OS X Lion as a syslog server

From MikroTik Wiki

This article explains how to use Mac OS X Lion (and possibly earlier versions) as a syslog server for RouterOS.

First, prepare the built-in syslog daemon (syslogd) to add a listener on the network; by default it only listens on a local UNIX domain socket. The full article is here. The first command below keeps a backup copy of the launchd plist in /tmp, the second converts the plist from binary to XML so it can be edited by hand.

sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist /tmp/com.apple.syslogd.plist 
sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist 
sudo vim /System/Library/LaunchDaemons/com.apple.syslogd.plist

Add this to the "Sockets" section:

<key>NetworkListener</key>
<dict>
	<key>SockServiceName</key>
	<string>syslog</string>
	<key>SockType</key>
	<string>dgram</string>
</dict>

OS X can use normal log files like any BSD, but it also comes with a built-in data store for log messages. More information can be found here. Data stores are fast, log rotation comes built in, and they are indexed and quickly searchable. I like my network syslog files routed to a separate data store. Data store routing is configured in /etc/asl.conf. Filtering can be done on a number of fields; the simplest one is "Host", which will be the router name taken from "/system identity". The "Sender" field is taken from the prefix configured under "/system logging" for the topic. I store my network syslog messages in /var/log/network, in data stores named by date. The directory has to exist; the commands below create it with read access for everyone at the directory level (everyone can list the files):

sudo mkdir /var/log/network
sudo chown root:staff /var/log/network
sudo chmod 0755 /var/log/network

The line below routes all messages from hosts whose host name starts with "rb" to the directory created above. The UID for the files will be 0 (root); the GID will be 20, which matches the 'staff' group that all users are a member of by default. This lets anyone search the network log files; adjust the UID and GID as required if you need tighter security. The line is added to /etc/asl.conf to achieve this.

sudo vim /etc/asl.conf
? [A= Host rb] store_directory /var/log/network uid=0 gid=20 mode=0644

And finally restart the syslog daemon to have all the changes take effect.

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Then configure the routers to log to the IP address of the OS X machine; an example is below. Note that in RouterOS 5.x the src-address must be set. This is best set to a loopback address (loopbacks are emulated by creating an empty bridge without any ports assigned to it and configuring an IP address on that bridge interface).

/system logging action
set remote bsd-syslog=yes name=remote remote=1.1.1.1 remote-port=514 \
   src-address=2.2.2.2 syslog-facility=local7 syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix=rb433 topics=system,info
add action=remote disabled=no prefix=rb433 topics=warning
add action=remote disabled=no prefix=rb433 topics=critical
add action=remote disabled=no prefix=rb433 topics=error,!ospf,!route
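To make the Host/Sender mapping and the asl.conf prefix match concrete, the following is an added example (not code from the wiki page or from MikroTik): it parses RFC 3164 lines as a router with the prefix "rb433" and facility local7 would send them, and applies the "? [A= Host rb] store_directory ..." rule with a simplified model of ASL matching. The sample lines are constructed, the router identities "rb433-core" and "office-rb" are assumed, and /var/log/asl stands in for the default data store.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not a real capture). local7 is facility 23,
# so PRI = 23*8 + severity: 190 = info, 188 = warning, 187 = err.
SAMPLE_LINES = [
    "<190>Mar 10 12:00:01 rb433-core rb433: system,info,account user admin logged in from 10.0.0.5 via winbox",
    "<188>Mar 10 12:00:02 rb433-core rb433: system,warning ntp change time Mar/10/2012 12:00:02 => Mar/10/2012 12:00:05",
    "<187>Mar 10 12:00:03 office-rb rb433: system,error,critical login failure for user admin from 10.0.0.9 via ssh",
]

FACILITY_NAMES = {0: "kern", 1: "user", 16: "local0", 23: "local7"}  # subset
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG: MSG  -- HOSTNAME is the router's /system identity,
# TAG is the prefix from /system logging (ASL "Host" and "Sender" respectively).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<sender>[^:\s]+): ?(?P<msg>.*)$"
)

@dataclass
class AslMessage:
    facility: str
    severity: str
    host: str      # ASL "Host"   <- RouterOS /system identity
    sender: str    # ASL "Sender" <- RouterOS logging prefix
    message: str

def parse_bsd_syslog(line: str) -> AslMessage:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # max facility 23, max severity 7
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return AslMessage(FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev],
                      m["host"], m["sender"], m["msg"])

# Simplified model of one asl.conf rule: '? [A= Key prefix] store_directory DIR ...'
# ('A=' is the prefix-match operator). Real asl.conf supports many more forms.
RULE_RE = re.compile(r"^\?\s+\[A=\s+(?P<key>\w+)\s+(?P<prefix>\S+)\]\s+store_directory\s+(?P<dir>\S+)")

def route(msg: AslMessage, rule: str, default_dir: str = "/var/log/asl") -> str:
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    value = getattr(msg, m["key"].lower())  # "Host" -> msg.host, "Sender" -> msg.sender
    return m["dir"] if value.startswith(m["prefix"]) else default_dir
```

The third line has the prefix "rb433" but an identity that does not start with "rb", so the rule from the page leaves it in the default store; matching on the prefix instead would need "[A= Sender rb]".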

On the OS X server you can then display all log messages via the syslog command, see the man page for syslog for details.