29

Does anyone know how to start the Syslogd server on a Mac to accept remote logging messages?

I started Syslogd, but it seems it doesn't accept remote messages.

If I do a netstat -an it looks like udp port 514 is listening. However, if I scan the server from my laptop using nmap then I don't see udp 514. It's likely the port is being blocked somewhere. I have checked ipfw but it does not look like any rules are defined.

I've seen lots of articles say that you have to specify the -r option. Is this the same on a Mac? How do I do that on a Mac?

willpowerforever

2 Answers

39

Syslogd should already be running on your system; what you need to do is enable its UDP listening option. This is controlled by a section near the end of /System/Library/LaunchDaemons/com.apple.syslogd.plist; remove the comment markers so that it looks like this:

<!--
        Un-comment the following lines to enable the network syslog protocol listener.
-->
                <key>NetworkListener</key>
                <dict>
                        <key>SockServiceName</key>
                        <string>syslog</string>
                        <key>SockType</key>
                        <string>dgram</string>
                </dict>
        </dict>
</dict>
</plist>

And then reload the syslogd daemon either by rebooting, or by running:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

UPDATE: Starting in OS X v10.7, Apple switched com.apple.syslogd.plist to a binary plist format, which doesn't include the relevant comment, and isn't editable as plain text. With the new format, PlistBuddy seems to be the easiest way to add the listener:

cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
sudo launchctl unload com.apple.syslogd.plist
sudo launchctl load com.apple.syslogd.plist

Gordon Davisson
  • Which version of OS X is this for? On Mountain Lion Server, I get "com.apple.launchd[1]: (com.apple.syslogd) Unknown key for dictionary: NetworkListener" in the console and I still don't see remote log messages… – John Y Dec 10 '12 at 21:22
  • @JohnYeates: Try the updated instructions (but be sure to start from a "stock" version of com.apple.syslogd.plist). – Gordon Davisson Dec 11 '12 at 06:53
  • I followed the steps in your update, but don't see any additional messages from my router in the OS X syslog. I don't have the firewall enabled and I know the router can ping my OS X machine. I see this in com.apple.syslogd.plist: `NetworkListener SockServiceName syslog SockType dgram ` I also unloaded and loaded syslogd. Am I missing something? – Raj Nov 14 '13 at 14:59
  • @Raj: not sure. Try running `netstat -a | grep LISTEN` to see what services your Mac is listening for connections to; if "*.syslog" is in the list, it's running and you need to figure out why the other computers aren't sending to it. If it's not listed, your Mac isn't offering syslog service; double-check the .plist file, and try rebooting instead of just reloading. If that doesn't do it, report back what OS X version you're running and exactly what you did to enable it... – Gordon Davisson Nov 14 '13 at 15:51
  • @GordonDavisson *.syslog is not in that list. I followed your updated steps to enable syslog. I am using OS X 10.8.5. Here's what's in my syslogd.plist: http://pastebin.com/RDaYn7V3 Does anything stand out by chance? – Raj Nov 15 '13 at 02:28
  • @GordonDavisson Forgot to mention that I rebooted too, but no luck. – Raj Nov 15 '13 at 03:00
  • @Raj: Ack, I gave you the wrong check for a network listener; it's UDP, so LISTEN won't work. Try `netstat -a | grep syslog` and look for something like "udp4 0 0 \*.syslog \*.\*". The .plist on pastebin looks fine to me. – Gordon Davisson Nov 15 '13 at 06:25
  • This will not work anymore in El Capitan due to the SIP restrictions I guess. See http://stackoverflow.com/questions/30768087/restricted-folder-files-in-os-x-el-capitan – Frank Hintsch Dec 28 '15 at 18:47
  • Bad News: This does not work on El Capitan. See this: https://discussions.apple.com/thread/7322612?start=0&tstart=0 Good News: You can use Xcode to edit the plist file - even if in binary. – infinite-loop Jul 06 '16 at 18:20
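
The listener check worked out in the comments above, as an added example that is not part of the original answer or comments: it reads `netstat -an` output, matches UDP sockets on the syslog port without relying on a LISTEN state, and reports whether each socket is bound on all interfaces. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; not from the original answer. Parses macOS-style
# `netstat -an` (or `netstat -a`) output read from stdin.

# Print protocol and local address of every UDP socket on the syslog port.
# UDP sockets never show a LISTEN state, so match on protocol and port only.
udp_syslog_listeners() {
    awk '
        $1 ~ /^udp/ {
            laddr = $4
            port = laddr
            # macOS prints addr.port; keep only what follows the last dot.
            sub(/^.*\./, "", port)
            if (port == "514" || port == "syslog") print $1, laddr
        }
    '
}

# Return 0 if a UDP syslog socket is bound, and say whether it is bound on
# all interfaces (wildcard) or on one specific address.
check_syslog_listener() {
    found=$(udp_syslog_listeners)
    if [ -z "$found" ]; then
        echo "no UDP syslog listener: re-check the plist and reload syslogd"
        return 1
    fi
    echo "$found" | while read -r proto addr; do
        case "$addr" in
            \*.*) echo "$proto bound on all interfaces ($addr)" ;;
            *)    echo "$proto bound on $addr" ;;
        esac
    done
    return 0
}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE='tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp6       0      0  *.514                  *.*
udp4       0      0  *.5353                 *.*'

printf '%s\n' "$SAMPLE" | check_syslog_listener
```

On a Mac, run `netstat -an | check_syslog_listener`. A wildcard binding accepts datagrams from any host that can reach UDP 514, and UDP syslog has no sender authentication, so restrict the port to the expected senders at the firewall.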
20

A bit old, but I did have to do this today and whilst searching around for a simple piece of software to do this for me I came across this question.

All I really wanted to do was watch some syslog entries for a short period of time and see what was coming from the server so what I ended up doing was:

sudo tcpdump -lns 0 -w - udp and port 514 | strings

This will simply print out any message that is sent to your machine on the output so you can display it.

Anyway if you do this and it outputs messages that are being transmitted to your server you can be sure it's not being blocked by your firewall or any other hardware in the middle.

supakaity