # Reliable Syslog Service
Notes:
If an error occurs in one line, the whole rule is ignored. (Don't forget the # to precede comments (NOT ALL VERSIONS).)
Syslogd doesn't change the permissions of logfiles; created files are world readable.
Use savelog(8) to rotate logfiles.
It is a security hole if everybody is able to send messages to syslogd from the network.
See also: syslog (BSD, really Mac OS X / darwin), syslog-ng (BalaBit Ltd version), syslog.conf, klogd(8), logger, syslog(2), syslog(3), services(5), savelog(8)
OS X syslog.conf (from smacker, OS X 10.5.7, 6/18/09):
    # Emergency (0) note counter-intuitive Emergency has a level less than Debug.
    # Alert
    # Critical
    # Error
    # Warning
    # Notice
    # Info
    # Debug
    *.err                                                           /dev/console
    kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit   /dev/console
    # DONT Send messages to the serial port.
    #*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit    /dev/tty.serial
    *.notice                                                        /var/log/system.log
    mail.crit                                                       /var/log/system.log
    kern.debug                                                      /var/log/system.log
    authpriv,remoteauth,ftp,install.none                            /var/log/system.log
    # authpriv log file should be restricted access
    auth.info;authpriv.*                                            /var/log/secure.log
    remoteauth.crit                                                 /var/log/secure.log
    lpr.info                                                        /var/log/lpr.log
    mail.*                                                          /var/log/mail.log
    ftp.*                                                           /var/log/ftp.log
    install.*                                                       /var/log/install.log
    install.*                                                       @127.0.0.1:32376
    local0.*                                                        /var/log/appfirewall.log
    local1.*                                                        /var/log/ipfw.log
    *.emerg                                                         *
    *.alert                                                         /var/log/01-alert.log
    *.crit                                                          /var/log/02-crit.log    ##see above
    *.err                                                           /var/log/03-err.log
    *.warn                                                          /var/log/04-warn.log    ##see above
    *.notice                                                        /var/log/05-notice.log
    *.info                                                          /var/log/06-info.log
    *.debug                                                         /var/log/07-debug.log
    sudo.*                                                          /var/log/sudo.log
    #++++++++++++++++++++++++++++++++++++++++++++++
OS X darwin plist for syslogd (launchd):
    <dict>
        <key>Label</key>
        <string>com.apple.syslogd</string>
        <key>OnDemand</key>
        <false/>
        <key>HopefullyExitsLast</key>
        <true/>
        <key>EnableTransactions</key>
        <true/>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/syslogd</string>
        </array>
        <key>MachServices</key>
        <dict>
            <key>com.apple.system.logger</key>
            <true/>
        </dict>
        <key>Sockets</key>
        <dict>
            <key>AppleSystemLogger</key>
            <dict>
                <key>SockPathName</key>
                <string>/var/run/asl_input</string>
                <key>SockPathMode</key>
                <integer>438</integer>
            </dict>
            <key>BSDSystemLogger</key>
            <dict>
                <key>SockPathName</key>
                <string>/var/run/syslog</string>
                <key>SockType</key>
                <string>dgram</string>
                <key>SockPathMode</key>
                <integer>438</integer>
            </dict>
        </dict>
    </dict>
OS X darwin plist for rotating logs (newsyslog): /System/Library/LaunchDaemons/com.apple.newsyslog.plist
    <key>Label</key>
    <string>com.apple.newsyslog</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/newsyslog</string>
    </array>
    <key>LowPriorityIO</key>
    <true/>
    <key>Nice</key>
    <integer>1</integer>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Minute</key>
        <integer>30</integer>
    </dict>
See: rsyslogd
Collaborators: Syslogd is taken from BSD sources, Greg Wettstein (email@example.com) performed the port to Linux,