Update syslog chapter for macOS Sierra

Open alexpts opened this issue 7 years ago • 10 comments

macOS Sierra does not use /etc/syslog.conf.

For macOS Sierra, the file /etc/asl.conf needs to be configured.

The docs need to be updated, or a new paragraph added for macOS.

alexpts avatar Mar 07 '17 06:03 alexpts

Do you mean that this page should be updated?

http://docs.graylog.org/en/2.2/pages/sending_data.html

We would like to merge a PR that includes the given information from your end.

jalogisch avatar Mar 07 '17 07:03 jalogisch

Yes! I do not know what needs to be added to /etc/asl.conf.

The current doc doesn't work for macOS Sierra.

alexpts avatar Mar 07 '17 07:03 alexpts

@alexpts Apple introduced "Unified Logging" in macOS Sierra, see https://developer.apple.com/library/prerelease/content/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html#//apple_ref/doc/uid/TP40017145-DontLinkElementID_73 for details.

We currently don't have the capacity to update the documentation, but if you know how to set up remote logging in macOS Sierra, please create a pull request for it.

joschi avatar Mar 07 '17 08:03 joschi

@mevans845 Any contribution is welcome! 👍

joschi avatar Jul 11 '18 06:07 joschi

Sadly, it looks like all versions of macOS with Unified Logging, including Sierra, High Sierra, and Mojave, don't support any practical method for centralized logging. Well summarized in these 2 articles:

https://eclecticlight.co/2018/03/21/macos-unified-log-3-finding-your-way/

https://eclecticlight.co/2018/06/08/the-unified-log-in-macos-mojave-signposts-and-instruments/

Edit: from the first article, you might be able to use log stream, but that would be inelegant to say the least.

jabenninghoff avatar Jul 12 '18 04:07 jabenninghoff

@jabenninghoff @mevans845 I could imagine using log stream --style json and some kind of log shipper akin to Filebeat for shipping the messages to Graylog.

joschi avatar Jul 12 '18 07:07 joschi

I am interested to see what approach you take on this! 👍

loceee avatar Jul 26 '18 01:07 loceee

I added a line to /etc/syslog.conf, which works for sending it to a Debian syslog server.

Will this survive a restart or upgrade?

xq1xq1xq1 avatar Aug 18 '18 15:08 xq1xq1xq1

@xq1xq1xq1 It will survive a restart but not an upgrade.

Hey folks, I work at Papertrail and this is a problem we've been trying to solve, too, with little success. The closest I've been able to come with Unified Logging is to run something that can consume STDOUT from log stream, manipulate it, and forward it. NXLog has been fine so far, in the relay department, but I haven't managed to work on a transformer that will massage the incoming lines effectively. Some entries from log stream are multi-line. Even with --style set to either syslog or json, not all events seem to adhere to that argument.

I'm almost ready to say sending Unified logs to a remote location is a lost cause given how much effort Apple has put into keeping the logs within their ecosystem.

johlym avatar Aug 24 '18 01:08 johlym
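
An added example, not code from this thread or from Graylog: one way to build the consumer for log stream --style json discussed above, decoding the output incrementally so that entries spanning several lines are reassembled before being converted to GELF. The unified-log field names, the severity mapping, and the Graylog GELF UDP address 127.0.0.1:12201 are assumptions, and the sample input is constructed.

```python
import json, socket, sys
from datetime import datetime

# Assumed mapping of unified-log messageType to syslog severity for GELF "level".
LEVELS = {"Fault": 2, "Error": 3, "Default": 5, "Info": 6, "Debug": 7}
DECODER = json.JSONDecoder()
# Constructed sample of `log stream --style json` output (field names assumed).
SAMPLE = '''[{
  "timestamp" : "2018-08-24 01:02:03.500000-0700",
  "messageType" : "Error", "processImagePath" : "/usr/sbin/sshd",
  "eventMessage" : "first line\\nsecond line"
},{
  "timestamp" : "2018-08-24 01:02:04.000000-0700",
  "messageType" : "Default", "eventMessage" : "ok"
}'''

def extract_events(buffer):
    """Return (complete JSON objects found in buffer, unparsed remainder)."""
    events, pos = [], 0
    while True:
        start = buffer.find("{", pos)  # skips "[", "," and any non-JSON banner text
        if start == -1:
            return events, ""
        try:
            obj, pos = DECODER.raw_decode(buffer, start)
        except json.JSONDecodeError:
            return events, buffer[start:]  # entry still incomplete: keep for next read
        events.append(obj)

def to_gelf(event, host):
    """Convert one unified-log entry to a GELF 1.1 message (dict)."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z").timestamp()
    message = event.get("eventMessage") or "(empty)"
    return {"version": "1.1", "host": host, "timestamp": ts,
            "short_message": message.splitlines()[0], "full_message": message,
            "level": LEVELS.get(event.get("messageType"), 6),
            "_process": event.get("processImagePath", ""),
            "_subsystem": event.get("subsystem", "")}

def ship(stream, host, graylog=("127.0.0.1", 12201)):
    """Read log stream output line by line and send each entry as GELF over UDP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    pending = ""
    for line in stream:
        events, pending = extract_events(pending + line)
        for event in events:
            sock.sendto(json.dumps(to_gelf(event, host)).encode(), graylog)

if __name__ == "__main__":  # usage: log stream --style json | python3 this_file.py
    ship(sys.stdin, socket.gethostname())
```

Because the decoder works on a growing buffer rather than on single lines, an entry is forwarded only once its closing brace has arrived, however many lines it spans.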

@johlym thank you for the update. If some kind of own tool would be provided it would be fine - but to have everything designed against modern infrastructure management is not the best move.

I guess it would be time to start to write a beat that collects the logs and sends them to the central. Same as happened to the journald beat.

Maybe this can help: http://support.loomsystems.com/sources/streaming-logs-from-mac-using-filebeat

jalogisch avatar Aug 28 '18 08:08 jalogisch