#1 |
|
Registered User
Join Date: Nov 2004
Posts: 1
|
Syslog - How To - Logging remote events etc.
I just thought I'd post a short HowTo since this forum has helped me so much. I'd like to thank all those who created these various help posts.
I'm using 10.3.6

First turn on remote syslogging:
http://docs.info.apple.com/article.html?artnum=107993
Note: http://developer.apple.com/documenta...syslogd.8.html

Then open UDP port 514 if required:
http://docs.info.apple.com/article.html?artnum=106439

Configure syslog.conf to log the events into a log file:
http://www.macosxhints.com/article.p...40301223642276
http://forums.macosxhints.com/showthread.php?t=21236

My example:
In syslog.conf, above the first log line:
*.err;kern.*;auth.notice; (blah blah)
add the following lines:

    # Log remote Airport Extreme
    #airport IP address
    +1.2.3.4
    *.*<tab><tab>/var/log/AirportExtreme.log
    !*
    #end block

    # Log router
    #remote router IP address
    +1.2.3.5
    *.*<tab><tab>/var/log/Router.log
    !*
    #end block

    #OS X Server services
    # IPFW Firewall
    !ipfw
    *.*<tab><tab>/var/log/ipfw.log
    !*
    #end block

    #CRON events (NOTE CASE)
    !CRON
    *.*<tab><tab>/var/log/RemoteFirewall.log
    !*
    #end block

(etc.)

You can then exclude the log messages so they don't appear in other logs (I don't) using:
http://forums.macosxhints.com/showth...ghlight=syslog

Remember to create (touch) the above log files.

You may want to modify your daily and weekly log rotation:
Ex. in 500.weekly look for this line and add your log file names:
for i in ftp.log lookupd.log (blah blah)

Again, the true authors:
http://forums.macosxhints.com/showthread.php?t=21236 --> send IPFW to its own log
http://www.macosxhints.com/article.p...40301223642276 --> how to receive from remote hosts
http://www.oit.duke.edu/mac/OSX_logging.html --> Start and Stop syslogd and etc.
http://docs.info.apple.com/article.html?artnum=107993 --> Turn on remote syslog server
http://forums.macosxhints.com/showth...ghlight=syslog --> exclude log events
and most important the missing OS X syslog.conf man page!
http://www.freebsd.org/cgi/man.cgi?q...ts&format=html

I hope this helps...
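An added example, not part of the original post: a small Python parser that shows which host and program each syslog.conf rule ends up scoped to, assuming the block rules in the FreeBSD syslog.conf(5) man page linked in the post (a `+host` or `!prog` line stays in force until it is reset with `+*` or `!*`). `SAMPLE_CONF`, `effective_rules` and `host_scoped` are names made up for this example, and the sample configuration is constructed.

```python
# Added example: resolve the host/program scope of each syslog.conf rule.
# Assumes the block rules in FreeBSD syslog.conf(5), the man page the post links to.

SAMPLE_CONF = (  # constructed sample laid out like the post's blocks, real tabs
    "+1.2.3.4\n"
    "*.*\t\t/var/log/AirportExtreme.log\n"
    "!*\n"
    "+1.2.3.5\n"
    "*.*\t\t/var/log/Router.log\n"
    "!*\n"
    "# IPFW Firewall\n"
    "!ipfw\n"
    "*.*\t\t/var/log/ipfw.log\n"
    "!*\n"
    "*.err;kern.*;auth.notice\t\t/dev/console\n"
)


def effective_rules(conf_text):
    """Return (selector, action, host, program) for every rule line."""
    host, prog, rules = "*", "*", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#!"):          # "#!prog" is read as "!prog"
            line = line[1:]
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":                # hostname specification, "+*" resets
            name = line[1:].strip()
            host = "*" if name == "*" else line[0] + name
        elif line[0] == "!":               # program specification, "!*" resets
            prog = line[1:].strip() or "*"
        else:                              # selector<whitespace>action
            parts = line.split(None, 1)
            if len(parts) == 2:
                rules.append((parts[0], parts[1], host, prog))
    return rules


def host_scoped(rules, expected):
    """Rules still tied to a remote host whose log file is not one of the
    files meant for that host (hypothetical helper for this example)."""
    return [r for r in rules if r[2] != "*" and r[1] not in expected.get(r[2], ())]


if __name__ == "__main__":
    for rule in effective_rules(SAMPLE_CONF):
        print("%-26s -> %-30s host=%-9s prog=%s" % rule)
```

Under those rules `!*` clears only the program, so a host block is closed with `+*`; `host_scoped` lists the rules that would otherwise stay tied to the last `+host` line.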
#2 |
|
Triple-A Player
Join Date: Mar 2005
Posts: 79
|
Well done! I was looking for this exact info!
#3 |
|
Prospect
Join Date: May 2005
Posts: 5
|
Tiger?
Did you figure out how to set this up in 10.4?
In my /etc/rc script there is no entry for syslogd
update: http://www.aaronadams.net/index.php/...cept_logs_from works like a charm with my new zywall5
Last edited by nob; 08-12-2005 at 07:20 PM. Reason: Update