Wednesday, March 09, 2022
Notes on syslog support from Mac OS 11.6.4
Yes, I know, Mac OS-X 11.6.4 is more than 20 minutes old. Shut up! Anyway, a bit more about syslog() support on Macs.
Our components (like Project: Lumbergh) compile on Macs. We do initial testing on Macs. Also, our components use syslog(). And it's not like Mac OS-X has dropped syslog() entirely—our code still compiles. But syslog() isn't quite working as I expect it to work.
When I run tests, I monitor the logs in real time—I've configured both my Macs (the older one, and Belial, the annoying Mac Laptop) to forward syslog messages to a central server, which I can then monitor in real time using my syslogd replacement (I should probably go into detail about how that works, but that's beyond the scope of this entry). Yes, I am seeing messages show up:

    Mar 09 18:27:20 user notice 192.168.1.105 com.apple.xpc.launchd entering bootstrap mode
    Mar 09 18:27:20 user notice 192.168.1.105 com.apple.xpc.launchd exiting bootstrap mode
    Mar 09 18:27:20 user warn 192.168.1.105 com.apple.xpc.launchd Service exited with abnormal code: 254
    Mar 09 18:27:26 daemon notice 192.168.1.105 aciseagentd Function: loadXMLCfgFile Thread Id: 0x2E77D40 File: ConfigData.cpp Line: 46 Level: warn :: ISEPostureCFG.xml not found, using defaults
    Mar 09 18:27:26 daemon notice 192.168.1.105 aciseagentd Function: GetConfigData Thread Id: 0x2E77D40 File: ConfigData.cpp Line: 220 Level: warn :: The cfg parameter for numeric value VlanDetectInterval was invalid. Using default. (XML was )
    Mar 09 18:27:40 user notice 192.168.1.105 com.apple.xpc.launchd entering bootstrap mode
    Mar 09 18:27:40 user notice 192.168.1.105 com.apple.xpc.launchd exiting bootstrap mode
    Mar 09 18:27:40 user warn 192.168.1.105 com.apple.xpc.launchd Service exited with abnormal code: 254
    Mar 09 18:27:46 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:27:50 user notice 192.168.1.105 com.apple.xpc.launchd Service exited due to SIGKILL | sent by mds[316]
    Mar 09 18:28:00 user notice 192.168.1.105 com.apple.xpc.launchd entering bootstrap mode
    Mar 09 18:28:00 user notice 192.168.1.105 com.apple.xpc.launchd exiting bootstrap mode
    Mar 09 18:28:00 user warn 192.168.1.105 com.apple.xpc.launchd Service exited with abnormal code: 254
    Mar 09 18:28:20 user notice 192.168.1.105 com.apple.xpc.launchd entering bootstr

So the syslogd forwarding is working (although I'm not sure which service exited due to SIGKILL since that information isn't logged, but whatever, I'm getting logs forwarded by syslogd on Belial).
But when I run our stuff? Nothing comes through. This code compiles and runs:

    #include <stdio.h>
    #include <syslog.h>

    int main(void)
    {
      for (int pri = 0 ; pri < 8 ; pri++)
        syslog(pri,"This is a test %d",pri);
      return 0;
    }

But I'm not seeing the logs being forwarded. And even when I edited /etc/syslog.conf to read:

    # Note that flat file logs are now configured in /etc/asl.conf
    install.*    @127.0.0.1:32376
    *.*          @192.168.1.10
    *.*          /tmp/log-all-the-things.txt

The /tmp/log-all-the-things.txt file wasn't even created! There are messages being forwarded to 192.168.1.10, but aside from that, it's as if everything else in this file is being ignored.
After some searching, I did find out about the log program. I ran log stream --process syslogt in one window, then my test program syslogt in another, and behold:

    [sconner]belial:~>log stream --process syslogt
    Filtering the log data using "process BEGINSWITH[cd] "syslogt""
    Timestamp                       Thread   Type     Activity  PID    TTL
    2022-03-09 18:28:16.110052-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 0
    2022-03-09 18:28:16.110914-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 1
    2022-03-09 18:28:16.110943-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 2
    2022-03-09 18:28:16.110965-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 3
    2022-03-09 18:28:16.110986-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 4
    2022-03-09 18:28:16.111005-0500 0x3513e  Default  0x0       19313  0    syslogt: This is a test 5

Logs! Only … not all of them. syslog() supports eight levels of logging, yet this only shows six. The final two, levels LOG_INFO and LOG_DEBUG, aren't logged! Even editing the /etc/asl.conf file to read:

    # save everything from emergency to notice DEBUG
    ? [<= Level debug] store

Doesn't help. Levels LOG_INFO and LOG_DEBUG are simply dropped. And guess what level most of our logs are at? XXXX you, Apple!
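
A check for the gap described above, as an added example (not code from the original post): `missing_levels()` scans captured collector or `log stream` text for the test program's "This is a test N" messages and returns a bitmask of the levels that never arrived, and `process_mask_passes_all()` rules out the process's own `setlogmask()` filter as the cause. The function names are hypothetical, and the embedded sample is constructed from the message text of the `log stream` run above.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample: message text from the `log stream` run in the post. */
static const char SAMPLE[] =
    "syslogt: This is a test 0\n" "syslogt: This is a test 1\n"
    "syslogt: This is a test 2\n" "syslogt: This is a test 3\n"
    "syslogt: This is a test 4\n" "syslogt: This is a test 5\n";

/* Bitmask (LOG_MASK(level) bits) of the levels 0..7 whose test message
   never appears in the captured text; 0 means nothing was dropped. */
int missing_levels(const char *captured)
{
    static const char marker[] = "This is a test ";
    int seen = 0;
    const char *p = captured;

    while ((p = strstr(p, marker)) != NULL) {
        p += sizeof marker - 1;
        /* accept exactly one digit 0..7, not the start of a longer number */
        if (p[0] >= '0' && p[0] <= '7' && !(p[1] >= '0' && p[1] <= '9'))
            seen |= LOG_MASK(p[0] - '0');
    }
    return LOG_UPTO(LOG_DEBUG) & ~seen;
}

/* Nonzero when the calling process's own log mask lets all eight levels
   through; setlogmask(0) only queries the mask, it does not change it. */
int process_mask_passes_all(void)
{
    return (setlogmask(0) & LOG_UPTO(LOG_DEBUG)) == LOG_UPTO(LOG_DEBUG);
}

int main(void)
{
    static const char *name[] = { "emerg", "alert", "crit", "err",
                                  "warning", "notice", "info", "debug" };
    int missing = missing_levels(SAMPLE);

    printf("process mask passes all levels: %s\n",
           process_mask_passes_all() ? "yes" : "no");
    for (int pri = 0; pri < 8; pri++)
        if (missing & LOG_MASK(pri))
            printf("level %d (%s) never arrived\n", pri, name[pri]);
    return missing != 0;
}
```

Run against what the central server actually received, a nonzero result while the process mask passes everything means the loss happens after syslog() returns, which is a blind spot for any monitoring keyed to info or debug messages.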