Mac OS X version


-s send a message. Also done by logger

-r host
-l level message
-k key val [key val] …
[-w] [-F format] expression Reading messages

-p deprecated prune

Filter Controls: syslog -c process [filter]

syslog is used for sending and viewing log messages, pruning the contents of the system's log message data store, and controlling the flow of log messages from processes.

-s send log messages to syslogd(8)

-l level set the log level (priority) of the message 1-7 or A, alert

    Emergency* (0)       note counter-intuitive Emergency has a level less than Debug.
    Alert      (1)
    Critical   (2)       
    Error     (3)
    Warning    (4)       
    Notice     (5)       
    Info       (6)     
    Debug      (7) 

The -l option accepts one or two leading characters for a level specification
(use Em for Emergency and Er for Error).

syslog -s -l Er "Cannot mount /dev/disk0s14"
produces this entry (as displayed by kiwi):
2012-03-30 21:33:24 Kernel.Emerg smackerPro.germans syslog[71032]:Cannot mount /dev/disk0s14
syslog -s -r -l Em -k Facility eq mail "sent trhough LAN -l Em"
produces this entry (as displayed by kiwi):
O2012-03-30 21:51:12 Local7.Debug smackerPro.germans 107 [Sender syslog] [Level 0] [Facility eq] [mail sent trhough LAN -l Em] [Time 1333158663] [Host smackerPro]<000>

-k followed by a list of keys and values. A structured message will be sent to the syslogd server with keys and values as arguments. A key or value with embedded white space must be enclosed in quotes.

-r host remote syslogd server


Reading messages

syslog -w
displays the last 36 messages and waits for new messages (similar to watching a log file using: tail -f /var/log/system.log).

With no arguments, syslog displays all the messages in the data store with level < INFO
(i.e. notices, warnings, errors, criticals, alerts and emergencies).
Note the counter-intuitive numbering: Error has a level less than Info.

-u UTC is used to display time stamps

-F format

Custom format strings may include variables of the form $Name (or $(Name) if the variable is not delimited by whitespace), which will be expanded to the value associated with the named key. For example,

syslog -F '$Time $Host $(Sender)[$(PID)]: $Message'

produces output :

          May 26 01:43:51 smacker Software Update[19720]: __choice_su_visible returned wrong type (())
          May 26 14:56:10 localhost mDNSResponder-108.5 (May  9 2007 15[-1]: 08:01)[63]: starting
          May 26 14:56:18 localhost DirectoryService[80]: Launched version 2.1 (v353.6)
          May 26 14:56:22 localhost mDNSResponder[-1]: Adding browse domain local.
          May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003
          May 26 14:56:22 localhost configd[67]: initCardWithStoredPrefs failed.
          May 26 14:56:22 localhost configd[67]: WirelessConfigure: 88001003 

With -w, an expression may be specified using -k and -o.


Specify matching criteria when reading messages to filter for messages of interest.

A simple expression is a list of one or more key/value pairs.

Keys include: Time Sender Level Host Pid Message Facility (case sensitive, i.e. sender does not work!)
Operators include:
eq  equal           ne  not equal
gt  greater than    ge  greater than or equal to
lt  less than       le  less than or equal
The operator may be preceded by:
A  prefix
S  substring
Z  suffix
C  case-fold
R  regular expression (see regex(3))
N  numeric comparison

For example, to find messages sent by portmap:

syslog -k Sender portmap
Messages containing "Could not":
syslog -k Message Seq "Could not"

Multiple simple expressions match a message if all of the key-value operations match, i.e. AND of all of key-value operations.

 syslog -k Sender      -k Level ne Warning

-o separates simple expressions and provides an OR operation.

To find all messages which have either a Sender portmap or that have a numeric priority level of 4 or less:

syslog -k Sender portmap    -o    -k Level Nle 4
For matching time stamps: A negative integer is the number of seconds before the current time.
To find all messages of priority level 3 (error) or greater which were logged in the last 5 minutes (300 seconds):
syslog -k Level Ngt 3 -k Time ge -300
A relative time value may optionally be followed by s, m, h, d, or w to specify seconds, minutes, hours, days, or weeks. A week is 7 complete days (i.e. 604800 seconds), not the time since Sunday.
An unsigned integer value is the number of seconds since the epoch (i.e. 00:00:00, January 1, 1970, Coordinated Universal Time).

Filtering Controls

Clients of the "System Log Facility" (using either the asl or syslog interfaces) may specify a log filter mask which specifies which messages should be sent to syslogd, a yes/no for each priority level.

-c controls filtering.

In addition to the client filter there is a global master filter which is off by default.
If a value is set for the master filter, it overrides the local filter for all processes. Root is required to set the master filter.

To display the setting of the master filter mask:

syslog -c 0
Master filter mask: Off
The value of the master filter mask is set by providing a second argument following -c 0.
p Panic (Emergency), a Alert, c Critical, E or x Error, w Warning, n Notice, i Info, and d Debug.
The master filter may be unset with:
syslog -c 0 off
A single level character preceded by a minus sign selects the levels starting at level 0 (Emergency) up to the given level.
To disable Debug and Info messages, To set the master filter level to cause all processes to log messages from Emergency up to Debug:
syslog -c 0 -d
The master filter level is used to control the messages produced by all processes.

Another filter mask is specified for an individual process. If a per-process filter mask is set, it overrides both the local filter mask and the master filter mask. The current setting for a per-process filter mask is inspected using -c process, where process is either a PID or the name of a process. If a name is used, it must uniquely identify a process. To set a per-process filter mask, a second argument may be supplied following -c process as described above for the master filter mask. Root access is required to set the per-process filter mask for system (UID 0) processes.

The filtering described above takes place in the client library to determine which messages are sent to the syslogd daemon. The daemon also contains a filter which determines which messages are saved in the data store.

The default data store filter mask saves messages with priority levels from Emergency to Notice (level 0 to 5). The level may be inspected using:

syslog -c syslogd
To set the data store filter mask, a second argument is supplied following -c syslogd as described above. For example, to save messages with priority level Error or less in the data store:
syslog -c syslogd -e
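
The two filtering stages above, as an added Python example (not part of the original notes or of Apple's code): it resolves which client mask applies and then whether the data store keeps the message. The function names are hypothetical, and accepting the level letters in either case is an assumption.

```python
# Level letters as listed above: p a c e/x w n i d -> 0..7
LETTERS = {"p": 0, "a": 1, "c": 2, "e": 3, "x": 3, "w": 4, "n": 5, "i": 6, "d": 7}

def parse_mask(spec):
    """Return the set of levels a -c filter argument enables; None for 'off'."""
    if spec.lower() == "off":
        return None
    if spec.startswith("-"):                       # "-n": Emergency up to Notice
        return set(range(LETTERS[spec[1].lower()] + 1))
    return {LETTERS[ch.lower()] for ch in spec}    # explicit yes/no per level

# Default data store mask from the text: Emergency to Notice (0 to 5)
DEFAULT_STORE = frozenset(parse_mask("-n"))

def client_mask(local, master=None, per_process=None):
    """Per-process mask overrides the master mask, which overrides the local one."""
    for mask in (per_process, master):
        if mask is not None:
            return mask
    return local

def fate(level, local, master=None, per_process=None, store=DEFAULT_STORE):
    """Where a message of this level ends up after both filter stages."""
    if level not in client_mask(local, master, per_process):
        return "dropped by client"                 # never sent to syslogd
    return "stored" if level in store else "sent, not stored"
```

With the default data store mask, an Info (6) message from a process whose mask allows everything is sent to syslogd but never saved, which is worth knowing before relying on the store for audit records.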

seems to be deprecated (DGG)


The System Log facility saves received messages, subject to the filtering criteria described in the Filtering Controls section. Pruning is required to prevent unlimited growth of the data store.

The syslogd daemon will prune the data store after it starts. See syslogd(8).

-p must be followed by an expression, messages that match the expression are deleted.

A daily pruning operation should be started by cron; for Mac OS X 10.4 it is specified in /etc/periodic/daily/500.daily.

# Delete all messages after 7 days (-k Time lt -7d)
# Delete Warning (Level 4) and above after 3 days (-k Time lt -3d -k Level ge 4)
# Delete Info (Level 6) and above after 1 day (-k Time lt -1d -k Level ge 6)
syslog -p  -k Time lt -7d  -o  -k Time lt -3d -k Level ge 4  -o  -k Time lt -1d -k Level ge 6
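
An added example (not part of the original notes or of Apple's syslog source): a small Python model of the -k/-o matching rules from Reading messages, applied to the pruning expression above to show which messages survive. NOW and the sample messages are constructed; only the N and S operator prefixes are modelled, and comparing Level and Time numerically in every case is an assumption of this model.

```python
import operator, re

LEVELS = {n: i for i, n in enumerate("Emergency Alert Critical Error Warning Notice Info Debug".split())}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CMP = {n: getattr(operator, n) for n in ("eq", "ne", "gt", "lt", "ge", "le")}

def time_value(text, now):
    """'-3d' is 3 days before now; an unsigned integer is seconds since epoch."""
    sign, num, unit = re.fullmatch(r"(-?)(\d+)([smhdw]?)", text).groups()
    return now - int(num) * UNITS[unit] if sign else int(num)

def parse(args):
    groups = [[]]          # OR-groups (split on -o) of terms (each started by -k)
    for tok in args:
        if tok == "-o":
            groups.append([])
        elif tok == "-k":
            groups[-1].append([])
        else:
            groups[-1][-1].append(tok)
    return groups

def match_term(msg, term, now):
    key, op, value = term if len(term) == 3 else (term[0], "eq", term[1])
    mods, cmp = op[:-2], CMP[op[-2:]]
    if key not in msg:
        return False
    if key == "Time":
        return cmp(msg[key], time_value(value, now))
    if key == "Level" or "N" in mods:      # compare numerically
        return cmp(int(msg[key]), int(LEVELS.get(value, value)))
    if "S" in mods:                        # substring match
        return (value in msg[key]) == (op[-2:] != "ne")
    return cmp(msg[key], value)

def matches(msg, args, now):
    """A message matches if every term of at least one OR-group matches."""
    return any(g and all(match_term(msg, t, now) for t in g) for g in parse(args))

NOW, DAY = 1333158663, 86400               # constructed "current time"
STORE = [                                  # constructed sample messages
    {"id": "A", "Time": NOW - 5 * DAY, "Level": 3, "Sender": "kernel", "Message": "Could not mount"},
    {"id": "B", "Time": NOW - 4 * DAY, "Level": 4, "Sender": "portmap", "Message": "slow reply"},
    {"id": "C", "Time": NOW - 2 * DAY, "Level": 6, "Sender": "configd", "Message": "link up"},
    {"id": "D", "Time": NOW - 8 * DAY, "Level": 3, "Sender": "kernel", "Message": "I/O error"},
]
PRUNE = "-k Time lt -7d -o -k Time lt -3d -k Level ge 4 -o -k Time lt -1d -k Level ge 6".split()

def survivors(store, args, now=NOW):       # ids a prune with args would keep
    return [m["id"] for m in store if not matches(m, args, now)]
```

Because "Level ge 4" selects Warning and everything less severe, the five-day-old Error (A) is the only sample message that survives this prune.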
See newsyslog, used by OS X Mountain Lion to keep system log files at manageable sizes.
logger, asl(AppleSystemLogger), syslog(3),
syslogd, aslmanager BalaBit syslog-ng (new generation) filters not only facility.level, txt | database, TCP|UDP
Simple log watcher takes action on matching event.
Apple System Log server (ASL) daemon Mac OS X October 18, 2004

From /System/Library/LaunchDaemons 5/20/13

    LowPriorityIO: true
    Nice 1
    StartCalendarInterval:Minute 30

reformatted by ed
/System/Library/LaunchDaemons > plutil  -p
  Label =>
  JetsamProperties => { JetsamPriority => -49 JetsamMemoryLimit => 300 }
  EnvironmentVariables => { ASL_DISABLE => 1 }
  MachServices => { => { ResetAtClose => 1 } }
  EnableTransactions => 1
  ProgramArguments => [ 0 => /usr/sbin/syslogd ]
  Sockets => { AppleSystemLogger => { SockPathName => /var/run/asl_input SockPathMode => 438 }
               BSDSystemLogger   => { SockPathName => /var/run/syslog SockType => dgram SockPathMode => 438 }
  HopefullyExitsLast => 1
  OnDemand => 0

Made true HTML and terse by Dennis German