Does anyone know how to start the Syslogd server on a Mac to accept remote logging messages?
I started Syslogd, but it seems it doesn't accept remote messages.
If I do a netstat -an it looks like udp port 514 is listening. However, if I scan the server from my laptop using nmap then I don't see udp 514. It's likely the port is being blocked somewhere. I have checked ipfw but it does not look like any rules are defined.
I've seen lots of articles say that you have to specify the -r option. Is this the same on Mac? How do I do that on Mac?
Use the -i option to start syslogd in the local-only mode. In this mode, syslogd processes only messages sent over the network by remote systems running syslogd. This instance of syslogd does not process logging requests from the local system or applications. Use the -n option to start syslogd in the network-only mode.
The "syslogd" process is a utility that the OS uses to turn over system log files by using the "bzip2" utility to compress them and creating new ones when the files get to a certain size. This helps conserve space and makes it easier to search log file contents.
A remote syslog server allows you to separate the software that generates the messages and events from the system that stores and analyzes them. When enabled, the network driver sends messages to a syslog server on the local Intranet or Internet through a VPN tunnel.
Syslogd should already be running on your system; what you need to do is enable its UDP listening option. This is controlled by a section near the end of /System/Library/LaunchDaemons/com.apple.syslogd.plist; remove the comment markers so that it looks like this:
        <!-- Un-comment the following lines to enable the network syslog protocol listener. -->
        <key>NetworkListener</key>
        <dict>
            <key>SockServiceName</key>
            <string>syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>
And then reload the syslogd daemon either by rebooting, or by running:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
UPDATE: Starting in OS X v10.7, Apple switched com.apple.syslogd.plist to a binary plist format, which doesn't include the relevant comment, and isn't editable as plain text. With the new format, PlistBuddy seems to be the easiest way to add the listener:
cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
sudo launchctl unload com.apple.syslogd.plist
sudo launchctl load com.apple.syslogd.plist
A bit old, but I did have to do this today and whilst searching around for a simple piece of software to do this for me I came across this question.
All I really wanted to do was watch some syslog entries for a short period of time and see what was coming from the server so what I ended up doing was:
sudo tcpdump -lns 0 -w - udp and port 514 | strings
This will simply print out any message that is sent to your machine on the output so you can display it.
Anyway if you do this and it outputs messages that are being transmitted to your server you can be sure it's not being blocked by your firewall or any other hardware in the middle.
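An added example, not from any of the answers above: a UDP listener does not acknowledge probes, so a practical way to confirm the listener is reachable is to send a real test datagram from the remote machine while the tcpdump command above runs on the Mac. The function names, the syslog-test tag and the local0/notice priority are assumptions chosen for illustration.

```python
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def build_datagram(facility, severity, tag, text):
    """BSD syslog payload: '<PRI>tag: text', where PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{tag}: {text}".encode("utf-8")

def parse_datagram(data):
    """Split a payload into (facility, severity_name, message); None if malformed."""
    text = data.decode("utf-8", errors="replace")
    end = text.find(">")
    digits = text[1:end]
    if not text.startswith("<") or not (2 <= end <= 4):
        return None
    if not (digits.isascii() and digits.isdigit()) or int(digits) > 191:
        return None
    pri = int(digits)
    return pri // 8, SEVERITIES[pri % 8], text[end + 1:]

def send_test(host, port=514, text="remote syslog test"):
    """Send one datagram (facility 16 = local0, severity 5 = notice) to the collector."""
    payload = build_datagram(16, 5, "syslog-test", text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return payload

def loopback_check(timeout=2.0):
    """Bind a throwaway UDP listener on 127.0.0.1, send to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # port 0: the OS picks a free unprivileged port
        rx.settimeout(timeout)
        send_test("127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
    return parse_datagram(data)

if __name__ == "__main__":
    # Self-test on loopback; for the real check, run send_test("<collector address>")
    # on the remote machine and watch for the message on the Mac.
    print(loopback_check())
```

If the test message shows up in tcpdump but not in the logs, the network path is fine and the remaining problem is the syslogd listener configuration.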