Skip to content

Instantly share code, notes, and snippets.

@darconeous
Last active September 3, 2024 21:38
Show Gist options
  • Save darconeous/1b3aee893536c1de2401 to your computer and use it in GitHub Desktop.
Save darconeous/1b3aee893536c1de2401 to your computer and use it in GitHub Desktop.
Using OS X as a Syslog Server

Using OS X as a Syslog Server

This document describes how to set up an OS X to be a syslog server that logs messages from the local network. It was largely meant for my own purposes so that I don't forget what I did, but feel free to use it for your own purposes.

A problem with just "turning this on" is that you will not see the correct hostname in the syslog entries. What we will do is use syslog-ng as a front-end to make sure that the log lines are properly formatted before passing them to apple system logging.

First install homebrew. Then install syslog-ng with the following command:

brew install syslog-ng

Now edit the configuration file in /usr/local/syslog-ng.conf to be something like this:

@version: 3.2
@include "scl.conf"

source s_local {
    internal();
};

source s_network {
    udp(ip("172.30.48.2"));
};

destination d_local {
    udp("127.0.0.1");
};

log {
    source(s_local);
    source(s_network);
    destination(d_local);
};

Make sure you change the address 172.30.48.2 to be the IP address that you are directing the other machines to send their log traffic to.

Now we set up apple system logging. To do that, you need to add the following lines to the Sockets dictionary section of /System/Library/LaunchDaemons/com.apple.syslogd.plist:

<key>NetworkListener</key>
<dict>
    <key>SockNodeName</key>
    <string>127.0.0.1</string>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>

Now load syslogd:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

...and start syslog-ng:

sudo syslog-ng

Now if you do a syslog -w, you should see log messages properly identified flowing into your machine:

$ syslog -w
Mar 26 13:51:43 172.30.80.13 init[4294967295] <Info>: process '/bin/lighttpd -D -f /etc/lighttpd.conf' (pid 8876) exited. Scheduling for restart.
Mar 26 13:51:43 172.30.80.13 init[4294967295] <Info>: starting pid 8885, tty '/dev/null': '/bin/lighttpd -D -f /etc/lighttpd.conf'
Mar 26 13:51:40 172.30.16.4 hostapd[4294967295] <Info>: ath6: STA d8:bb:2c:43:84:e5 IEEE 802.11: associated

Note that if you reboot, you will need to restart syslog-ng unless you set it up to run at bootup. This is left as an excercise for the reader.

@yb66
Copy link

yb66 commented Apr 4, 2017

Okay, forget that, I see you used syslog-ng as a front to send on to syslog. The curse of not re-reading before posting!

iain

@imavroukakis
Copy link

@ms-99
Copy link

ms-99 commented Dec 17, 2018

You can also try "Lan-Secure Syslog Server for Mac-OSX"
It can be downloaded from http://www.lan-secure.com website and works instantly with simple install.

Here is the software web page:
http://lan-secure.com/SyslogServerMac.htm

@RobernetCO
Copy link

Have a look to SysLogView

@coreindustries
Copy link

For a quick and dirty solution (like to debug an issue) you can listen on port 514 with tcpdump:

sudo tcpdump -lns 0 -w - udp and port 514 | strings

Configure the remote machine to send syslog data to your mac's ip and you should see output in your terminal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment