Enable Remote Logging on Mac OS X
Background
It is often desirable to collect the system logs from various devices onto a central “logging host”. This can simplify monitoring needs considerably as tools and scripts need only work on a single host. It also provides some security benefits as hackers will have a harder time masking their activities if they do not have access to the logging host.
On Mac OS X, the logging daemon (the Unix standard syslogd utility) can both write local logs and receive logs from remote hosts. The ability to receive remote logs is turned off in the default installation, but enabling it is a trivial task.
Setup
- Log in as administrator to the logging host
- Open a terminal session using the Terminal utility
- Navigate to the LaunchDaemons directory
    cd /System/Library/LaunchDaemons
- Edit the com.apple.syslogd.plist file
    sudo vi com.apple.syslogd.plist
- Remove the comment delimiters (<!-- and -->) surrounding the NetworkListener block
    <!--
    <key>NetworkListener</key>
    <dict>
        <key>SockServiceName</key>
        <string>syslog</string>
        <key>SockType</key>
        <string>dgram</string>
    </dict>
    -->
- Stop the currently running instance of the syslog daemon
    sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
- Restart the syslog daemon to pick up the changes in the LaunchDaemon configuration
    sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
The logging facility on the log host should now be available for remote devices to use.
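One way to confirm the edit took effect, as an added example that is not part of the original page: the script below parses the plist and reports whether an uncommented NetworkListener block is present, and can send a single test line to the log host. The function names, the embedded sample plist (constructed, with assumed nesting) and the use of UDP port 514 (the standard port for the syslog service) are assumptions of this example.

```python
import plistlib
import socket

# Constructed sample input: a trimmed-down plist. The nesting under "Sockets"
# is an assumption; find_key() below does not depend on it.
LISTENER = b"""<key>NetworkListener</key>
<dict>
  <key>SockServiceName</key><string>syslog</string>
  <key>SockType</key><string>dgram</string>
</dict>"""
TEMPLATE = (b'<plist version="1.0"><dict><key>Label</key>'
            b'<string>com.apple.syslogd</string>'
            b'<key>Sockets</key><dict>%s</dict></dict></plist>')
SAMPLE_ENABLED = TEMPLATE % LISTENER
SAMPLE_COMMENTED = TEMPLATE % (b"<!-- " + LISTENER + b" -->")

def find_key(node, name):
    """Depth-first search for a dict key anywhere in the parsed plist."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = find_key(child, name)
        if hit is not None:
            return hit
    return None

def remote_logging_enabled(plist_bytes):
    """True only if an uncommented NetworkListener (syslog/dgram) exists."""
    # The XML parser drops comments, so a commented-out block is simply absent.
    listener = find_key(plistlib.loads(plist_bytes), "NetworkListener")
    return (isinstance(listener, dict)
            and listener.get("SockServiceName") == "syslog"
            and listener.get("SockType") == "dgram")

def send_test_message(host, port=514, text="remote logging test"):
    """Send one UDP syslog line; <14> is facility user, severity info."""
    msg = "<14>logtest: " + text
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg.encode("ascii"), (host, port))
    return msg

if __name__ == "__main__":
    print("enabled sample:  ", remote_logging_enabled(SAMPLE_ENABLED))
    print("commented sample:", remote_logging_enabled(SAMPLE_COMMENTED))
```

To check a real host, pass the bytes of /System/Library/LaunchDaemons/com.apple.syslogd.plist to remote_logging_enabled(), then call send_test_message() from a remote device with the log host's address and look for the "logtest" line in the log host's system log.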