hi ken,

-- On Friday, July 16, 2004 4:02 PM -0400 Ken Toney <ktoney@tiff.org> wrote:
I haven't gotten syslog-ng installed on OS X 10.3.4 yet, but can share with you some resources I have for information. You might try reading
I'd be happy to share my conf file with you once I get syslog-ng running, but I am one step behind you. I am trying to install syslog-ng 1.6.4 on OS X 10.3.4 and can't. Did you run into any problems installing syslog-ng?
i've got it all working now for local & remote logging ... here are my build notes ... not pretty, but hey ;-) hope this is helpful!

richard

========================================
1st, my env particulars ...

% /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004

% uname -v
Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC

% glibtool --version
ltmain.sh (GNU libtool) 1.5.6 (1.1220.2.94 2004/04/10 16:27:27)

% automake --version
automake (GNU automake) 1.8.5

% autoconf --version
autoconf (GNU Autoconf) 2.59

, and, BIND 9.2.3 in /usr/local/bind9

##################################################################
libol

wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.13.tar.gz
gnutar zxf libol-0.3.13.tar.gz

unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS

cd /usr/ports/libol-0.3.13

glibtoolize --force --copy ;\
aclocal ;\
autoconf

./configure \
  --prefix=/usr/local

make
make install

##################################################################
syslog-ng

wget http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot/syslog-ng-1.6.4+...
gnutar zxvf syslog-ng-1.6.4+20040714.tar.gz
mv syslog-ng-1.6.4+20040714 syslog-ng

cd /usr/ports/syslog-ng

unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS ;\
setenv LDFLAGS "-bind_at_load -L/usr/local/bind9/lib -llwres -lbind" ;\
setenv CPPFLAGS "-I/usr/local/bind9/include"

./configure \
  --prefix=/usr/local \
  --enable-debug \
  --enable-tcp-wrapper

make
make install

now, set up the Mac startup items; i kill syslogd, then replace with syslog-ng.

note: this *could* be done, instead, by mod-ing /etc/rc, where syslog is originally launched, but i haven't yet convinced myself the boot/startup process does NOT need original syslogd (pending question) ...
##################################################################
mkdir -p /Library/StartupItems/SyslogNG

==================================================
(EDITOR) /Library/StartupItems/SyslogNG/SyslogNG

#!/bin/sh

##
# SyslogNG StartupItem
#

# rather than . /etc/rc.common
#
[ -f /etc/hostconfig ] && . /etc/hostconfig

RunService ()
{
    case $1 in
        start  ) StartService   ;;
        stop   ) StopService    ;;
        restart) RestartService ;;
        *      ) echo "$0: unknown argument: $1";;
    esac
}

##
# SyslogNG StartupItem Handlers
##

StartService ()
{
    if [ "${SYSLOGNG:=-NO-}" = "-YES-" ]; then
        ConsoleMessage "Stopping SYSLOGD server"
        sleep 2
        killall syslogd
        ConsoleMessage "Starting SYSLOG-NG Logging Server"
        /usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslog-ng.pid
    fi
}

StopService ()
{
    if [ -f "/var/run/syslog-ng.pid" ] ; then
        ConsoleMessage "Stopping SYSLOG-NG server"
        sleep 2
        kill -9 `cat /var/run/syslog-ng.pid`
    fi
}

RestartService ()
{
    StopService
    StartService
}

RunService "$1"

=================================================================

==================================================
(EDITOR) /Library/StartupItems/SyslogNG/StartupParameters.plist

{
  Description     = "SyslogNG";
  Provides        = ("SyslogNG");
  Requires        = ("Resolver","Network Time","Disks");
  Uses            = ("Network");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting SyslogNG";
    stop  = "Stopping SyslogNG";
  };
}
==================================================

chown -R root:wheel /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG/SyslogNG ;\
chmod 644 /Library/StartupItems/SyslogNG/StartupParameters.plist

don't forget ...
==================================================
(EDITOR) /etc/hostconfig

+++ SYSLOGNG=-YES-
==================================================

here's a working conf file:

==================================================
(EDITOR) /etc/syslog-ng/syslog-ng.conf

###############################################################
## "/etc/syslog-ng/syslog-ng.conf" -- config file for syslog-ng
###############################################################

# FACILITY & LEVEL mappings from /usr/include/sys/syslog.h
#
# FACILITIES:
#   auth       : security/authorization messages
#   authpriv   : security/authorization messages (private)
#   cron       : clock daemon
#   daemon     : system daemons
#   ftp        : ftp daemon
#   kern       : kernel messages
#   lpr        : line printer subsystem
#   mail       : mail system
#   netinfo    : netinfo
#   news       : network news subsystem
#   remoteauth : remote authentication/authorization
#   syslog     : messages generated internally by syslogd
#   user       : random user-level messages
#   uucp       : uucp subsystem
#   /* reserved for local use */
#   local0, local1, local2, local3, local4, local5, local6, local7
#
# LEVELS: (highest to lowest priority ...)
#   .emerg   : A panic condition. This is normally broadcast to all users.
#   .alert   : A condition that should be corrected immediately, such as a corrupted system database.
#   .crit    : Critical conditions, e.g., hard device errors.
#   .err     : Errors.
#   .warning : Warning messages.
#   .notice  : Conditions that are not error conditions, but should possibly be handled specially.
#   .info    : Informational messages.
#   .debug   : Messages that contain information normally of use only when debugging a program.

#######################
## Global Options
#
options {
    use_fqdn(no);
    use_dns(yes);
#   dns_cache(yes);
    keep_hostname(yes);
    long_hostnames(off);
    sync(1);
    log_fifo_size(1024);
};

#######################
## Source Configs
#
source src_local {
    unix-dgram("/var/run/syslog" group("daemon") owner("root"));
    internal();
    pipe("/dev/klog" log_prefix("kernel: "));
    udp(ip("127.0.0.1") port(514));
};

source src_linksys {
    unix-dgram("/var/run/syslog" group("daemon") owner("root"));
    internal();
    udp(ip("10.0.0.6") port(514));
};

#######################
## Log Destinations
#
## by service
destination console { usertty("root"); };
destination install { file("/var/log/syslog-ng/install.log" group("admin") owner("root") perm(0640)); };
destination system  { file("/var/log/syslog-ng/system.log"  group("admin") owner("root") perm(0640)); };
destination secure  { file("/var/log/syslog-ng/secure.log"  group("admin") owner("root") perm(0640)); };
destination netinfo { file("/var/log/syslog-ng/netinfo.log" group("admin") owner("root") perm(0640)); };
destination kernel  { file("/var/log/syslog-ng/kernel.log"  group("admin") owner("root") perm(0640)); };
destination mail    { file("/var/log/syslog-ng/mail.log"    group("admin") owner("root") perm(0640)); };
destination ftp     { file("/var/log/syslog-ng/ftp.log"     group("admin") owner("root") perm(0640)); };
destination lpr     { file("/var/log/syslog-ng/lpr.log"     group("admin") owner("root") perm(0640)); };
destination cron    { file("/var/log/syslog-ng/cron.log"    group("admin") owner("root") perm(0640)); };
destination linksys { file("/var/log/syslog-ng/linksys.log" group("admin") owner("root") perm(0640)); };

#######################
## Facility Filters
#
filter f_auth       { facility(auth); };
filter f_authpriv   { facility(auth, authpriv); };
filter f_cron       { facility(cron); };
filter f_daemon     { facility(daemon); };
filter f_ftp        { facility(ftp); };
filter f_kern       { facility(kern); };
filter f_lpr        { facility(lpr); };
filter f_mail       { facility(mail); };
#filter f_netinfo   { facility(netinfo); };
filter f_news       { facility(news); };
#filter f_remoteauth { facility(remoteauth); };
filter f_syslog     { not facility(authpriv, mail); };
filter f_user       { facility(user); };
filter f_uucp       { facility(uucp); };
filter f_local0     { facility(local0); };
filter f_local1     { facility(local1); };
filter f_local2     { facility(local2); };
filter f_local3     { facility(local3); };
filter f_local4     { facility(local4); };
filter f_local5     { facility(local5); };
filter f_local6     { facility(local6); };
filter f_local7     { facility(local7); };

#######################
## Level Filters
#
filter f_emerg   { level(emerg); };
filter f_alert   { level(alert); };
filter f_crit    { level(crit); };
filter f_err     { level(err); };
filter f_warning { level(warning); };
filter f_notice  { level(notice); };
filter f_info    { level(info); };
filter f_debug   { level(debug); };

#######################
## Log Policies
#
#filter f_debug    { not facility(auth, authpriv, news, mail); };
#filter f_messages { level(info..warn)
#                    and not facility(auth, authpriv, mail, news); };

## local
#
log { source(src_local); filter(f_authpriv); destination(secure); };
log { source(src_local); filter(f_syslog);   destination(system); };
log { source(src_local); filter(f_cron);     destination(cron); };
log { source(src_local); filter(f_daemon);   destination(kernel); };
log { source(src_local); filter(f_kern);     destination(kernel); };
log { source(src_local); filter(f_lpr);      destination(lpr); };
log { source(src_local); filter(f_mail);     destination(mail); };
log { source(src_local); filter(f_emerg);    destination(console); };
#log { source(src_local); destination(console_all); };

## linksys
#
log { source(src_linksys); filter(f_user); destination(linksys); };
=====================================================================

#############################################################
i then use 'logrotate' to manage/rotate all the logs as desired ...
just fyi, some additional reading i haven't gotten to:

sending apache logs to syslog-ng
https://lists.balabit.hu/pipermail/syslog-ng/2001-February/001208.html

advanced log processing
http://www.securityfocus.com/infocus/1613

getting syslog-ng into postgresql
https://lists.balabit.hu/pipermail/syslog-ng/2002-April/003249.html
http://www.kdough.net/docs/syslog_postgresql/

Linksys Log Analysis tool?
http://forums.macosxhints.com/archive/index.php/t-9090
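An added routing check, written for this page and not part of the thread or of syslog-ng itself: given a conf in the syslog-ng 1.6 style above, it works out which destination each facility actually lands in and which destinations no log statement references (in the conf above, for instance, install, netinfo and ftp have destinations but no log statement, so those messages only reach system.log through f_syslog). It assumes single-term facility()/level() filters and one source/filter/destination per log statement; CONF is a constructed excerpt, not the thread's full file.

```python
import re
# Constructed excerpt in the syslog-ng 1.6 syntax of the thread's conf (trimmed).
CONF = """
destination secure { file("/var/log/syslog-ng/secure.log"); };
destination system { file("/var/log/syslog-ng/system.log"); };
destination mail   { file("/var/log/syslog-ng/mail.log"); };
destination ftp    { file("/var/log/syslog-ng/ftp.log"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog   { not facility(authpriv, mail); };
filter f_mail     { facility(mail); };
filter f_ftp      { facility(ftp); };
#filter f_netinfo { facility(netinfo); };
log { source(src_local); filter(f_authpriv); destination(secure); };
log { source(src_local); filter(f_syslog);   destination(system); };
log { source(src_local); filter(f_mail);     destination(mail); };
"""
# Facility names from the conf's own comment block (sys/syslog.h on OS X 10.3).
FACILITIES = ("auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "netinfo", "news", "remoteauth", "syslog", "user", "uucp")
# Single-term filters only: "filter NAME { [not] facility(...)|level(...); };"
FILTER_RE = re.compile(r'^\s*filter\s+(\w+)\s*\{\s*(not\s+)?(facility|level)\(([^)]*)\)\s*;\s*\}\s*;', re.M)
LOG_RE = re.compile(r'^\s*log\s*\{([^}]*)\}\s*;', re.M)
DEST_RE = re.compile(r'^\s*destination\s+(\w+)', re.M)

def parse_filters(conf):
    """Map filter name -> set of facilities it can match (commented lines are skipped)."""
    filters = {}
    for name, negated, kind, args in FILTER_RE.findall(conf):
        if kind == "level":          # level() does not restrict facility
            filters[name] = set(FACILITIES)
            continue
        facs = {a.strip() for a in args.split(",")}
        filters[name] = set(FACILITIES) - facs if negated else facs
    return filters

def routing(conf):
    """Return (facility -> set of destinations, sorted destinations no log{} uses)."""
    filters, used = parse_filters(conf), set()
    route = {f: set() for f in FACILITIES}
    for body in LOG_RE.findall(conf):
        flt = re.search(r'filter\((\w+)\)', body)
        dst = re.search(r'destination\((\w+)\)', body).group(1)
        used.add(dst)
        if flt and flt.group(1) not in filters:
            raise ValueError(f"filter {flt.group(1)} is not a single-term filter")
        for fac in (filters[flt.group(1)] if flt else FACILITIES):
            route[fac].add(dst)
    return route, sorted(set(DEST_RE.findall(conf)) - used)
```

Run routing(CONF) to see that auth is written to both secure and system (f_authpriv includes auth, and f_syslog does not exclude it), while ftp has a destination that nothing feeds.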