send messages: syslog -s [-r host]
also done by logger
Reading messages: syslog [-w] [-F format] expression
prune deprecated syslog -p expression
Filter Controls: syslog -c process [filter]
Used for sending and viewing log messages, pruning the contents of the system's log message data store, and controlling the flow of log messages from processes.
-s send log messages to syslogd(8)
-l level set the log level (priority) of the message.
Emergency* (0) Alert (1) Critical (2) Error* (3) Warning (4) Notice (5) Info (6) Debug (7)
note: counter-intuitively, Emergency has a level less than Debug.
accepts one or two leading characters for a level specification
(* use Em for Emergency and Er for Error).
syslog -s -l W "Cannot mount /dev/disk0s14"
-k followed by a list of keys and values. A structured message
will be sent to the syslogd server with keys and values as arguments.
A key or value with embedded white space must be enclosed in quotes.
-r host remote syslogd server
-help
With no arguments,
Custom format strings may include variables of the form
syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'
produces output:
A simple expression is a list of one or more key/value pairs.
A simple expression matches a message if all of the key-value operations match.
The syslogd daemon will prune the data store after it
starts. See syslogd(8).
A daily pruning operation should be started by cron specified for Mac OSX 10.4 in
Reading messages
syslog -w
displays the last 36 messages and waits for new messages, similar to watching a log file using:
tail -f /var/log/system.log
syslog displays all the messages in the data store with level < INFO.
(i.e. notices, warnings, errors, criticals, alerts and emergencies).
note: counter-intuitively, Error has a level less than Info.
-u UTC is used to display time stamps
-F format
std Standard (default) format. Similar to bsd, includes the message priority level
Sat Jul 10 18:29:24 smackerpro login[20636]
bsd Format used by the syslogd daemon for system log files, e.g. /var/log/system.log.
raw Prints the complete message structure. Each key/value pair is
enclosed in square brackets. Embedded closing brackets and white
space are escaped. Time stamps are printed using UTC.
[Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [GID 20] [Level 5] [Message USER_PROCESS: 20636 ttys006] [ASLMessageID 283631] [TimeNanoSec 683290000] [Facility com.apple.system.lastlog] [ut_user dgerman] [ut_id s006] [ut_line ttys006] [ut_pid 20636] [ut_type 7] [ut_tv.tv_sec 1278800964] [ut_tv.tv_usec 682818] [ASLExpireTime 1310423364]
[Time 1278801677] [Host smackerpro] [Sender Activity Monitor] [PID 209] [UID 501] [GID 20] [Level 3] [Message kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface] [ASLMessageID 283632] [TimeNanoSec 350398000] [Facility com.apple.coregraphics]
[Time 1278801677] [Host smackerpro] [Sender \[0x0-0xa00a\].com.apple.ActivityMonitor] [PID 209] [UID 501] [GID 20] [Level 5] [Message Sat Jul 10 18:41:17 smackerpro.germans Activity Monitor\[209\]
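A parser for the raw format shown above, as an added example that is not part of the original page. It honours the backslash escapes, so bracketed text inside a Message cannot be read as a separate field. The function names, the constructed third sample line, and the \n, \t, \s whitespace escapes are assumptions.

```python
import re

# Constructed sample: two lines shortened from the raw output above, plus one
# made-up message whose text contains escaped brackets that resemble a field.
SAMPLE = r"""
[Time 1278800964] [Host smackerpro] [Sender login] [PID 20636] [UID 0] [Level 5] [Message USER_PROCESS: 20636 ttys006]
[Time 1278801677] [Host smackerpro] [Sender Activity Monitor] [PID 209] [UID 501] [Level 3] [Message kCGErrorFailure: _CGSLockWindow: Cannot synchronize window backing surface]
[Time 1278801700] [Host smackerpro] [Sender demo] [PID 400] [UID 501] [Level 5] [Message done\] \[UID 0\]]
""".strip()

# '[' key [space value] ']' where a backslash protects the character after it.
FIELD = re.compile(r"\[((?:\\.|[^\\\]\s])+)(?:\s((?:\\.|[^\\\]])*))?\]")
# Assumption: whitespace escapes are written \n, \t and \s; the page only
# says that whitespace is escaped, not how.
ESCAPES = {"n": "\n", "t": "\t", "s": " "}

def unescape(text):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), text)

def parse_raw(line):
    """Return {key: value} for one raw-format message, honouring escapes."""
    return {unescape(k): unescape(v) for k, v in FIELD.findall(line)}

def parse_naive(line):
    """Shown for contrast: ignores escapes, so message text can shadow fields."""
    return dict(re.findall(r"\[(\S+) ([^\]]*)\]", line))

def at_or_above(text, level=3):
    """Messages at `level` or more severe (a lower number is more severe)."""
    msgs = [parse_raw(line) for line in text.splitlines()]
    return [m for m in msgs if int(m["Level"]) <= level]

if __name__ == "__main__":
    last = SAMPLE.splitlines()[-1]
    print("escape-aware UID:", parse_raw(last)["UID"])
    print("naive UID:       ", parse_naive(last)["UID"])
    for m in at_or_above(SAMPLE):
        print(m["Time"], m["Sender"], m["Message"])
```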
$Name (or
$(Name) if the variable is not delimited by whitespace) which will be
expanded to the value associated with the named key. For example,
May 26 01:43:51 smacker Software Update[19720]: __choice_su_visible returned wrong type (())
May 26 14:56:10 localhost mDNSResponder-108.5 (May 9 2007 15[-1]: 08:01)[63]: starting
May 26 14:56:18 localhost DirectoryService[80]: Launched version 2.1 (v353.6)
May 26 14:56:22 localhost mDNSResponder[-1]: Adding browse domain local.
May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
May 26 14:56:22 localhost configd[67]: initCardWithStoredPrefs failed.
May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
-w an expression may be specified using -k and -o.
Expressions
Specify matching criteria when reading messages to filter for messages of interest.
For example, to find messages sent by portmap:
syslog -k Sender portmap
-k A single argument matches if a message has the specified key, regardless of value.
If a pair of arguments is specified, a match occurs
when a message has exactly the specified value for the key.
If three arguments are given, they are of the form
-k key operator value
keys include: Time Sender Level Host PID Message Facility
Case sensitive, i.e. sender does not work!
The operator may be preceded by:
A prefix
S substring
Z suffix
C case-fold
R regular expression (see regex(3))
N numeric comparison
operators include:
eq equal
ne not equal
gt greater than
ge greater than or equal to
lt less than
le less than or equal to
The result is an AND of all of the key-value operations.
syslog -k Message Seq "Could not"
syslog -k Sender com.apple.launchd -k Level ne Warning
-o separates simple expressions and provides an OR operation.
If two or more simple expressions are given, separated by -o options,
then a match occurs if a message matches any of the simple expressions.
For example, to find all messages which have either a Sender value of
portmap or that have a numeric priority level of 4 or less:
syslog -k Sender portmap -o -k Level Nle 4
For matching time stamps:
A negative integer is the number of seconds before the
current time. For example, to find all messages of priority level 3
(error) or greater which were logged in the last 5 minutes (300 seconds):
syslog -k Level Nge 3 -k Time ge -300
A relative time value may be optionally followed by
s, m, h, d, or w to specify seconds, minutes, hours,
days, or weeks. A week is 7 complete days (i.e. 604800 seconds), not the time since Sunday.
An unsigned integer value is the number of seconds since the epoch (i.e. 00:00:00, January 1, 1970, Coordinated Universal Time).
PRUNING
The System Log facility saves received messages, subject to filtering criteria described in the FILTERING CONTROLS section. Pruning
is required to prevent unlimited growth of the data store.
-p must be followed by an expression; messages that match the expression are deleted.
/etc/periodic/daily/500.daily.
# Delete all messages after 7 days (-k Time lt -7d)
# Delete Warning (Level 4) and above after 3 days (-k Time lt -3d -k Level ge 4)
# Delete Info (Level 6) and above after 1 day (-k Time lt -1d -k Level ge 6)
syslog -p -k Time lt -7d -o -k Time lt -3d -k Level ge 4 -o -k Time lt -1d -k Level ge 6
FILTERING CONTROLS
Clients of the System Log facility using either the asl or
syslog interfaces may specify a log filter mask which specifies
which messages should be sent to syslogd by specifying a
yes/no setting for each priority level. Many clients set a filter mask
to avoid sending relatively unimportant messages. Debug or Info priority
level messages are generally only useful for debugging operations. By
setting a filter mask, a process can improve performance by avoiding
spending time sending messages that are in most cases unnecessary.
-c may be used to control filtering. In addition to the
internal filter value that processes may set as described above, the system maintains a global master filter.
This filter is normally off.
If a value is set for the master filter, it overrides the local filter for all processes.
Root is required to set the master filter value.
The current setting of the master filter mask may be inspected using:
syslog -c 0
Master filter mask: Off
The value of the master filter mask is set by providing a second argument following -c 0.
p a c e w n i d. x may be used for Error
syslog -c 0 off
It is common to use the filter as a cutoff mechanism,
for example to cut off messages with Debug and Info priority, a single character
may be specified, preceded by a minus sign. In this
case, syslog uses a filter mask starting at level 0 (Emergency) up to
the given level. For example, to set the master filter level to cause
all processes to log messages from Emergency up to Debug:
syslog -c 0 -d
The master filter level is used to control the messages produced by all processes.
Another filter mask is specified for an individual
process. If a per-process filter mask is set, it overrides both the
local filter mask and the master filter mask. The current setting for a
per-process filter mask is inspected using -c process, where process
is either a PID or the name of a process. If a name is used, it must
uniquely identify a process. To set a per-process filter mask, a second
argument may be supplied following -c process as described above for the
master filter mask. Root access is required to set the per-process filter mask for system (UID 0) processes.
The filtering described above takes place in the client library to determine which messages are sent to the syslogd daemon. The daemon also contains a filter which determines which messages are saved in the data store.
The default data store filter mask saves messages with priority levels from Emergency to Notice (level 0 to 5). The level may be inspected using:
syslog -c syslogd
To set the data store filter mask, a second argument is supplied following -c syslogd as described above. For example, to save messages with priority level Error or less in the data store:
syslog -c syslogd -e
See syslogd(8), logger, asl(AppleSystemLogger), syslog(3), BalaBit syslog-ng (new generation) filters not only facility.level, txt | database, TCP|UDP
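The filter chain from FILTERING CONTROLS, worked through as an added example that is not part of the original page: it decides whether a message of a given level is dropped in the client library, sent but not saved, or saved in the data store. The function names and the local mask values passed in are assumptions; the precedence rules and the default data store mask (Emergency to Notice) are the ones stated above.

```python
LEVELS = "pacewnid"  # Emergency (0) ... Debug (7); "x" is accepted for Error

def parse_mask(spec):
    """Turn a -c filter argument into a set of levels; None means 'not set'."""
    if spec is None or spec == "off":
        return None
    cutoff = spec.startswith("-")
    chars = (spec[1:] if cutoff else spec).replace("x", "e")
    if not chars or any(c not in LEVELS for c in chars) or (cutoff and len(chars) != 1):
        raise ValueError(f"bad filter spec: {spec!r}")
    if cutoff:  # "-w" means level 0 (Emergency) up to Warning
        return set(range(LEVELS.index(chars) + 1))
    return {LEVELS.index(c) for c in chars}

def client_mask(local, master=None, per_process=None):
    """Per-process overrides master, and master overrides the local mask."""
    for spec in (per_process, master):
        mask = parse_mask(spec)
        if mask is not None:
            return mask
    return parse_mask(local) or set()

def fate(level, local, master=None, per_process=None, store="-n"):
    """Outcome for one message; store defaults to Emergency..Notice."""
    if level not in client_mask(local, master, per_process):
        return "dropped by client"
    if level not in (parse_mask(store) or set()):
        return "sent, not stored"
    return "stored"

if __name__ == "__main__":
    INFO = LEVELS.index("i")
    # Assumed scenario: a process whose own (local) mask stops at Notice.
    print(fate(INFO, local="-n"))                                # dropped by client
    print(fate(INFO, local="-n", per_process="-d"))              # sent, not stored
    print(fate(INFO, local="-n", per_process="-d", store="-d"))  # stored
    print(fate(INFO, local="-d", master="-e"))                   # dropped by client
```

Raising a per-process or master filter only gets the message as far as syslogd; the data store filter has to be widened as well before Info or Debug messages are kept.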
Mac OS X October 18, 2004
com.apple.syslogd.plist
This is no longer located here!
From /System/Library/LaunchDaemons/plist
key:Label='com.apple.syslogd'
key:OnDemand=False
key:ProgramArguments=( '/usr/sbin/syslogd')
key:MachServices=[ key:com.apple.system.logger=True]
key:Sockets=[
  key:AppleSystemLogger=[ key:SockPathName='/var/run/asl_input' key:SockPathMode=438]
  key:BSDSystemLogger=[ key:SockPathName='/var/run/syslog' key:SockType='dgram' key:SockPathMode=438 ]
]
]
Made true HTML and terse by Dennis German