Thursday, November 10, 2011

OS X logging: asl.conf, syslog.conf, syslog master filters and log rotation

The Apple syslog daemon, syslogd (launched via /System/Library/LaunchDaemons/com.apple.syslogd.plist), takes configuration from 3 different sources *groan*.

asl.conf


asl.conf (the Apple System Log configuration file) controls what data is stored in the ASL binary databases under /private/var/log/asl. It is powerful and covers everything from filtering:
# save everything from emergency to notice
? [<= Level notice] store

to access control. This rule restricts read access to uid 0 (root) and gid 80 (admin):
# authpriv messages are root/admin readable
? [= Facility authpriv] access 0 80

syslog.conf


In addition to, and independently of, asl.conf, syslogd also reads syslog.conf, which is the familiar Unix/Linux/BSD-style syslog configuration file. This lets you write the same log lines to plaintext log files in /var/log (or wherever) that ASL also stores in binary form as above.

syslogd is responsible for writing both the ASL databases and the regular /var/log files, which you can see with lsof:
$ sudo lsof | grep syslog
[snip]
syslogd   65475           root    9w      REG                1,4   13178158  344319 /private/var/log/system.log
syslogd   65475           root   10w      REG                1,4       5884 3055612 /private/var/log/secure.log
syslogd   65475           root   11w      REG                1,4    1093081 3029374 /private/var/log/debug.log
syslogd   65475           root   12u      REG                1,4     170227 3024189 /private/var/log/asl/2013.01.03.U0.G80.asl
syslogd   65475           root   13u      REG                1,4    2204298 3024190 /private/var/log/asl/2013.01.03.G80.asl
You can see that syslogd writes into /private/var/log/system.log, which is hard-linked to /var/log/system.log (same inode):
$ ls -lai /var/log/system.log 
344319 -rw-r--r--+ 1 root  admin  13192052 Jan  3 14:29 /var/log/system.log
$ ls -lai /private/var/log/system.log 
344319 -rw-r--r--+ 1 root  admin  13192052 Jan  3 14:29 /private/var/log/system.log

Syslog master filters


As if that wasn't enough, the syslog daemon itself also has a global master filter rule, which you can inspect with:

$ syslog -c 0
Master filter mask: Debug

AND you can set per-process filters:
$ syslog -c syslogd
ASL Data Store filter mask: Emergency - Debug

Reading logs


To read ASL logs, just use the syslog command, which comes with some nifty filtering of its own. For example, this command shows log lines sent by login in the past 2 hours:
syslog -k Sender login -k Time ge -2h

To help you formulate queries like the one above, you can see the raw key/value pairs of each message with:
syslog -F raw
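As an added illustration (not part of the original post), here is a small Python parser for the bracketed key/value layout that syslog -F raw prints, with a filter that reproduces the "Sender login, Time ge -2h" query above. The three sample messages and the fixed "now" are constructed, and the assumption that a literal ']' inside a value is escaped as '\]' is mine, not something the post states.

```python
import re
import time

# Constructed sample of what `syslog -F raw` prints: one message per line,
# each ASL property as "[Key value]".  Time is seconds since the epoch; the
# example assumes a literal ']' inside a value is escaped as '\]'.
NOW = 1325598141  # fixed "current" time so the example is deterministic

SAMPLE_RAW = "\n".join([
    f"[ASLMessageID 1001] [Time {NOW - 600}] [Level 5] [PID 120] [UID 0] [Host mac] "
    f"[Sender login] [Facility authpriv] [Message USER_PROCESS: 120 ttys000]",
    f"[ASLMessageID 1002] [Time {NOW - 60}] [Level 5] [PID 121] [UID 0] [Host mac] "
    f"[Sender sshd] [Facility auth] [Message Accepted publickey for alice]",
    f"[ASLMessageID 1003] [Time {NOW - 3 * 3600}] [Level 5] [PID 122] [UID 0] [Host mac] "
    f"[Sender login] [Facility authpriv] [Message USER_PROCESS: 122 ttys001]",
])

# "[Key value]" where the value may contain backslash-escaped characters.
PROP_RE = re.compile(r"\[([^\s\]]+) ((?:\\.|[^\]\\])*)\]")

# Relative time suffixes accepted by `syslog -k Time ge -2h` style queries.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_raw(text):
    """Turn each raw line into a dict of ASL key -> string value."""
    messages = []
    for line in text.splitlines():
        props = {k: v.replace("\\]", "]") for k, v in PROP_RE.findall(line)}
        if props:
            messages.append(props)
    return messages


def relative_seconds(spec):
    """'-2h' -> -7200: the relative time syntax the Time key accepts."""
    m = re.fullmatch(r"([+-])(\d+)([smhdw])", spec)
    if not m:
        raise ValueError("bad relative time: %r" % spec)
    sign, n, unit = m.groups()
    secs = int(n) * UNITS[unit]
    return -secs if sign == "-" else secs


def query(messages, sender=None, time_ge=None, now=None):
    """Equivalent of: syslog -k Sender <sender> -k Time ge <time_ge>."""
    now = time.time() if now is None else now
    cutoff = now + relative_seconds(time_ge) if time_ge else None
    hits = []
    for msg in messages:
        if sender is not None and msg.get("Sender") != sender:
            continue
        if cutoff is not None and int(msg.get("Time", "0")) < cutoff:
            continue
        hits.append(msg)
    return hits


if __name__ == "__main__":
    for hit in query(parse_raw(SAMPLE_RAW), sender="login", time_ge="-2h", now=NOW):
        print(hit["ASLMessageID"], hit["Sender"], hit["Message"])
```

The point of the exercise is that every `-k` term is just a comparison on one of the raw keys, so once you can see the keys with -F raw you can build the matching query directly.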

There is a gotcha in the default Apple configuration, which has lines like:
# redirect com.apple.message.domain to /var/log/DiagnosticMessages
? [T com.apple.message.domain] store_dir /var/log/DiagnosticMessages

# redirect com.apple.performance* messages to /var/log/performance
? [A= Facility com.apple.performance] store_dir /var/log/performance

# redirect com.apple.eventmonitor* messages to /var/log/eventmonitor
? [A= Facility com.apple.eventmonitor] store_dir /var/log/eventmonitor

This means just using the syslog command as above doesn't give you all the logs; anything redirected to another store, including stuff like Apple software updates, is missing (this search returns nothing):
$ syslog  | grep 'downloading "Thunderbolt Software Update, 1.0"'
To look at the DiagnosticMessages store, point syslog at it with -d:
$ syslog -d /var/log/DiagnosticMessages/ | grep 'downloading "Thunderbolt Software Update, 1.0"'
Software Update[1865] : SWU: downloading "Thunderbolt Software Update, 1.0"
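So that a search never silently skips a redirected store, here is an added Python example (not from the original post) that reads asl.conf, collects every store_dir target, and builds one syslog invocation per store. The asl.conf excerpt is constructed from the lines quoted in this post, and the parser only understands the "? [conditions] action args" rule form shown here, not the full asl.conf grammar.

```python
import re

# Constructed excerpt of /etc/asl.conf built from the rules quoted in the
# post: query lines start with '?', the bracketed terms are the match
# conditions and the remainder is the action plus its arguments.
SAMPLE_ASL_CONF = """\
# save everything from emergency to notice
? [<= Level notice] store

# authpriv messages are root/admin readable
? [= Facility authpriv] access 0 80

# redirect com.apple.message.domain to /var/log/DiagnosticMessages
? [T com.apple.message.domain] store_dir /var/log/DiagnosticMessages

# redirect com.apple.performance* messages to /var/log/performance
? [A= Facility com.apple.performance] store_dir /var/log/performance

# redirect com.apple.eventmonitor* messages to /var/log/eventmonitor
? [A= Facility com.apple.eventmonitor] store_dir /var/log/eventmonitor
"""

DEFAULT_STORE = "/var/log/asl"  # where plain `store` rules land, per the post

# "? [cond] [cond]... action args..."
QUERY_LINE = re.compile(r"^\?\s*((?:\[[^\]]*\]\s*)+)(\S+)\s*(.*)$")


def parse_queries(text):
    """Return (conditions, action, args) for each '?' rule in asl.conf."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = QUERY_LINE.match(line)
        if not m:
            continue  # directives other than '?' rules are out of scope here
        conds = re.findall(r"\[([^\]]*)\]", m.group(1))
        rules.append((conds, m.group(2), m.group(3).split()))
    return rules


def store_dirs(text):
    """Every ASL data store a complete search must cover: default plus each store_dir target."""
    dirs = [DEFAULT_STORE]
    for _conds, action, args in parse_queries(text):
        if action == "store_dir" and args and args[0] not in dirs:
            dirs.append(args[0])
    return dirs


def query_commands(text, *syslog_args):
    """One syslog(1) argv per store, e.g. query_commands(conf, "-k", "Sender", "login")."""
    cmds = []
    for d in store_dirs(text):
        argv = ["syslog"]
        if d != DEFAULT_STORE:
            argv += ["-d", d]  # -d selects an alternate store directory
        argv += list(syslog_args)
        cmds.append(argv)
    return cmds


if __name__ == "__main__":
    for argv in query_commands(SAMPLE_ASL_CONF, "-k", "Sender", "login"):
        print(" ".join(argv))
```

Feeding the real /etc/asl.conf into store_dirs() and running each generated command (or wiring the list into subprocess) is the simplest way to be sure an incident timeline built from ASL is not missing a whole category of messages.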

To read the BSD logs just go look at the files in /var/log.

Log Rotation


Regular (non-ASL, plaintext) log rotation is configured in /etc/newsyslog.conf, with lines that look like this (i.e. completely different from Linux's /etc/logrotate.d):
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/appfirewall.log  640  5     1000 *     J

See the newsyslog.conf man page for the details.
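As an added example (not part of the post), a Python parser for newsyslog.conf entries in the layout shown above, including the optional owner:group field, which is recognised by its colon, and the trailing optional flags, pid_file and sig_num fields, plus a small audit that flags world-readable log files and entries that nothing ever triggers to rotate. The sample configuration is constructed; size is in kilobytes as in the man page.

```python
# Constructed excerpt in /etc/newsyslog.conf layout:
# logfilename [owner:group] mode count size when [flags] [/pid_file] [sig_num]
SAMPLE_NEWSYSLOG_CONF = """\
# logfilename          [owner:group]    mode count size when  flags [/pid_file] [sig_num]
/var/log/appfirewall.log  640  5     1000 *     J
/var/log/secure.log       640  7     250  *     J
/var/log/wifi.log         644  7     *    $D0   J
/var/log/example.log  root:admin  644  3  *  *  Z /var/run/example.pid 30
"""


def parse_newsyslog(text):
    """Parse each non-comment line into a dict; optional fields become None/''."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        name = tok.pop(0)
        if len(tok) < 4:
            raise ValueError("too few fields: %r" % line)
        # owner:group is optional and is the only field that contains a colon
        owner = tok.pop(0) if ":" in tok[0] else None
        mode = int(tok.pop(0), 8)          # octal file mode
        count = int(tok.pop(0))            # archived copies to keep
        size_tok = tok.pop(0)              # size trigger in kilobytes, '*' = none
        size = None if size_tok == "*" else int(size_tok)
        when = tok.pop(0)                  # time trigger, '*' = none
        # flags are letters; pid_file starts with '/'; sig_num is digits
        flags = ""
        if tok and not tok[0].startswith("/") and not tok[0].isdigit():
            flags = tok.pop(0)
        pid_file = tok.pop(0) if tok and tok[0].startswith("/") else None
        sig_num = int(tok.pop(0)) if tok and tok[0].isdigit() else None
        entries.append({
            "name": name, "owner": owner, "mode": mode, "count": count,
            "size": size, "when": when, "flags": flags,
            "pid_file": pid_file, "sig_num": sig_num,
        })
    return entries


def audit(entries):
    """Findings worth a second look: world-readable logs and logs with no rotation trigger."""
    findings = []
    for e in entries:
        if e["mode"] & 0o004:
            findings.append((e["name"], "world-readable (mode %o)" % e["mode"]))
        if e["size"] is None and e["when"] == "*":
            findings.append((e["name"], "no rotation trigger: size and when are both '*'"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(parse_newsyslog(SAMPLE_NEWSYSLOG_CONF)):
        print(name, "-", problem)
```

Run it over the real /etc/newsyslog.conf to check that security-relevant logs such as secure.log and appfirewall.log keep a restrictive mode after rotation and actually have a size or time trigger; the mode column is what newsyslog applies to the freshly created file, so a permissive value there silently undoes a tighter mode set by hand.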

ASL log rotation is handled by aslmanager and configured with directives in asl.conf. See the asl.conf and aslmanager man pages.
