
From another thread here on Stack Exchange, I have discovered that it's pretty easy to enable syslogd on Lion or Mountain Lion to accept incoming connections.

    cd /System/Library/LaunchDaemons
    sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
    sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
    sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
    sudo launchctl unload com.apple.syslogd.plist
    sudo launchctl load com.apple.syslogd.plist

The issue I have, however, is that when my router sends messages to syslogd, they show up in the Console on OS X as coming from Unknown, e.g.:

    5/3/13 9:19:40.000 AM Unknown[-1]: [WAN-IN-6-A]IN=eth2 OUT=eth0 SRC=141.133.142.260 DST=10.0.00.10 LEN=64 TOS=0x00 PREC=0x00 TTL=53 ID=30298 DF PROTO=TCP SPT=60553 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Whereas a log message from the local machine specifies a sender:

    5/3/13 7:38:20.155 AM kdc[67]: LKDC referral to the real LKDC realm name

Running tcpdump on the remote log host shows that the messages are being sent with more information than is shown in Console:

    09:12:45.557613 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 286)
        router.example.com.38236 > server.example.com.syslog: SYSLOG, length: 258
        Facility kernel (0), Severity warning (4)
        Msg: May  3 09:12:39 router kernel: [WAN-LOCAL-default-D]IN=eth2 OUT= MAC=dc:ca:fe:ba:be:17:00:21:a0:ce:66:d9:07:00 SRC=86.86.123.381 DST=130.168.365.128 LEN=60 TOS=0x00 PREC=0x00 TTL=39 ID=26555 DF PROTO=TCP SPT=46635 DPT=62615 WINDOW=5840 RES=0x00 SYN URGP=0

Can anyone direct me to how to configure syslog on OS X Mountain Lion server to recognise the sender in incoming log messages and categorise them appropriately?

1 Answer

I guess it's too late for the OP, but I can report on my recent experience with OS X 10.10 Yosemite.

Looks like you can NOT configure syslogd in OS X to directly recognise the sender. In fact, once the log messages have been received into ASL (Apple System Log), the only way to recognise them is that they have some nonsensical keys: PID is 0xFFFFFFFF+1, GID and UID are 0xFFFFFFFF+2. Of course, that anomaly allows you to indirectly recognise the UDP messages, so you can just grab the ones with such keys. But you still won't be able to tell apart log messages coming from 2 different UDP sources.

Could we do something to the messages before they get into ASL? I have not found any way, and I don't think there is a possibility, because the debug mode in syslogd/ASL shows that the message parsing is already done by an ASL function.

Note that I did my tests using a DD-WRT router (which runs Linux) as the UDP syslog source, and I did not try checking the contents of the UDP packets directly; so it could be that the problem is in DD-WRT sending malformed packets. ... though I doubt it.

Also, I would say that OS X's syslogd/ASL is rather complicated and buggy (I sent a bug report already). So I would recommend passing on them and trying syslog-ng. That will be my next step.

In case you still want to try with OS X's syslogd, I wrote up the whole setup on my blog, including how to dump all the UDP-incoming messages into their own auto-rotated log file.
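The tcpdump capture in the question shows that the router's datagram does carry a sender: the BSD-syslog (RFC 3164) framing `<PRI>TIMESTAMP HOSTNAME TAG: MSG`, which Console on OS X drops. The answer adds that ASL cannot tell two UDP sources apart either. The following is an added example, not code from the question, the answer, or Apple's syslogd: a small parser for that framing plus a receiver that records the UDP peer address next to the parsed fields. The sample datagram is constructed from the `Msg:` line in the capture (abbreviated); the function and field names are my own. Note that the HOSTNAME field is supplied by whoever sent the datagram, so a collector that needs to attribute lines reliably should keep the peer address as well rather than trust the payload alone.

```python
"""Parse BSD-syslog (RFC 3164) UDP datagrams and recover the sender fields."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Facility and severity names in the style tcpdump prints them.
FACILITY_NAMES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]+)(?:\[(\d+)\])?: ?(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    tag: Optional[str]
    pid: Optional[int]
    message: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_datagram(data: bytes) -> SyslogMessage:
    """Split one datagram into PRI, TIMESTAMP, HOSTNAME, TAG[PID] and MSG."""
    text = data.decode("utf-8", errors="replace").rstrip("\r\n\0")
    pri = 13  # RFC 3164 default (user.notice) when PRI is missing or out of range
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        text = text[m.end():]
    timestamp = hostname = tag = None
    pid = None
    m = TS_RE.match(text)
    if m:
        timestamp = m.group(1)
        text = text[m.end():]
        # HOSTNAME follows the timestamp; a token shaped like a TAG ("kernel:",
        # "su[12]:") means the sender left HOSTNAME out, so keep it as content.
        head, _, rest = text.partition(" ")
        if rest and not head.endswith(":") and "[" not in head:
            hostname, text = head, rest
    m = TAG_RE.match(text)
    if m:
        tag = m.group(1)
        pid = int(m.group(2)) if m.group(2) else None
        message = m.group(3)
    else:
        message = text
    return SyslogMessage(pri >> 3, pri & 7, timestamp, hostname, tag, pid, message)


def describe(peer: str, msg: SyslogMessage) -> str:
    """One line per datagram: UDP peer address first, payload HOSTNAME second."""
    who = f"{msg.tag}[{msg.pid}]" if msg.pid is not None else (msg.tag or "-")
    return (f"peer={peer} host={msg.hostname or '-'} "
            f"{msg.facility_name}.{msg.severity_name} {who}: {msg.message}")


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams and print them; binding port 514 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            print(describe(peer, parse_datagram(data)))


# Constructed from the Msg: line in the tcpdump capture (kernel.warning => PRI 4).
SAMPLE_ROUTER = (b"<4>May  3 09:12:39 router kernel: [WAN-LOCAL-default-D]IN=eth2 OUT= "
                 b"LEN=60 PROTO=TCP SPT=46635 DPT=62615 SYN")
# Constructed local-style line with a PID, as daemon.info (PRI 30).
SAMPLE_LOCAL = b"<30>May  3 07:38:20 server kdc[67]: LKDC referral to the real LKDC realm name"

if __name__ == "__main__":
    print(describe("192.0.2.1", parse_datagram(SAMPLE_ROUTER)))
    print(describe("127.0.0.1", parse_datagram(SAMPLE_LOCAL)))
```

Run the module to see both constructed samples parsed; call `serve()` as root to watch real datagrams arrive on UDP 514 with the peer address printed beside the payload hostname.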
