syslogd - Mac OS X system Log server
It is HIGHLY recommended to learn about all of the process logging and 'watchdog' style programs on any system that is publicly accessible or whose functionality is important to maintain. The system logs are often the best starting point for a "bug hunt", for performance improvements, and for preventing your system from becoming a drone in the bot army. Ellis Jordan Bojar has a nice write-up, "Enable Remote System Logging with syslogd", over at his site MakeMacWork.com.
WATCH YOUR BOX
Once a change has been made to the syslogd configuration file, the daemon can be reinitialized without rebooting the entire system by sending the process a HUP signal:
sudo killall -HUP syslogd
Mac OS X man page
SYSLOGD(8) BSD System Manager's Manual SYSLOGD(8)
NAME
syslogd -- Apple System Log server
SYNOPSIS
syslogd [-d] [-D] [-m mark_interval] [-p prune_days] [-c log_cutoff]
[-l lib_path] [-u] [-module_name {0|1}]
DESCRIPTION
The syslogd server receives and processes log messages. Several modules
receive input messages through various channels, including UNIX domain
sockets associated with the syslog(3), asl(3), and kernel printf APIs,
and optionally from a UDP socket if the ``udp_in'' module is enabled.
The Apple System Log facility comprises the asl(3) API, a new syslogd
server, and the syslog(1) command-line utility. The system supports
structured and extensible messages, permitting advanced message browsing
and management through search APIs and other components of the Apple
system log facility.
Log messages are retained in a data store, subject to pruning and input
filtering as described below, to simplify the task of locating log
messages and to facilitate browsing and searching. The data store is
intended to become a replacement for the numerous log files that are
currently found in various locations on the system. Those files will be
phased out in future versions of Mac OS.
The following options are recognized:
-d Run syslogd in debugging mode. The server stays attached to the
controlling terminal and prints debugging messages.
-D Start as a daemon. This option forces syslogd to fork and have
the child process become a daemon. Since syslogd is started by
launchd, this is not normally required.
-m Set the number of minutes between ``mark'' messages. The default
is 20 minutes. The ``mark'' facility is disabled if the setting
is zero minutes.
-p syslogd saves log messages in a data store that may be searched
using the syslog(1) utility or with the asl(3) API. The data
store is pruned daily by the /etc/daily cron job to keep it from
growing without bound. Since many systems are shut down
overnight (when the daily cron job runs), the data store is also
pruned shortly after syslogd starts up as the system boots. By
default, log messages in the data store that are more than 7 days
old are removed. The setting of the -p prune_days overrides the
default. A setting of zero days disables pruning of the data
store when syslogd starts up.
-c Sets a cutoff filter for log priorities for messages to be
retained in the log message data store. The value of log_cutoff
must be between 0 and 7, corresponding to log priorities
LOG_EMERG or ASL_LEVEL_EMERG and LOG_DEBUG or ASL_LEVEL_DEBUG as
defined in the syslog(3) and asl(3) header files. Received
messages with a priority or level value greater than the cutoff will
not be saved in the data store. The default filter will retain
messages in the range 0 (Emergency) to 5 (Notice) inclusive.
Note that this filter value may be adjusted while syslogd is
running using the syslog command-line utility. See the syslog(1)
manual. The filter may be adjusted using the ``-c'' option, e.g.
sudo syslog -c syslogd -d
will set the filter to retain messages in the range 0 (Emergency)
to 7 (Debug).
-l Specifies an alternate path for loading plug-in modules. By
default, syslogd checks for plug-in modules in the directory
/usr/lib/asl.
-u Enables the ``udp_in'' module, configuring syslogd to act as a
network log message receiver. The server will receive messages
on the standard ``syslog'' UDP port. Note that this opens the
server to potential denial-of-service attacks, as a malicious
remote sender can flood the server with messages. The -u option
is equivalent to using the -udp_in 1 option.
The remaining options of the form -module_name {0|1} may be used to
disable (0) or enable (1) the action of several internal modules.
-asl_in The ``asl_in'' module receives log messages on the UNIX
domain socket associated with the asl(3) API. The module
may be disabled using -asl_in 0. The module is normally
enabled.
-asl_action The ``asl_action'' module examines the stream of received
log messages and acts upon them according to the rules
specified in the file /etc/asl.conf. See asl.conf(5) for
details.
-klog_in The ``klog_in'' module receives log messages on the UNIX
domain socket associated with the kernel logging API. The
module may be disabled using -klog_in 0. The module is
normally enabled.
-bsd_in The ``bsd_in'' module receives log messages on the UNIX
domain socket associated with the syslog(3) API. The module
may be disabled using -bsd_in 0. The module is normally
enabled.
-bsd_out The ``bsd_out'' module examines the stream of received log
messages and acts upon them according to the rules specified
in the file /etc/syslog.conf. See syslog.conf(5) for
details. This module exists for backward compatibility with
previous syslogd implementations. Apple encourages use of
the syslog(1) and asl(3) search APIs over the use of the log
files that are specified in the /etc/syslog.conf file.
Future versions of Mac OS will move functions that are
currently handled by the ``bsd_out'' module to the
``asl_action'' module.
-udp_in The ``udp_in'' module receives log messages on the UDP
socket associated with the Internet syslog message protocol.
The module may be enabled using -udp_in 1. The module is
normally disabled. This module may also be enabled using
the -u option.
syslogd initializes its built-in modules and loads plug-ins during its
start-up. The data store is pruned approximately 5 minutes after
startup.
syslogd reinitializes in response to a HUP signal.
FILES
/etc/syslog.conf       bsd_out module configuration file
/etc/asl.conf          asl_action module configuration file
/var/run/syslog.pid    process ID file
/var/run/log           name of the UNIX domain datagram log socket
/dev/klog              kernel log device
SEE ALSO
syslog(1), logger(1), asl(3), syslog(3), asl.conf(5), syslog.conf(5)
HISTORY
The syslogd utility appeared in 4.3BSD.
The Apple System Log facility was introduced in Mac OS X 10.4.
Mac OS X October 18, 2004 Mac OS X
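
The following shell function is an added example, not part of the man page or of Apple's tooling: it reads a syslogd command line and reports the effective udp_in, cutoff, prune and mark settings, using the defaults documented above, and flags the settings worth a second look. The function name, the output format, the sample command lines and the rule that a later option overrides an earlier one are assumptions.

```shell
#!/bin/sh
# Added example (not from the man page): report the effective settings of a
# syslogd command line, starting from the defaults the man page documents.

audit_syslogd_args() {
    a_udp=0; a_cut=5; a_prune=7; a_mark=20   # documented defaults
    set -f; set -- $1; set +f                # split the command line into words
    if [ $# -gt 0 ]; then shift; fi          # drop argv[0] (the syslogd path)
    while [ $# -gt 0 ]; do
        case "$1" in
            -u) a_udp=1 ;;                   # equivalent to -udp_in 1
            -d|-D) ;;                        # flags that take no value
            -*)                              # every other option takes one value
                if [ $# -lt 2 ]; then break; fi
                case "$1" in                 # assumption: the last occurrence wins
                    -udp_in) a_udp=$2 ;;
                    -c) a_cut=$2 ;;
                    -p) a_prune=$2 ;;
                    -m) a_mark=$2 ;;
                esac
                shift ;;
        esac
        shift
    done
    echo "udp_in=$a_udp cutoff=$a_cut prune_days=$a_prune mark_min=$a_mark"
    if [ "$a_udp" = 1 ]; then
        echo "WARN udp_in enabled: remote senders can flood the syslog UDP port"
    fi
    if [ "$a_cut" -lt 5 ]; then
        echo "WARN cutoff $a_cut: levels above $a_cut are not kept in the data store"
    fi
    if [ "$a_prune" = 0 ]; then
        echo "NOTE prune_days 0: data store is not pruned at startup"
    fi
    if [ "$a_mark" = 0 ]; then
        echo "NOTE mark interval 0: mark messages disabled"
    fi
    return 0
}

# Constructed sample command lines (not captured from a real host).
audit_syslogd_args "/usr/sbin/syslogd"
audit_syslogd_args "/usr/sbin/syslogd -c 3 -p 0 -udp_in 1"
```

On a live host, pass it the syslogd line from the process list or the arguments from the launchd job that starts the daemon.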
