1

I have tried the syslog forwarding configuration as mentioned in the Splunk document, but on the syslog server I am not getting all the logs generated in macOS, and there is no syslog content (message) in some logs, like the following ones. I am not getting any useful information when they are forwarded as syslog, but in Console I am able to view all logs.

https://wiki.splunk.com/Community:HowTo_Configure_Mac_OS_X_Syslog_To_Forward_Data

<6>Mar 19 10:46:05 catalinas-iMac diagnosticd[531]: New connection from peer 1663
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:
<5>Mar 19 10:46:05 catalinas-iMac analyticsd[162]:

Can anyone help with this?

warren
  • 10,322
User G
  • 11

1 Answer

0

In googling this exact question (i.e. forwarding syslog on macOS to a syslog collector), I see several other posts referencing the now-out-of-date Splunk wiki link.

For example: https://community.spiceworks.com/topic/1860034-forwarding-syslog-from-mac-os-x-to-syslog-server

This post indicates that you need to look at /etc/asl.conf, as logging has changed in more-recent versions of macOS - https://www.unixtutorial.org/syslog-and-asl-in-macos

There's also this aging, Graylog-related question on Ask Different asking about how to collect macOS logs

The Apple manpage for asl is here: https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/asl.3.html

And now, it appears the Unified Logger has replaced ASL: https://community.splunk.com/t5/Archive/Mac-OS-X-Sierra-How-to-get-all-logs-from-the-Unified-Log/m-p/347695

Based on all of this, it would seem the current "best" way to get logs off macOS systems to some centralized source (be it a "traditional" syslog collector, Splunk, etc.) is with a scripted process that runs through what's been locally collected in the last X period (maybe just since the last run), and sends it on to wherever you want it to go.

warren
  • 10,322
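A sketch of the scripted approach the answer describes, added here as an example and not code from the answer or from Splunk: it reads the last X period from the Unified Log with `log show --style ndjson --last`, rewrites each record as an RFC 3164 line, and sends it over UDP. The ndjson field names, the severity mapping, the `user` facility and the sample records are assumptions made for this example; records with an empty message are counted and skipped instead of being forwarded as blank lines.

```python
import json, socket, subprocess, sys
from datetime import datetime

# Unified-log messageType -> syslog severity (mapping chosen for this example)
SEVERITY = {"Fault": 2, "Error": 3, "Default": 5, "Info": 6, "Debug": 7}
FACILITY_USER = 1

# Constructed sample of `log show --style ndjson` output (not real capture)
SAMPLE = [
    '{"timestamp":"2020-03-19 10:46:05.123456-0700","messageType":"Info",'
    '"processImagePath":"/usr/libexec/diagnosticd","processID":531,'
    '"eventMessage":"New connection from peer 1663"}',
    '{"timestamp":"2020-03-19 10:46:05.200000-0700","messageType":"Default",'
    '"processImagePath":"/usr/libexec/analyticsd","processID":162,"eventMessage":""}',
    '{"count":2,"finished":1}',
]

def to_syslog(record, host):
    """Return an RFC 3164 line for one ndjson record, or None to skip it."""
    msg = " ".join((record.get("eventMessage") or "").split())  # flatten newlines
    if not msg or "timestamp" not in record:
        return None  # trailer line or empty message: nothing useful to forward
    ts = datetime.strptime(record["timestamp"][:19], "%Y-%m-%d %H:%M:%S")
    pri = FACILITY_USER * 8 + SEVERITY.get(record.get("messageType"), 5)
    proc = record.get("processImagePath", "unknown").rsplit("/", 1)[-1]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {proc}[{record.get('processID', 0)}]: {msg}"

def convert(lines, host):
    """Convert ndjson lines; return (syslog_lines, skipped_count)."""
    out, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        formatted = to_syslog(rec, host) if isinstance(rec, dict) else None
        if formatted is None:
            skipped += 1
        else:
            out.append(formatted)
    return out, skipped

if __name__ == "__main__":
    # usage: forward.py <collector-host> <port> <window, e.g. 5m>
    collector, port, window = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    raw = subprocess.run(["log", "show", "--style", "ndjson", "--last", window],
                         capture_output=True, text=True, check=True).stdout
    lines, skipped = convert(raw.splitlines(), socket.gethostname())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for entry in lines:
            sock.sendto(entry.encode("utf-8")[:1024], (collector, port))
    print(f"sent {len(lines)}, skipped {skipped}", file=sys.stderr)
```

Run it on an interval equal to the window so runs neither overlap nor leave gaps. UDP syslog is unauthenticated plaintext, so keep the collector on a trusted network segment or wrap the transport.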