1

When I log messages to syslog in OS X (10.10.1), it truncates the timestamp to the second. If I log to a file, for example, I am able to capture milliseconds. Milliseconds matter when logs are coming fast and furiously. Any idea if there’s a way to set millisecond precision in the OS X implementation of syslogd?

Improve this question
3
  • Did you read the syslog(1) man page? It gives examples of how to do this.
    – Spiff
    Commented Jan 30, 2015 at 9:17
  • Yes, and syslogd. I don't see anything there on precision of timestamps. Is there a specific section you could point me to? Thanks.
    – Justin Makeig
    Commented Jan 30, 2015 at 17:37
  • Sorry, I was on mobile last night and just wanted to quickly set you down the right path. Fuller answer below.
    – Spiff
    Commented Jan 30, 2015 at 20:27

1 Answer 1

Reset to default
0

OS X's syslogd stores log events in the "Apple System Log" (asl) database/store with microsecond precision by default, with provisions for nanosecond precision.

However, when that data gets copied out into traditional flat log files like /var/log/system.log, the traditional to-the-second timestamp format are used, because that's what those flat log files have always used.

You can use the syslog command-line tool to query the asl database, and you can specify the format of the output with various command-line options including -F. For example, to dump everything from the asl database in standard log file format, but with microsecond precision, do this:

syslog -F std.6

Note that if you have a process logging so many messages to syslog so fast that sub-second timestamps matter, you might want to also look at the asl.conf(5) man page to make sure your mps_limit and dup_delay parameters are set in such a way that all your log messages actually get stored in the database, as opposed to being throttled or thrown out.

Improve this answer
3
  • Thanks for the thorough response. I'm building a syslog server that listens for syslog messages over UDP. It doesn't sound like there's a way to change the timestamp precision of the messages flowing through syslogd on an OS X client (i.e. upstream pushing messages to my server). asl looks like it has more config options, but I don't really understand the relationship between syslog and asl and I don't see anything about time precision in asl either.
    – Justin Makeig
    Commented Jan 30, 2015 at 21:44
  • @JustinMakeig The traditional syslog network protocol (by which hosts can send syslog messages via UDP to a central syslog server), which was created decades ago in one of the earliest BSD Unixes, has a timestamp field that only has to-the-second precision. This protocol was eventually documented in Informational RFC 3164. This is the syslog protocol OS X supports. There was an effort in the IETF in 2009 to create a modernized version of the syslog protocol (including more timestamp precision) and standardize it (RFC 5424), but I don't believe OS X's syslog supports the modern version.
    – Spiff
    Commented Jan 30, 2015 at 22:19
  • Yes, and RFC 3164 specifies "Mmm dd hh:mm:ss". Looks like I'm out of luck. Thanks so much for your help.
    – Justin Makeig
    Commented Jan 30, 2015 at 22:30

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .