@darconeous
Last active May 2, 2024 13:55
Using OS X as a Syslog Server

This document describes how to set up an OS X machine as a syslog server that logs messages from the local network. It was largely written for my own purposes so that I don't forget what I did, but feel free to use it for yours.

A problem with just "turning this on" is that you will not see the correct hostname in the syslog entries. Instead we will use syslog-ng as a front-end to make sure that the log lines are properly formatted before passing them on to Apple System Log (syslogd).

First install Homebrew. Then install syslog-ng with the following command:

brew install syslog-ng

Now edit the configuration file /usr/local/syslog-ng.conf so that it looks something like this:

@version: 3.2
@include "scl.conf"

source s_local {
    internal();
};

source s_network {
    udp(ip("172.30.48.2"));
};

destination d_local {
    udp("127.0.0.1");
};

log {
    source(s_local);
    source(s_network);
    destination(d_local);
};

Make sure you change the address 172.30.48.2 to the IP address of this machine that the other hosts will be sending their log traffic to.

Now we set up Apple System Log. To do that, add the following lines to the Sockets dictionary in /System/Library/LaunchDaemons/com.apple.syslogd.plist:

<key>NetworkListener</key>
<dict>
    <key>SockNodeName</key>
    <string>127.0.0.1</string>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>

Now reload syslogd so that it picks up the new listener:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

...and start syslog-ng:

sudo syslog-ng

Now if you run syslog -w, you should see correctly identified log messages flowing into your machine:

$ syslog -w
Mar 26 13:51:43 172.30.80.13 init[4294967295] <Info>: process '/bin/lighttpd -D -f /etc/lighttpd.conf' (pid 8876) exited. Scheduling for restart.
Mar 26 13:51:43 172.30.80.13 init[4294967295] <Info>: starting pid 8885, tty '/dev/null': '/bin/lighttpd -D -f /etc/lighttpd.conf'
Mar 26 13:51:40 172.30.16.4 hostapd[4294967295] <Info>: ath6: STA d8:bb:2c:43:84:e5 IEEE 802.11: associated

Note that if you reboot, you will need to restart syslog-ng unless you set it up to run at boot. This is left as an exercise for the reader.
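To make the hostname problem concrete, here is an added example (not part of the gist, and not syslog-ng's own code) that parses the raw RFC 3164 datagrams the s_network source receives and falls back to the sender's IP address when a device omits the HOSTNAME field, which is what syslog-ng does for you in the setup above. The sample datagrams are constructed; the port, bind address and field names are my own choices.

```python
import re
import socket

# Added example (not from the gist): a minimal RFC 3164 BSD-syslog parser that does the
# job the syslog-ng front-end on this page exists for. Embedded senders often omit the
# HOSTNAME field; when it is missing, fall back to the sender's IP address, the same
# fallback syslog-ng applies unless keep_hostname(yes) is set.
_PRI = re.compile(r"^<(\d{1,3})>")
_TS = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_bsd_syslog(datagram: bytes, sender_ip: str) -> dict:
    """Split one UDP syslog datagram into fields, filling in a missing hostname."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    pri = 13  # RFC 3164 default (user.notice) when no <PRI> prefix is present
    m = _PRI.match(text)
    if m:
        pri = int(m.group(1))
        text = text[m.end():]
    facility, severity = divmod(pri, 8)
    timestamp = None
    m = _TS.match(text)
    if m:
        timestamp = f"{m.group(1)} {int(m.group(2)):2d} {m.group(3)}"
        text = text[m.end():]
    # Collector heuristic: the token after the timestamp is a hostname only if it
    # is not already the TAG ("init[42]:" or "init:"). IPv6 literals would misparse.
    head, _, rest = text.partition(" ")
    if head and rest and "[" not in head and ":" not in head:
        hostname, origin, text = head, "message", rest
    else:
        hostname, origin = sender_ip, "sender"
    return {"facility": facility, "severity": SEVERITIES[severity],
            "timestamp": timestamp, "hostname": hostname,
            "hostname_origin": origin, "message": text}


def normalize(datagram: bytes, sender_ip: str) -> str:
    """Render the line the way the downstream syslogd should see it."""
    f = parse_bsd_syslog(datagram, sender_ip)
    return f"{f['timestamp'] or '-'} {f['hostname']} {f['message']}"


def serve(bind_ip: str = "0.0.0.0", port: int = 514) -> None:
    """Listen like the s_network source above and print normalized lines (port 514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (ip, _) = sock.recvfrom(8192)
            print(normalize(data, ip))
```

Run serve() on the collector to watch the normalized lines directly; the hostname_origin field tells you which devices are sending messages without a hostname and therefore depend on the fallback.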

@spectodesign

How did you manage to run "brew install syslog-ng"? This is the error we see: No available formula with the name "syslog-ng"

@bongardino

bongardino commented Dec 20, 2016

No available formula with the name "syslog-ng"

Looks like syslog-ng has been moved to the boneyard. You can get to it via brew tap homebrew/boneyard but I couldn't install due to an error: Error: syslog-ng was moved to homebrew-boneyard because it has unfixable issues. Please do not file any issues about this. Sorry!

@dukechem

The reason(s) syslog-ng was removed from homebrew are detailed here:
Homebrew/legacy-homebrew#22030
Mostly seems due to problems compiling versions newer than 3.08. And seems unlikely to ever be fixed. So syslog-ng 3.08 is the last version to run on OS X.

@yb66

yb66 commented Apr 4, 2017

I installed v3.9.1 via pkgsrc

@darconeous, did you not have to change the line pointing to the original syslog too?

<key>ProgramArguments</key>
<array>
	<string>/usr/sbin/syslogd</string>
</array>

Regards,
iain

@yb66

yb66 commented Apr 4, 2017

Okay, forget that, I see you used syslog-ng as a front to send on to syslog. The curse of not re-reading before posting!

iain


@ms-99

ms-99 commented Dec 17, 2018

You can also try "Lan-Secure Syslog Server for Mac-OSX"
It can be downloaded from http://www.lan-secure.com website and works instantly with simple install.

Here is the software web page:
http://lan-secure.com/SyslogServerMac.htm

@RobernetCO

Have a look at SysLogView

@coreindustries

For a quick and dirty solution (e.g. to debug an issue) you can listen on port 514 with tcpdump:

sudo tcpdump -lns 0 -w - udp and port 514 | strings

Configure the remote machine to send syslog data to your Mac's IP and you should see output in your terminal.
