The Apple syslog daemon (/System/Library/LaunchDaemons/com.apple.syslogd.plist) takes configuration from 3 different sources *groan*.
asl.conf
asl.conf (the Apple syslog configuration file) controls what data is stored in the Apple syslog binary databases under /private/var/log/asl. It is powerful and allows everything from filtering:
# save everything from emergency to notice
? [<= Level notice] store
to access control. This restricts read access to uid 0 (root) and gid 80 (admin):
# authpriv messages are root/admin readable
? [= Facility authpriv] access 0 80
syslog.conf
In addition to, and independently of, asl.conf, syslogd also reads syslog.conf, which is the familiar Unix/Linux/BSD-style syslog configuration file. This allows you to write the same log lines that asl stores in binary form (as above) to plaintext log files in /var/log (or wherever).
syslogd is responsible for writing both the asl and regular /var/log files, which you can see with lsof:
$ sudo lsof | grep syslog
[snip]
syslogd 65475 root 9w REG 1,4 13178158 344319 /private/var/log/system.log
syslogd 65475 root 10w REG 1,4 5884 3055612 /private/var/log/secure.log
syslogd 65475 root 11w REG 1,4 1093081 3029374 /private/var/log/debug.log
syslogd 65475 root 12u REG 1,4 170227 3024189 /private/var/log/asl/2013.01.03.U0.G80.asl
syslogd 65475 root 13u REG 1,4 2204298 3024190 /private/var/log/asl/2013.01.03.G80.asl
You can see that syslogd writes into /private/var/log/system.log, which is hard-linked to /var/log/system.log (same inode):
$ ls -lai /var/log/system.log
344319 -rw-r--r--+ 1 root admin 13192052 Jan 3 14:29 /var/log/system.log
$ ls -lai /private/var/log/system.log
344319 -rw-r--r--+ 1 root admin 13192052 Jan 3 14:29 /private/var/log/system.log
Syslog master filters
As if that wasn't enough, the syslog daemon itself also has a global master filter rule, which you can inspect with:
$ syslog -c 0
Master filter mask: Debug
AND you can set per-process filters:
$ syslog -c syslogd
ASL Data Store filter mask: Emergency - Debug
Reading logs
To read asl logs, just use the syslog command. It actually comes with some nifty filtering of its own. For example, this command shows log lines sent by login for the past 2 hours:
syslog -k Sender login -k Time ge -2h
To help you formulate queries like the above, you can see the raw key-value pairs using:
syslog -F raw
There is a gotcha in the default Apple configuration, which has lines like:
# redirect com.apple.message.domain to /var/log/DiagnosticMessages
? [T com.apple.message.domain] store_dir /var/log/DiagnosticMessages
# redirect com.apple.performance* messages to /var/log/performance
? [A= Facility com.apple.performance] store_dir /var/log/performance
# redirect com.apple.eventmonitor* messages to /var/log/eventmonitor
? [A= Facility com.apple.eventmonitor] store_dir /var/log/eventmonitor
This means that just using the syslog command as above doesn't give you all the logs; it misses stuff like Apple updates:
$ syslog | grep 'downloading "Thunderbolt Software Update, 1.0"'
To look at the DiagnosticMessages log use:
$ syslog -d /var/log/DiagnosticMessages/ | grep 'downloading "Thunderbolt Software Update, 1.0"'
Software Update[1865] : SWU: downloading "Thunderbolt Software Update, 1.0"
To read the BSD logs just go look at the files in /var/log.
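One way to avoid the store_dir gotcha is to read the store directories out of asl.conf and query each of them. This is an added example, not part of the original post: the function names and the embedded sample config (constructed from the rules quoted above) are hypothetical, and it assumes the action is the first word after the last "]" on a "?" line.

```shell
#!/bin/sh
# Added example: list every ASL store named in an asl.conf so that none is
# missed when searching. Function names are hypothetical.

# Constructed sample config, built from the rules quoted in this post
# (one trailing slash added to show path normalisation).
sample_asl_conf() {
    cat <<'EOF'
# save everything from emergency to notice
? [<= Level notice] store
# authpriv messages are root/admin readable
? [= Facility authpriv] access 0 80
? [T com.apple.message.domain] store_dir /var/log/DiagnosticMessages
? [A= Facility com.apple.performance] store_dir /var/log/performance
? [A= Facility com.apple.eventmonitor] store_dir /var/log/eventmonitor/
# ? [= Sender example] store_dir /var/log/commented-out
EOF
}

# Print the default store plus each store_dir target, one per line.
# Assumption: the action is the first word after the last "]" on a "?" line.
asl_store_dirs() {
    asd_conf=$1
    {
        echo /private/var/log/asl
        awk '/^[ \t]*\?/ {
                 line = $0
                 sub(/^.*\][ \t]*/, "", line)   # drop "? [query] ..." prefix
                 n = split(line, tok)
                 if (n >= 2 && tok[1] == "store_dir") print tok[2]
             }' "$asd_conf"
    } | sed 's:/*$::' | awk '!seen[$0]++'
}

# Run the post's "syslog -d DIR | grep" over every store that exists.
asl_search_all() {
    asa_conf=$1 asa_pattern=$2
    asl_store_dirs "$asa_conf" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        syslog -d "$dir" | grep -- "$asa_pattern" | sed "s|^|$dir: |"
    done
}

# Demo on the constructed sample (only parses text, so it runs anywhere).
demo_conf=$(mktemp)
sample_asl_conf > "$demo_conf"
asl_store_dirs "$demo_conf"
rm -f "$demo_conf"
```

On a Mac, asl_search_all /etc/asl.conf 'SWU: downloading' then searches the default store and every store_dir directory in one pass, prefixing each hit with the store it came from.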
Log Rotation
Regular (non-asl binary) log rotation configuration is in /etc/newsyslog.conf and has configuration lines that look like this (i.e. completely different from Linux /etc/logrotate.d):
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/appfirewall.log 640 5 1000 * J
See the newsyslog.conf man page for the details.
ASL log rotation is handled by aslmanager, and configured with directives in asl.conf. See the asl.conf and aslmanager man pages.