[syslog-ng]success: syslog-ng on OSX 10.3.4

OpenMacNews syslog-ng@lists.balabit.hu
Fri, 16 Jul 2004 13:28:38 -0700


hi ken,

-- On Friday, July 16, 2004 4:02 PM -0400  Ken Toney <ktoney@tiff.org> wrote:
> I haven't gotten syslog-ng installed on OS X 10.3.4 yet, but can share with you some resources I have for information. You might try reading

> I'd be happy to share my conf file with you once I get syslog-ng running, but I am one step behind you. I am trying to install syslog-ng 1.6.4 on OS X 10.3.4 and can't. Did you run into any problems installing syslog-ng?

i've got it all working now for local & remote logging ...

here are my build notes ... not pretty, but hey ;-)

hope this is helpful!

richard

========================================

1st, my env particulars ...

	% /usr/local/ssl/bin/openssl version
		OpenSSL 0.9.7d 17 Mar 2004
	% uname -v
		Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC
	% glibtool --version
		ltmain.sh (GNU libtool) 1.5.6 (1.1220.2.94 2004/04/10 16:27:27)
	% automake --version
		automake (GNU automake) 1.8.5
	% autoconf --version
		autoconf (GNU Autoconf) 2.59
	and BIND 9.2.3 in /usr/local/bind9


##################################################################
libol
wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.13.tar.gz

gnutar zxf libol-0.3.13.tar.gz

unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS

cd /usr/ports/libol-0.3.13

glibtoolize --force --copy ;\
aclocal ;\
autoconf

./configure \
--prefix=/usr/local

make

make install


##################################################################
syslog-ng
wget http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot/syslog-ng-1.6.4+20040714.tar.gz

gnutar zxvf syslog-ng-1.6.4+20040714.tar.gz
mv syslog-ng-1.6.4+20040714 syslog-ng
cd /usr/ports/syslog-ng

unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS ;\
setenv LDFLAGS "-bind_at_load -L/usr/local/bind9/lib -llwres -lbind" ;\
setenv CPPFLAGS "-I/usr/local/bind9/include"

./configure \
--prefix=/usr/local \
--enable-debug \
--enable-tcp-wrapper

make
make install



now, set up the Mac startup items; i kill syslogd, then replace with syslog-ng.

note: this *could* be done, instead, by mod-ing /etc/rc, where syslog is originally launched, but i haven't yet convinced myself the boot/startup process does NOT need original syslogd (pending question) ...


##################################################################
mkdir -p /Library/StartupItems/SyslogNG
==================================================
(EDITOR) /Library/StartupItems/SyslogNG/SyslogNG
#!/bin/sh

##
# SyslogNG StartupItem
#

# /etc/rc.common defines ConsoleMessage and sources /etc/hostconfig
# itself, so use it rather than sourcing /etc/hostconfig directly:
. /etc/rc.common
# [ -f /etc/hostconfig ] && . /etc/hostconfig

RunService ()
{
	case $1 in
		start  ) StartService   ;;
		stop   ) StopService    ;;
		restart) RestartService ;;
		*      ) echo "$0: unknown argument: $1";;
	esac
}

##
# SyslogNG StartupItem Handlers
##

StartService ()
{
	if [ "${SYSLOGNG:=-NO-}" = "-YES-" ]; then
		# Apple's syslogd is launched from /etc/rc; take it down first
		# so it no longer holds /var/run/syslog and /dev/klog.
		ConsoleMessage "Stopping SYSLOGD server"
		sleep 2
		killall syslogd
		ConsoleMessage "Starting SYSLOG-NG Logging Server"
		/usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslog-ng.pid
	fi
}

StopService ()
{
	if [ -f "/var/run/syslog-ng.pid" ] ; then
		ConsoleMessage "Stopping SYSLOG-NG server"
		sleep 2
		# SIGTERM (the default) lets syslog-ng flush and close its
		# destinations; SIGKILL would drop anything still buffered.
		kill `cat /var/run/syslog-ng.pid`
	fi
}

RestartService ()
{
	StopService
	StartService
}

RunService "$1"
=================================================================

==================================================
(EDITOR) /Library/StartupItems/SyslogNG/StartupParameters.plist
{
  Description     = "SyslogNG";
  Provides        = ("SyslogNG");
  Requires        = ("Resolver","Network Time","Disks");
  Uses            = ("Network");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting SyslogNG";
    stop  = "Stopping SyslogNG";
  };
}
==================================================

chown -R root:wheel /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG/SyslogNG ;\
chmod 644 /Library/StartupItems/SyslogNG/StartupParameters.plist


don't forget ...
==================================================
(EDITOR) /etc/hostconfig
+++	SYSLOGNG=-YES-
==================================================




here's a working conf file:

==================================================
(EDITOR)/etc/syslog-ng/syslog-ng.conf

###############################################################
## "/etc/syslog-ng/syslog-ng.conf" -- config file for syslog-ng


###############################################################
# FACILITY & LEVEL mappings from /usr/include/sys/syslog.h

# FACILITIES:
#       auth            : security/authorization messages
#       authpriv        : security/authorization messages (private)
#       cron            : clock daemon
#       daemon          : system daemons
#       ftp                     : ftp daemon
#       kern            : kernel messages
#       lpr                     : line printer subsystem
#       mail            : mail system
#       netinfo         : netinfo
#       news            : network news subsystem
#       remoteauth      : remote authentication/authorization
#       syslog          : messages generated internally by syslogd
#       user            : random user-level messages
#       uucp            : uucp subsystem

# /* reserved for local use */
#       local0, local1, local2, local3, local4, local5, local6, local7

# LEVELS: (highest to lowest priority ...)
#       .emerg          : A panic condition.  This is normally broadcast to all users.
#       .alert          : A condition that should be corrected immediately, such as a corrupted system database.
#       .crit           : Critical conditions, e.g., hard device errors.
#       .err            : Errors.
#       .warning        : Warning messages.
#       .notice         : Conditions that are not error conditions, but should possibly be handled specially.
#       .info           : Informational messages.
#       .debug          : Messages that contain information normally of use only when debugging a program.


#######################
## Global Options
#

options {
        use_fqdn(no);
        use_dns(yes);
#       dns_cache(yes);
        keep_hostname(yes);
        long_hostnames(off);
        sync(1);
        log_fifo_size(1024);
};

#######################
## Source Configs
#

# local: Apple's syslog socket, syslog-ng's own messages, the kernel
# log device, and syslog over loopback UDP
source src_local {
        unix-dgram("/var/run/syslog" group("daemon") owner("root"));
        internal();
        pipe("/dev/klog" log_prefix("kernel: "));
        udp(ip("127.0.0.1") port(514));
};

# remote: the Linksys router sends to this host's LAN address.
# /var/run/syslog and internal() belong to src_local only; opening the
# same unix socket from two sources makes the second one take it over,
# and listing internal() twice duplicates syslog-ng's own messages.
source src_linksys {
        udp(ip("10.0.0.6") port(514));
};

#######################
## Log Destinations
#

## by service
destination console             { usertty("root"); };
destination install             { file("/var/log/syslog-ng/install.log" group("admin") owner("root") perm(0640) );     };
destination system              { file("/var/log/syslog-ng/system.log"  group("admin") owner("root") perm(0640) );     };
destination secure              { file("/var/log/syslog-ng/secure.log"  group("admin") owner("root") perm(0640) );     };

destination netinfo             { file("/var/log/syslog-ng/netinfo.log" group("admin") owner("root") perm(0640) );     };
destination kernel              { file("/var/log/syslog-ng/kernel.log"  group("admin") owner("root") perm(0640) );     };
destination mail                { file("/var/log/syslog-ng/mail.log"    group("admin") owner("root") perm(0640) );     };
destination ftp                 { file("/var/log/syslog-ng/ftp.log"             group("admin") owner("root") perm(0640));       };
destination lpr                 { file("/var/log/syslog-ng/lpr.log"             group("admin") owner("root") perm(0640));       };

destination cron                { file("/var/log/syslog-ng/cron.log"    group("admin") owner("root") perm(0640) );     };

destination linksys             { file("/var/log/syslog-ng/linksys.log" group("admin") owner("root") perm(0640) );     };

#######################
## Facility Filters
#

filter f_auth           { facility(auth);               };
filter f_authpriv       { facility(auth, authpriv);     };
filter f_cron           { facility(cron);               };
filter f_daemon         { facility(daemon);             };
filter f_ftp            { facility(ftp);                };
filter f_kern           { facility(kern);               };
filter f_lpr            { facility(lpr);                };
filter f_mail           { facility(mail);               };
#filter f_netinfo       { facility(netinfo);    };
filter f_news           { facility(news);               };
#filter f_remoteauth    { facility(remoteauth); };
filter f_syslog         { not facility(authpriv, mail);         };
filter f_user           { facility(user);               };
filter f_uucp           { facility(uucp);               };
filter f_local0         { facility(local0);             };
filter f_local1         { facility(local1);             };
filter f_local2         { facility(local2);             };
filter f_local3         { facility(local3);             };
filter f_local4         { facility(local4);             };
filter f_local5         { facility(local5);             };
filter f_local6         { facility(local6);             };
filter f_local7         { facility(local7);             };

#######################
## Level Filters
#

filter f_emerg          { level(emerg);                 };
filter f_alert          { level(alert);                 };
filter f_crit           { level(crit);                  };
filter f_err            { level(err);                   };
filter f_warning        { level(warning);               };
filter f_notice         { level(notice);                };
filter f_info           { level(info);                  };
filter f_debug          { level(debug);                 };


#######################
## Log Policies
#

#filter f_debug         { not facility(auth, authpriv, news, mail); };
#filter f_messages      { level(info..warn)
#                                               and not facility(auth, authpriv, mail, news); };


## local
#
        log { source(src_local);        filter(f_authpriv);     destination(secure); };
        log { source(src_local);        filter(f_syslog);       destination(system); };
        log { source(src_local);        filter(f_cron);         destination(cron); };
        log { source(src_local);        filter(f_daemon);       destination(kernel); };
        log { source(src_local);        filter(f_kern);         destination(kernel); };
        log { source(src_local);        filter(f_lpr);          destination(lpr); };
        log { source(src_local);        filter(f_mail);         destination(mail); };
        log { source(src_local);        filter(f_emerg);        destination(console); };
        #log { source(src_local); destination(console_all); };

## linksys
#
        log { source(src_linksys);      filter(f_user);         destination(linksys); };
=====================================================================

#############################################################

i then use 'logrotate' to manage/rotate all the logs as desired ...


just fyi, some additional reading i haven't gotten to:

	sending apache logs to syslog-ng
		https://lists.balabit.hu/pipermail/syslog-ng/2001-February/001208.html
	
	advanced log processing
		http://www.securityfocus.com/infocus/1613
	
	
	getting syslog-ng into postgresql
		https://lists.balabit.hu/pipermail/syslog-ng/2002-April/003249.html
		http://www.kdough.net/docs/syslog_postgresql/
	
	Linksys Log Analysis tool?
		http://forums.macosxhints.com/archive/index.php/t-9090
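An added example, not part of Richard's post: the remote part of the configuration above, tightened so that only datagrams from the router's own address reach linksys.log. The router address 10.0.0.1, the filter name f_from_linksys and the log statement are assumptions for illustration; the netmask() filter is a syslog-ng 1.6 filter function, and the listening address 10.0.0.6 is taken from the post.

```conf
## remote: Linksys router only
#
# Listen on the LAN interface only. /var/run/syslog and internal()
# stay in src_local so each is opened exactly once.
source src_linksys {
        udp(ip("10.0.0.6") port(514));
};

# Accept only datagrams whose source address is the router
# (10.0.0.1 is an assumed address; substitute the real one).
# UDP has no handshake, so a forged source address still passes;
# this keeps other LAN hosts from writing into linksys.log,
# it is not authentication of the router.
filter f_from_linksys   { netmask("10.0.0.1/32");       };

destination linksys     { file("/var/log/syslog-ng/linksys.log" group("admin") owner("root") perm(0640) );     };

# several filter() references in one log statement are AND-ed
log { source(src_linksys); filter(f_from_linksys); filter(f_user); destination(linksys); };
```

Two caveats that go with it: keep_hostname(yes) in the global options means the hostname field written to linksys.log is whatever the sender put in the packet, so treat it as a label, not as evidence; and because the UDP source is open to the whole LAN segment, anything that matters should be confirmed against the router's own log rather than this file alone. Check the file with syslog-ng's -s (syntax only) switch before restarting the StartupItem.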