
I have tried the syslog forwarding configuration as mentioned in the Splunk document, but on the syslog server I am not getting all the logs generated in macOS, and there is also no syslog content (message) in some logs, like the following ones. I am not getting any useful information when forwarded as syslog. But in Console I am able to view all logs.

https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

<6>Mar 19 10:46:05 catalinas-iMac diagnosticd[531]: New connection from peer 1663
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:

Can anyone help on this ?

  • Did you configure Splunk to listen on port 514 (you shouldn't, but you can)? What version of Splunk? While Splunk is working on improvements to the macOS UF, have you tried any of the suggestions from community.splunk.com/t5/Archive/…?
    – warren
    Commented Mar 19, 2021 at 11:56
  • I have not configured Splunk on my syslog server. I have configured a syslog receiver on my server on port 514. I want all logs to be forwarded to my server. I tried configuring syslog.conf as well. Is there any other configuration that needs to be changed on the Mac so that I can get all logs?
    – User G
    Commented Mar 19, 2021 at 13:51

1 Answer

In googling this exact question (i.e. forwarding syslog on macOS to a syslog collector), I see several other posts referencing the now-out-of-date Splunk wiki link.

For example: https://community.spiceworks.com/topic/1860034-forwarding-syslog-from-mac-os-x-to-syslog-server

This post indicates that you need to look at /etc/asl.conf, as logging has changed in more recent versions of macOS: https://www.unixtutorial.org/syslog-and-asl-in-macos

There's also this aging, Graylog-related question on Ask Different asking about how to collect macOS logs.

The Apple manpage for asl is here: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/asl.3.html

And now, it appears the Unified Logger has replaced ASL: https://community.splunk.com/t5/Archive/Mac-OS-X-Sierra-How-to-get-all-logs-from-the-Unified-Log/m-p/347695

Based on all of this, it would seem the current "best" way to get logs off macOS systems to some centralized destination (be it a "traditional" syslog collector, Splunk, etc.) is with a scripted process that runs through what's been locally collected in the last X period (maybe just since the last run) and sends it on to wherever you want it to go.

  • Thank you for the response. As of now I don't have the option to use a script or a universal forwarder as in Splunk. I checked the asl.conf man pages and tried different configurations, but as I said previously, only for some logs the message is hidden, or I think it may be due to ASL storing logs in binary format. I also found that ASL would take the configuration for each subsystem from plist files in /Library/LaunchAgents/ and /System/Library/LaunchDaemons. Could you please help me on how to configure those plist files?
    – User G
    Commented Mar 24, 2021 at 12:02
  • @UserG - I'd suggest asking the plist question separately (and, possibly, on Ask Different), as it's probably a mostly separate topic.
    – warren
    Commented Mar 24, 2021 at 15:47
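The scripted approach the answer describes, as an added example that is not part of the original question or answer: a Python script that pulls unified-log entries newer than the timestamp saved on the previous run with `log show --style json --start ...`, rewrites each record as an RFC 3164 line of the shape shown in the question, skips records whose body is empty or redacted to `<private>`, and sends the rest over UDP to a collector. The collector address, the state-file path, the messageType-to-severity mapping and the JSON field names used (`timestamp`, `messageType`, `processImagePath`, `processID`, `eventMessage`) are assumptions about `log(1)` output; the sample records embedded below are constructed, modelled on the lines in the question, not captured from a real machine.

```python
#!/usr/bin/env python3
"""Forward macOS unified-log entries collected since the last run to a syslog collector.
Added example, not code from the original post. Assumes the JSON shape of
`log show --style json` (timestamp, messageType, processImagePath, processID,
eventMessage) and a plain UDP syslog receiver on the collector."""
import json
import os
import shutil
import socket
import subprocess
from datetime import datetime, timezone

COLLECTOR = ("syslog.example.internal", 514)                    # assumed collector address
STATE_FILE = os.path.expanduser("~/.unifiedlog-forward.state")  # hypothetical state-file path
FACILITY_USER = 1
# Unified-log messageType -> syslog severity (RFC 5424 table 2); this mapping is an assumption.
SEVERITY = {"Fault": 2, "Error": 3, "Default": 5, "Info": 6, "Debug": 7}
# Constructed sample records in log(1) JSON shape, modelled on the lines in the question.
SAMPLE_RECORDS = [
    {"timestamp": "2021-03-19 10:46:05.123456+0530", "messageType": "Default",
     "processImagePath": "/usr/libexec/diagnosticd", "processID": 531,
     "eventMessage": "New connection from peer 1663"},
    {"timestamp": "2021-03-19 10:46:05.234567+0530", "messageType": "Default",
     "processImagePath": "/usr/libexec/analyticsd", "processID": 162,
     "eventMessage": ""},
    {"timestamp": "2021-03-19 10:46:06.000001+0530", "messageType": "Error",
     "processImagePath": "/usr/libexec/analyticsd", "processID": 162,
     "eventMessage": "<private>"},
]

def parse_ts(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS.ffffff+HHMM' stamp that log(1) prints."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")

def is_useful(record: dict) -> bool:
    """Skip records with nothing to forward: empty bodies and payloads redacted to '<private>'."""
    msg = (record.get("eventMessage") or "").strip()
    return msg not in ("", "<private>")

def to_syslog(record: dict, hostname: str) -> str:
    """Render one record as an RFC 3164 line like the ones quoted in the question."""
    ts = parse_ts(record["timestamp"])
    pri = FACILITY_USER * 8 + SEVERITY.get(record.get("messageType", "Default"), 5)
    proc = record.get("process") or os.path.basename(record.get("processImagePath", "unknown"))
    # RFC 3164 pads a single-digit day with a space ("Mar  9"), so the stamp is built by hand.
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {proc}[{record.get('processID', 0)}]: {record.get('eventMessage') or ''}"

def format_batch(records: list, hostname: str) -> tuple:
    """Return (syslog lines for the useful records, newest timestamp seen or None)."""
    lines, newest = [], None
    for rec in records:
        ts = parse_ts(rec["timestamp"])
        newest = ts if newest is None or ts > newest else newest
        if is_useful(rec):
            lines.append(to_syslog(rec, hostname))
    return lines, newest

def collect_since(start: datetime) -> list:
    """Run `log show` for entries newer than `start` (given to log(1) in local time) and parse its JSON array."""
    cmd = ["log", "show", "--style", "json", "--info",
           "--start", start.astimezone().strftime("%Y-%m-%d %H:%M:%S")]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else []

def forward(lines: list, collector=COLLECTOR) -> int:
    """Send one UDP datagram per line; returns how many were sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8", "replace"), collector)
    return len(lines)

def main() -> None:
    """One pass: read the saved high-water mark, ship everything newer, save the new mark."""
    host = socket.gethostname().split(".")[0]
    try:
        with open(STATE_FILE) as f:
            start = datetime.fromisoformat(f.read().strip())
    except (FileNotFoundError, ValueError):
        start = datetime.now(timezone.utc)  # first run: only forward entries from now on
    lines, newest = format_batch(collect_since(start), host)
    forward(lines)
    if newest is not None:
        with open(STATE_FILE, "w") as f:
            f.write(newest.isoformat())

if __name__ == "__main__":
    for line in format_batch(SAMPLE_RECORDS, "catalinas-iMac")[0]:
        print(line)                 # offline check of the formatting on the constructed sample
    if shutil.which("log"):         # the live pass only makes sense on macOS
        main()
```

Run it from a periodic launchd job (or cron) as a user allowed to read the log store. Two caveats a practitioner will hit: `--start` is second-granular, so the boundary second is re-read on the next pass and the collector should tolerate the occasional duplicate; and UDP syslog is plaintext and unauthenticated, so keep the collector on a trusted segment or swap `forward()` for a TLS transport (RFC 5425) before sending anything sensitive off the host.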
