OS X Lion as a syslog server
Written by vaheeD on January 4, 2013
This article explains how to use Mac OS X Lion (and possibly earlier versions) as a syslog server for RouterOS.
First, prepare the built-in syslog daemon so that it also listens on the network; by default it only listens on local UNIX sockets.
sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist /tmp/com.apple.syslogd.plist
sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo vim /System/Library/LaunchDaemons/com.apple.syslogd.plist
Add this to the “Sockets” section:
<key>NetworkListener</key>
<dict>
    <key>SockServiceName</key>
    <string>syslog</string>
    <key>SockType</key>
    <string>dgram</string>
</dict>
OS X can write normal log files like any BSD, but it also comes with a built-in data store for log messages (the Apple System Log, ASL); more information is in the asl.conf man page. Data stores are fast, log rotation is built in, and they are indexed and quickly searchable. I like my network syslog messages routed to a separate data store. Data store routing is configured in /etc/asl.conf. Filtering can be done on a number of fields; the simplest one is “Host”, which will be the router name taken from “/system identity”. The “Sender” field is taken from the prefix configured under “/system logging” for the topic. I store my network syslog messages in /var/log/network, in data store files named by date. The directory has to exist; the commands below create it with read access for everyone at the directory level (everyone can list the files):
sudo mkdir /var/log/network
sudo chown root:staff /var/log/network
sudo chmod 0755 /var/log/network
The rule below routes all messages from hosts whose host name starts with “rb” to the directory created above. The UID for the files will be root (0) and the GID will be 20, which matches the ‘staff’ group that all users are a member of by default. This lets anyone on the machine search the network log files; adjust the UID, GID and mode as required if you need tighter access control. The following line is added to /etc/asl.conf to achieve this.
sudo vim /etc/asl.conf
? [A= Host rb] store_directory /var/log/network uid=0 gid=20 mode=0644
And finally, restart the syslog daemon so that all the changes take effect.
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
Then configure the routers to log to the IP address of the OS X machine; an example follows. Note that in RouterOS 5.x the src-address must be set. This is best set to a loopback address (loopbacks are emulated by creating an empty bridge without any ports assigned to it and configuring an IP address on that bridge interface).
/system logging action
set remote bsd-syslog=yes name=remote remote=1.1.1.1 remote-port=514 \
    src-address=2.2.2.2 syslog-facility=local7 syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix=rb433 topics=system,info
add action=remote disabled=no prefix=rb433 topics=warning
add action=remote disabled=no prefix=rb433 topics=critical
add action=remote disabled=no prefix=rb433 topics=error,!ospf,!route
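To make the routing concrete, here is an added example in Python (not part of the original article, and not Apple's or MikroTik's code) that ties the router configuration above to the asl.conf rule: it parses the BSD syslog (RFC 3164) datagrams the RouterOS action produces (facility local7, the prefix appearing as the tag that ASL exposes as “Sender”), applies the same “Host begins with rb” prefix routing that the store_directory line expresses, and checks the UDP source address before trusting the datagram, because the Host field is self-reported by whoever sends the packet. The sample datagram, the router identity rb433-gw, the source-address allowlist and the YYYY.MM.DD.asl store-file naming are constructed assumptions for this example.

```python
import re
from datetime import datetime
from typing import Optional

# Standard RFC 3164 codes: PRI = facility * 8 + severity
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG   (TAG is optional; ASL shows it as "Sender")
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<sender>[^\s:]+): )?"
    r"(?P<msg>.*)$",
    re.S,
)

# Routing table in the spirit of:  ? [A= Host rb] store_directory /var/log/network
# (prefix, directory); everything that matches no rule lands in the default store.
ROUTES = [("rb", "/var/log/network")]
DEFAULT_STORE = "/var/log/asl"


def parse_bsd_syslog(datagram: bytes) -> dict:
    """Split one UDP datagram into the fields the asl.conf query can filter on."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = BSD_LINE.match(text)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % text[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),          # ASL "Host": RouterOS /system identity
        "sender": m.group("sender") or "",  # ASL "Sender": the logging action prefix
        "message": m.group("msg"),
    }


def store_directory(record: dict, routes=ROUTES, default=DEFAULT_STORE) -> str:
    """A= in asl.conf is a prefix match on the field value; first matching rule wins."""
    for prefix, directory in routes:
        if record["host"].startswith(prefix):
            return directory
    return default


def store_path(record: dict, day_iso: str, routes=ROUTES) -> str:
    """Per-day data store file; the YYYY.MM.DD.asl naming is an assumption here."""
    day = datetime.strptime(day_iso, "%Y-%m-%d")
    return "%s/%s.asl" % (store_directory(record, routes), day.strftime("%Y.%m.%d"))


def accept_datagram(datagram: bytes, src_ip: str, allowed_sources: set) -> Optional[dict]:
    """Only trust the self-reported Host field when the packet came from a known router
    (the src-address configured on the RouterOS side); anything else is dropped."""
    if src_ip not in allowed_sources:
        return None
    return parse_bsd_syslog(datagram)


# Constructed sample datagram: what the action above sends for a "system,info" entry
# on a router whose identity is rb433-gw. local7 (23) * 8 + info (6) = PRI 190.
SAMPLE = (b"<190>Jan  4 10:15:02 rb433-gw rb433: system,info,account "
          b"user admin logged in from 10.0.0.5 via winbox")

if __name__ == "__main__":
    rec = accept_datagram(SAMPLE, "2.2.2.2", {"2.2.2.2"})
    print(rec)
    print(store_path(rec, "2013-01-04"))
```

Run as a script, it prints the parsed record and the store file the message would be routed to; the same functions can be wired behind a `socket.recvfrom()` loop on UDP 514 to try routing rules against live traffic before committing them to /etc/asl.conf.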
On the OS X server you can then display all log messages with the syslog command; see the syslog man page for details.