[syslog-ng]success: syslog-ng on OSX 10.3.4
OpenMacNews
syslog-ng@lists.balabit.hu
Fri, 16 Jul 2004 13:28:38 -0700
hi ken,
-- On Friday, July 16, 2004 4:02 PM -0400 Ken Toney <ktoney@tiff.org> wrote:
> I haven't gotten syslog-ng installed on OS X 10.3.4 yet, but can share with you some resources I have for information. You might try reading
> I'd be happy to share my conf file with you once I get syslog-ng running, but I am one step behind you. I am trying to install syslog-ng 1.6.4 on OS X 10.3.4 and can't. Did you run into any problems installing syslog-ng?
i've got it all working now for local & remote logging ...
here are my build notes ... not pretty, but hey ;-)
hope this is helpful!
richard
========================================
1st, my env particulars ...
% /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004
% uname -v
Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC
% glibtool --version
ltmain.sh (GNU libtool) 1.5.6 (1.1220.2.94 2004/04/10 16:27:27)
% automake --version
automake (GNU automake) 1.8.5
% autoconf --version
autoconf (GNU Autoconf) 2.59
... and BIND 9.2.3 in /usr/local/bind9
##################################################################
libol
wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.13.tar.gz
gnutar zxf libol-0.3.13.tar.gz
unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS
cd /usr/ports/libol-0.3.13
glibtoolize --force --copy ;\
aclocal ;\
autoconf
./configure \
--prefix=/usr/local
make
make install
##################################################################
syslog-ng
wget http://www.balabit.com/downloads/syslog-ng/1.6/src-snapshot/syslog-ng-1.6.4+20040714.tar.gz
gnutar zxvf syslog-ng-1.6.4+20040714.tar.gz
mv syslog-ng-1.6.4+20040714 syslog-ng
cd /usr/ports/syslog-ng
unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND EXTRA_LDFLAGS EXTRA_LIBS LC_ALL LANG LINGUAS ;\
setenv LDFLAGS "-bind_at_load -L/usr/local/bind9/lib -llwres -lbind" ;\
setenv CPPFLAGS "-I/usr/local/bind9/include"
./configure \
--prefix=/usr/local \
--enable-debug \
--enable-tcp-wrapper
make
make install
now, set up the Mac startup items; i kill syslogd, then replace with syslog-ng.
note: this *could* be done, instead, by mod-ing /etc/rc, where syslog is originally launched, but i haven't yet convinced myself the boot/startup process does NOT need original syslogd (pending question) ...
##################################################################
mkdir -p /Library/StartupItems/SyslogNG
==================================================
(EDITOR) /Library/StartupItems/SyslogNG/SyslogNG
#!/bin/sh
##
# SyslogNG StartupItem
#
# rc.common provides ConsoleMessage and already sources /etc/hostconfig,
# so the SYSLOGNG flag set there is visible below; sourcing hostconfig
# directly (the commented line) is not needed.
. /etc/rc.common
# [ -f /etc/hostconfig ] && . /etc/hostconfig

RunService ()
{
    case $1 in
      start  ) StartService   ;;
      stop   ) StopService    ;;
      restart) RestartService ;;
      *      ) echo "$0: unknown argument: $1";;
    esac
}

##
# SyslogNG StartupItem Handlers
##
StartService ()
{
    if [ "${SYSLOGNG:=-NO-}" = "-YES-" ]; then
        # stop the stock BSD syslogd first so the two daemons do not fight
        # over /var/run/syslog and /dev/klog
        ConsoleMessage "Stopping SYSLOGD server"
        sleep 2
        killall syslogd
        ConsoleMessage "Starting SYSLOG-NG Logging Server"
        /usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf -p /var/run/syslog-ng.pid
    fi
}

StopService ()
{
    if [ -f "/var/run/syslog-ng.pid" ] ; then
        ConsoleMessage "Stopping SYSLOG-NG server"
        sleep 2
        # SIGTERM lets syslog-ng flush queued messages and remove its pid
        # file; SIGKILL (-9) would drop anything still buffered
        kill `cat /var/run/syslog-ng.pid`
    fi
}

RestartService ()
{
    StopService
    StartService
}

RunService "$1"
=================================================================
==================================================
(EDITOR) /Library/StartupItems/SyslogNG/StartupParameters.plist
{
  Description     = "SyslogNG";
  Provides        = ("SyslogNG");
  Requires        = ("Resolver", "Network Time", "Disks");
  Uses            = ("Network");
  OrderPreference = "None";
  Messages =
  {
    start = "Starting SyslogNG";
    stop  = "Stopping SyslogNG";
  };
}
==================================================
chown -R root:wheel /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG ;\
chmod 755 /Library/StartupItems/SyslogNG/SyslogNG ;\
chmod 644 /Library/StartupItems/SyslogNG/StartupParameters.plist
don't forget ...
==================================================
(EDITOR) /etc/hostconfig
+++ SYSLOGNG=-YES-
==================================================
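since the StartupItem above is executed by root at every boot, the thing worth checking after the chown/chmod step is that nobody else can write to it, and that the hostconfig flag really is set (otherwise StartService silently does nothing). the following is an added example, not part of this post or of syslog-ng: a small audit in Python that checks the modes from the chown/chmod lines, the presence of the script and plist, and the SYSLOGNG= line. the demo() function builds two constructed trees under a temp dir (one correct, one with a world-writable script and SYSLOGNG=-NO-) so it runs without root; the root:wheel ownership check is skipped for those constructed trees only.

```python
import os
import stat
import tempfile

PLIST_NAME = "StartupParameters.plist"


def read_hostconfig_flag(path, key):
    """Return the value after KEY= in a hostconfig-style file, or None if absent."""
    try:
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if line.startswith(key + "="):
                    return line[len(key) + 1:]
    except OSError:
        return None
    return None


def audit_startup_item(item_dir, hostconfig_path, check_owner=True):
    """Return a list of findings (empty list == the item looks right).

    item_dir        e.g. /Library/StartupItems/SyslogNG
    hostconfig_path e.g. /etc/hostconfig
    check_owner     verify root:wheel (disabled for the unprivileged demo tree)
    """
    findings = []
    if not os.path.isdir(item_dir):
        return ["missing directory %s" % item_dir]
    name = os.path.basename(item_dir.rstrip("/"))
    # expected modes, matching the chmod 755 / 755 / 644 step above
    targets = {
        item_dir: 0o755,
        os.path.join(item_dir, name): 0o755,
        os.path.join(item_dir, PLIST_NAME): 0o644,
    }
    for path, wanted in targets.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append("missing %s" % path)
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            # anything root runs at boot must not be writable by other users
            findings.append("%s: mode %04o is group/world writable" % (path, mode))
        elif mode != wanted:
            findings.append("%s: mode %04o, expected %04o" % (path, mode, wanted))
        if check_owner and (st.st_uid != 0 or st.st_gid != 0):
            findings.append("%s: not owned by root:wheel" % path)

    flag = read_hostconfig_flag(hostconfig_path, "SYSLOGNG")
    if flag is None:
        findings.append("%s: no SYSLOGNG= line, StartService will never run" % hostconfig_path)
    elif flag != "-YES-":
        findings.append("%s: SYSLOGNG=%s, service stays disabled" % (hostconfig_path, flag))
    return findings


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Build two constructed StartupItem trees in a temp dir and audit both.

    'good' mirrors the chown/chmod step; 'bad' has a 0777 script and
    SYSLOGNG=-NO-.  Returns {label: findings}.
    """
    base = tempfile.mkdtemp()
    results = {}
    for label, script_mode, flag in (("good", 0o755, "-YES-"),
                                     ("bad", 0o777, "-NO-")):
        item = os.path.join(base, label, "SyslogNG")
        os.makedirs(item)
        os.chmod(item, 0o755)
        _write(os.path.join(item, "SyslogNG"),
               "#!/bin/sh\n. /etc/rc.common\n", script_mode)
        _write(os.path.join(item, PLIST_NAME),
               '{ Description = "SyslogNG"; Provides = ("SyslogNG"); }\n', 0o644)
        hostconfig = os.path.join(base, label, "hostconfig")
        _write(hostconfig, "SYSLOGNG=%s\n" % flag, 0o644)
        results[label] = audit_startup_item(item, hostconfig, check_owner=False)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

on a real box you would call audit_startup_item("/Library/StartupItems/SyslogNG", "/etc/hostconfig") as root and expect an empty list.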
here's a working conf file:
==================================================
(EDITOR) /etc/syslog-ng/syslog-ng.conf
###############################################################
## "/etc/syslog-ng/syslog-ng.conf" -- config file for syslog-ng
###############################################################
# FACILITY & LEVEL mappings from /usr/include/sys/syslog.h
# FACILITIES:
# auth : security/authorization messages
# authpriv : security/authorization messages (private)
# cron : clock daemon
# daemon : system daemons
# ftp : ftp daemon
# kern : kernel messages
# lpr : line printer subsystem
# mail : mail system
# netinfo : netinfo
# news : network news subsystem
# remoteauth : remote authentication/authorization
# syslog : messages generated internally by syslogd
# user : random user-level messages
# uucp : uucp subsystem
# /* reserved for local use */
# local0, local1, local2, local3, local4, local5, local6, local7
# LEVELS: (highest to lowest priority ...)
# .emerg : A panic condition. This is normally broadcast to all users.
# .alert : A condition that should be corrected immediately, such as a corrupted system database.
# .crit : Critical conditions, e.g., hard device errors.
# .err : Errors.
# .warning : Warning messages.
# .notice : Conditions that are not error conditions, but should possibly be handled specially.
# .info : Informational messages.
# .debug : Messages that contain information normally of use only when debugging a program.
#######################
## Global Options
#
options {
    use_fqdn(no);
    use_dns(yes);
    # dns_cache(yes);
    keep_hostname(yes);
    long_hostnames(off);
    sync(1);
    log_fifo_size(1024);
};
#######################
## Source Configs
#
# local messages: the BSD syslog socket, syslog-ng's own messages, the
# kernel log device and the loopback UDP port
source src_local {
    unix-dgram("/var/run/syslog" group("daemon") owner("root"));
    internal();
    pipe("/dev/klog" log_prefix("kernel: "));
    udp(ip("127.0.0.1") port(514));
};
# router messages: only the UDP listener on the LAN address the Linksys
# sends to; listing unix-dgram() and internal() here a second time would
# make local user-level messages eligible for linksys.log, so they stay
# in src_local only
source src_linksys {
    udp(ip("10.0.0.6") port(514));
};
#######################
## Log Destinations
#
## by service
destination console { usertty("root"); };
destination install { file("/var/log/syslog-ng/install.log" group("admin") owner("root") perm(0640) ); };
destination system { file("/var/log/syslog-ng/system.log" group("admin") owner("root") perm(0640) ); };
destination secure { file("/var/log/syslog-ng/secure.log" group("admin") owner("root") perm(0640) ); };
destination netinfo { file("/var/log/syslog-ng/netinfo.log" group("admin") owner("root") perm(0640) ); };
destination kernel { file("/var/log/syslog-ng/kernel.log" group("admin") owner("root") perm(0640) ); };
destination mail { file("/var/log/syslog-ng/mail.log" group("admin") owner("root") perm(0640) ); };
destination ftp { file("/var/log/syslog-ng/ftp.log" group("admin") owner("root") perm(0640)); };
destination lpr { file("/var/log/syslog-ng/lpr.log" group("admin") owner("root") perm(0640)); };
destination cron { file("/var/log/syslog-ng/cron.log" group("admin") owner("root") perm(0640) ); };
destination linksys { file("/var/log/syslog-ng/linksys.log" group("admin") owner("root") perm(0640) ); };
#######################
## Facility Filters
#
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_ftp { facility(ftp); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
#filter f_netinfo { facility(netinfo); };
filter f_news { facility(news); };
#filter f_remoteauth { facility(remoteauth); };
# everything except authpriv and mail; this also matches auth, so auth
# messages land in both secure.log and system.log
filter f_syslog { not facility(authpriv, mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_local0 { facility(local0); };
filter f_local1 { facility(local1); };
filter f_local2 { facility(local2); };
filter f_local3 { facility(local3); };
filter f_local4 { facility(local4); };
filter f_local5 { facility(local5); };
filter f_local6 { facility(local6); };
filter f_local7 { facility(local7); };
#######################
## Level Filters
#
filter f_emerg { level(emerg); };
filter f_alert { level(alert); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_warning { level(warning); };
filter f_notice { level(notice); };
filter f_info { level(info); };
filter f_debug { level(debug); };
#######################
## Log Policies
#
#filter f_debug { not facility(auth, authpriv, news, mail); };
#filter f_messages { level(info..warn)
# and not facility(auth, authpriv, mail, news); };
## local
#
log { source(src_local); filter(f_authpriv); destination(secure); };
log { source(src_local); filter(f_syslog); destination(system); };
log { source(src_local); filter(f_cron); destination(cron); };
log { source(src_local); filter(f_daemon); destination(kernel); };
log { source(src_local); filter(f_kern); destination(kernel); };
log { source(src_local); filter(f_lpr); destination(lpr); };
log { source(src_local); filter(f_mail); destination(mail); };
log { source(src_local); filter(f_emerg); destination(console); };
#log { source(src_local); destination(console_all); };
## linksys
#
log { source(src_linksys); filter(f_user); destination(linksys); };
=====================================================================
#############################################################
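to see where a given message actually ends up with the filters above, it helps to replay the routing by hand: a BSD syslog datagram starts with <PRI>, where PRI = facility*8 + level using the numbering from sys/syslog.h, and every log{} statement whose filter matches delivers a copy (there is no "final" in this conf, so one message can reach several files). the following is an added example, not part of this post or of syslog-ng: a Python decoder for the PRI field plus a hand-transcription of the conf's filters and log paths. it assumes the standard facility numbers (kern=0 .. ftp=11, local0..7 = 16..23), that netinfo and remoteauth occupy slots 12 and 13 on Darwin, and treats a missing <PRI> as user.notice per RFC 3164; the sample lines are constructed.

```python
import re

# facility numbers from sys/syslog.h; 12/13 = netinfo/remoteauth is the
# Darwin numbering assumed here, 14/15 are unused by this conf and just
# given placeholder names
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "netinfo", "remoteauth",
    "reserved14", "reserved15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# levels, highest priority first (emerg=0 ... debug=7)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# the conf's filters as predicates on (facility, severity), transcribed by hand
FILTERS = {
    "f_authpriv": lambda f, s: f in ("auth", "authpriv"),
    "f_syslog":   lambda f, s: f not in ("authpriv", "mail"),
    "f_cron":     lambda f, s: f == "cron",
    "f_daemon":   lambda f, s: f == "daemon",
    "f_kern":     lambda f, s: f == "kern",
    "f_lpr":      lambda f, s: f == "lpr",
    "f_mail":     lambda f, s: f == "mail",
    "f_emerg":    lambda f, s: s == "emerg",
    "f_user":     lambda f, s: f == "user",
}
# the conf's log { source; filter; destination } statements, in file order
LOG_PATHS = [
    ("src_local",   "f_authpriv", "secure"),
    ("src_local",   "f_syslog",   "system"),
    ("src_local",   "f_cron",     "cron"),
    ("src_local",   "f_daemon",   "kernel"),
    ("src_local",   "f_kern",     "kernel"),
    ("src_local",   "f_lpr",      "lpr"),
    ("src_local",   "f_mail",     "mail"),
    ("src_local",   "f_emerg",    "console"),
    ("src_linksys", "f_user",     "linksys"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line):
    """Parse one BSD-syslog datagram; no <PRI> prefix means <13> = user.notice (RFC 3164)."""
    m = PRI_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group(1)))
        msg = m.group(2)
    else:
        facility, severity = decode_pri(13)
        msg = line
    return {"facility": facility, "severity": severity, "msg": msg}


def route(source, facility, severity):
    """Destinations the message reaches: every matching log{} delivers a copy."""
    return [dest for src, flt, dest in LOG_PATHS
            if src == source and FILTERS[flt](facility, severity)]


# constructed sample datagrams, tagged with the source they would arrive on
SAMPLE = [
    ("src_local",   "<38>Jul 16 13:28:38 mac sshd[412]: Accepted publickey for richard"),
    ("src_local",   "<86>Jul 16 13:28:40 mac sudo: richard : TTY=ttyp1 ; COMMAND=/bin/ls"),
    ("src_local",   "<0>Jul 16 13:29:01 mac kernel: constructed emergency message"),
    ("src_local",   "<22>Jul 16 13:29:05 mac postfix/smtpd[500]: connect from localhost"),
    ("src_linksys", "<14>Jul 16 13:29:10 10.0.0.6 @in DROP TCP constructed router line"),
]


def route_samples(samples=SAMPLE):
    """Return [(source, facility, severity, [destinations]), ...] for the samples."""
    rows = []
    for source, line in samples:
        rec = parse_line(line)
        rows.append((source, rec["facility"], rec["severity"],
                     route(source, rec["facility"], rec["severity"])))
    return rows


if __name__ == "__main__":
    for source, fac, sev, dests in route_samples():
        print("%-11s %s.%-8s -> %s" % (source, fac, sev, ", ".join(dests) or "(dropped)"))
```

two things the replay makes visible: an auth.info line (<38>) is written to both secure.log and system.log because f_syslog only excludes authpriv and mail, while an authpriv line (<86>) goes to secure.log alone; and a kern.emerg line reaches system.log, kernel.log and root's tty at once.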
i then use 'logrotate' to manage/rotate all the logs as desired ...
just fyi, some additional reading i haven't gotten to:
sending apache logs to syslog-ng
https://lists.balabit.hu/pipermail/syslog-ng/2001-February/001208.html
advanced log processing
http://www.securityfocus.com/infocus/1613
getting syslog-ng into postgresql
https://lists.balabit.hu/pipermail/syslog-ng/2002-April/003249.html
http://www.kdough.net/docs/syslog_postgresql/
Linksys Log Analysis tool?
http://forums.macosxhints.com/archive/index.php/t-9090