* * * * *
                                        
                   Notes on syslog support from Mac OS 11.6.4
                                        
Yes, I know, Mac OS-X 11.6.4 is more than 20 minutes old.
Shut up! Anyway, a bit more about syslog() support on Macs [1].

Our components (like Project: Lumbergh [2]) compile on Macs. We do initial
testing on Macs. Also, our components use syslog(). And it's not like Mac OS-
X has dropped syslog() entirely—our code still compiles. But syslog() isn't
quite working as I expect it to work.

When I run tests, I monitor the logs in real time—I've configured both my
Macs (the older one, and Belial, the annoying Mac Laptop [3]) to forward
syslog messages to a central server, which I can then monitor in real time
using my syslogd replacement [4] (I should probably go into detail
about how that works, but that's beyond the scope of this entry). Yes, I am
seeing messages show up:

-----[ data ]-----
Mar 09 18:27:20	user	notice	192.168.1.105	com.apple.xpc.launchd	entering bootstrap mode 
Mar 09 18:27:20	user	notice	192.168.1.105	com.apple.xpc.launchd	exiting bootstrap mode 
Mar 09 18:27:20	user	warn	192.168.1.105	com.apple.xpc.launchd	Service exited with abnormal code: 254 
Mar 09 18:27:26	daemon	notice	192.168.1.105	aciseagentd	Function: loadXMLCfgFile Thread Id: 0x2E77D40 File: ConfigData.cpp Line: 46 Level: warn :: ISEPostureCFG.xml not found, using defaults 
Mar 09 18:27:26	daemon	notice	192.168.1.105	aciseagentd	Function: GetConfigData Thread Id: 0x2E77D40 File: ConfigData.cpp Line: 220 Level: warn :: The cfg parameter for numeric value VlanDetectInterval was invalid. Using default. (XML was ) 
Mar 09 18:27:40	user	notice	192.168.1.105	com.apple.xpc.launchd	entering bootstrap mode 
Mar 09 18:27:40	user	notice	192.168.1.105	com.apple.xpc.launchd	exiting bootstrap mode 
Mar 09 18:27:40	user	warn	192.168.1.105	com.apple.xpc.launchd	Service exited with abnormal code: 254 
Mar 09 18:27:46	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:27:50	user	notice	192.168.1.105	com.apple.xpc.launchd	Service exited due to SIGKILL | sent by mds[316] 
Mar 09 18:28:00	user	notice	192.168.1.105	com.apple.xpc.launchd	entering bootstrap mode 
Mar 09 18:28:00	user	notice	192.168.1.105	com.apple.xpc.launchd	exiting bootstrap mode 
Mar 09 18:28:00	user	warn	192.168.1.105	com.apple.xpc.launchd	Service exited with abnormal code: 254 
Mar 09 18:28:20	user	notice	192.168.1.105	com.apple.xpc.launchd	entering bootstr
-----[ END OF LINE ]-----

So the syslogd forwarding is working (although I'm not sure which service
exited due to SIGKILL since that information isn't logged, but whatever, I'm
getting logs forwarded by syslogd on Belial). But when I run our stuff?
Nothing comes through.

This code compiles and runs:

-----[ C ]-----
#include <stdio.h>
#include <syslog.h>

int main(void)
{
  /* one message per priority: 0 (LOG_EMERG) through 7 (LOG_DEBUG) */
  for (int pri = 0 ; pri < 8 ; pri++)
    syslog(pri,"This is a test %d",pri);
  
  return 0;
}
-----[ END OF LINE ]-----

But I'm not seeing the logs being forwarded. And even when I edited
/etc/syslog.conf to read:

-----[ data ]-----
# Note that flat file logs are now configured in /etc/asl.conf

install.* @127.0.0.1:32376
*.*       @192.168.1.10
*.*       /tmp/log-all-the-things.txt
-----[ END OF LINE ]-----

The /tmp/log-all-the-things.txt file wasn't even created! There are messages
being forwarded to 192.168.1.10, but aside from that, it's as if everything
else in this file is being ignored. After some searching, I did find out
about the log program. I ran log stream --process syslogt in one window, then
my test program syslogt in another, and behold:

-----[ shell ]-----
[sconner]belial:~>log stream --process syslogt
Filtering the log data using "process BEGINSWITH[cd] "syslogt""
Timestamp                       Thread  Type    Activity PID    TTL  
2022-03-09 18:28:16.110052-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 0
2022-03-09 18:28:16.110914-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 1
2022-03-09 18:28:16.110943-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 2
2022-03-09 18:28:16.110965-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 3
2022-03-09 18:28:16.110986-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 4
2022-03-09 18:28:16.111005-0500 0x3513e Default 0x0      19313  0    syslogt: This is a test 5
-----[ END OF LINE ]-----

Logs! Only … not all of them. syslog() supports eight levels of logging, yet
this only shows six. The final two, levels LOG_INFO and LOG_DEBUG, aren't
logged! Even editing the /etc/asl.conf file to read:

-----[ data ]-----
# save everything from emergency to [DELETED-notice-DELETED] DEBUG
? [<= Level debug] store
-----[ END OF LINE ]-----

Doesn't help. Levels LOG_INFO and LOG_DEBUG are simply dropped. And guess
what level most of our logs are at?

XXXX you, Apple!
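
The per-level test above, turned into a repeatable check (an added example, not the author's code): emit one tagged canary per priority, then scan whatever was captured for the ones that never arrived. The nonce, the canary message format and the sample capture are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Priority names indexed by value (LOG_EMERG == 0 ... LOG_DEBUG == 7). */
static const char *const level_name[8] = {
  "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
  "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"
};

/* Constructed sample: what a capture looks like when only levels 0-5 arrive. */
static const char sample_capture[] =
  "syslogt: canary c0ffee level 0\n" "syslogt: canary c0ffee level 1\n"
  "syslogt: canary c0ffee level 2\n" "syslogt: canary c0ffee level 3\n"
  "syslogt: canary c0ffee level 4\n" "syslogt: canary c0ffee level 5\n";

/* Emit one canary per priority. The process log mask is opened up to
   LOG_DEBUG first, so a client-side mask is ruled out as the cause. */
void emit_canaries(const char *nonce)
{
  openlog("syslogt", LOG_PID, LOG_USER);
  setlogmask(LOG_UPTO(LOG_DEBUG));
  for (int pri = LOG_EMERG ; pri <= LOG_DEBUG ; pri++)
    syslog(pri, "canary %s level %d", nonce, pri);
  closelog();
}

/* Return a bitmask with bit N set when the level-N canary is absent. */
unsigned missing_levels(const char *captured, const char *nonce)
{
  unsigned missing = 0;
  char needle[128];
  for (int pri = LOG_EMERG ; pri <= LOG_DEBUG ; pri++)
  {
    snprintf(needle, sizeof(needle), "canary %s level %d", nonce, pri);
    if (strstr(captured, needle) == NULL)
      missing |= 1u << pri;
  }
  return missing;
}

int main(void)
{
  unsigned m = missing_levels(sample_capture, "c0ffee");
  for (int pri = LOG_EMERG ; pri <= LOG_DEBUG ; pri++)
    if (m & (1u << pri))
      printf("dropped: %s\n", level_name[pri]);
  return m != 0;
}
```

In real use, call emit_canaries() with a fresh nonce, then hand missing_levels() the text captured from log stream or from the central log server instead of the sample.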

[1] gopher://gopher.conman.org/0Phlog:2022/03/08.1
[2] gopher://gopher.conman.org/0Phlog:2018/09/11.2
[3] gopher://gopher.conman.org/0Phlog:2022/02/17.1
[4] gopher://gopher.conman.org/0Phlog:2010/02/09.1

Email author at sean@conman.org