From another thread here on Stack Exchange, I have discovered that it's pretty easy to enable syslogd on Lion or Mountain Lion to accept incoming connections.
cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
sudo launchctl unload com.apple.syslogd.plist
sudo launchctl load com.apple.syslogd.plist
The issue I have, however, is that when my router is sending messages to syslogd, they come up in the Console on OS X as coming from Unknown, e.g.:
5/3/13 9:19:40.000 AM Unknown[-1]: [WAN-IN-6-A]IN=eth2 OUT=eth0 SRC=141.133.142.260 DST=10.0.00.10 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=30298 DF PROTO=TCP SPT=60553 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Whereas a log message from the local machine specifies a sender: 5/3/13 7:38:20.155 AM kdc[67]: LKDC referral to the real LKDC realm name
Running tcpdump on the remote log host shows that the messages are being sent with more information than is shown in Console:
router.example.com.38236 > server.example.com.syslog: SYSLOG, length: 258
Facility kernel (0), Severity warning (4)
Msg: May 3 09:12:39 router kernel: [WAN-LOCAL-default-D]IN=eth2 OUT= MAC=dc:ca:fe:ba:be:17:00:21:a0:ce:66:d9:07:00 SRC=86.86.123.381 DST=130.168.365.128 LEN=60 TOS=0x00 PREC=0x00 TTL=39 ID=26555 DF PROTO=TCP SPT=46635 DPT=62615 WINDOW=5840 RES=0x00 SYN URGP=0
09:12:45.557613 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 286)
Can anyone direct me to how to configure syslog on OS X Mountain Lion server to recognise the sender in incoming log messages and categorise them appropriately?
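For anyone comparing what Console shows with what actually arrives on the wire, here is an added example (not part of the question, and not Apple's syslogd code) that parses a BSD-style syslog datagram of the kind the tcpdump output above decodes. The sample datagram is constructed from that tcpdump text: the `<4>` priority is the facility 0 / severity 4 pair tcpdump reported, and the odd-looking IP addresses are simply the values in the question, treated as opaque strings. It shows that the sending host name ("router") and the firewall rule tag are both carried inside the datagram, so a receiver that keeps the header can attribute and categorise messages by host, facility, severity and rule rather than filing everything under Unknown.

```python
"""Parse RFC 3164 (BSD) syslog datagrams such as the router's firewall log lines.

Added illustration, not code from the question or from OS X syslogd.
Standard library only, so it runs offline.
"""
import re
from typing import Dict

# RFC 3164 facility codes 0-23 and severity codes 0-7.
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD TIMESTAMP ("Mmm dd hh:mm:ss", day padded with a space or not) then HOSTNAME.
_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)
# TAG[pid]: message
_TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?: ?(.*)$", re.DOTALL)
# Netfilter-style log prefix in square brackets, e.g. "[WAN-LOCAL-default-D]".
_RULE_RE = re.compile(r"^(\[[^\]]*\])\s*(.*)$", re.DOTALL)

# Constructed from the tcpdump output in the question: PRI <4> = kernel.warning.
SAMPLE = ("<4>May 3 09:12:39 router kernel: [WAN-LOCAL-default-D]IN=eth2 OUT= "
          "MAC=dc:ca:fe:ba:be:17:00:21:a0:ce:66:d9:07:00 SRC=86.86.123.381 DST=130.168.365.128 "
          "LEN=60 TOS=0x00 PREC=0x00 TTL=39 ID=26555 DF PROTO=TCP SPT=46635 DPT=62615 "
          "WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_syslog(datagram: str) -> Dict[str, object]:
    """Split one datagram into PRI, header, tag and (for firewall lines) KEY=VALUE fields."""
    rec: Dict[str, object] = {
        "facility": None, "severity": None, "timestamp": None, "hostname": None,
        "tag": None, "pid": None, "rule": None, "fields": {}, "flags": [], "message": "",
    }

    # PRI: <facility*8 + severity>. RFC 3164 4.3.3 says a message without a
    # valid PRI is to be treated as <13> (user.notice).
    m = _PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), datagram[m.end():]
    else:
        pri, rest = 13, datagram
    rec["facility"] = FACILITIES[pri >> 3]
    rec["severity"] = SEVERITIES[pri & 7]

    # HEADER: timestamp and the originating host name. This is the field that
    # identifies the sender; the tcpdump capture shows it is present on the wire.
    h = _HEADER_RE.match(rest)
    if h:
        rec["timestamp"], rec["hostname"], body = h.groups()
    else:
        body = rest

    # MSG: "tag[pid]: text". Local OS X lines look like "kdc[67]: ...".
    t = _TAG_RE.match(body)
    if t:
        rec["tag"] = t.group(1)
        rec["pid"] = int(t.group(2)) if t.group(2) else None
        body = t.group(3)
    rec["message"] = body

    # Firewall-style payload: optional "[rule]" prefix, then KEY=VALUE tokens and
    # bare flag tokens such as DF or SYN. "OUT=" yields an empty value.
    r = _RULE_RE.match(body)
    if r:
        rec["rule"], body = r.groups()
    fields: Dict[str, str] = rec["fields"]  # type: ignore[assignment]
    flags: list = rec["flags"]  # type: ignore[assignment]
    for tok in body.split():
        key, eq, value = tok.partition("=")
        if eq:
            fields[key] = value
        else:
            flags.append(tok)
    return rec


def summarize(datagram: str) -> str:
    """One-line, Console-style summary that keeps the sender instead of 'Unknown'."""
    rec = parse_syslog(datagram)
    host = rec["hostname"] or "Unknown"
    fields = rec["fields"]
    conn = ""
    if "SRC" in fields and "DST" in fields:
        conn = f" {fields['SRC']}:{fields.get('SPT', '?')} -> {fields['DST']}:{fields.get('DPT', '?')}"
    return f"{host} {rec['tag'] or '-'} {rec['facility']}.{rec['severity']} {rec['rule'] or ''}{conn}".strip()


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

`parse_syslog` deliberately tolerates the cases a real feed produces: a datagram with no `<PRI>` (defaulted to user.notice as RFC 3164 prescribes), a message with no BSD header (hostname stays `None`), and a tag without a PID. The `rule` and `fields` keys are only populated for Netfilter-style lines like the router's, so the same function can be run over the local `kdc[67]:` messages without special-casing.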