Logging – Collecting Mac logs to your Logging VM

Perhaps you have made yourself a logging vm, or even a logging machine out of an old laptop using my pdf instructions.  At home I actually turned a real old IBM Thinkpad A22m into a unbuntu logging machine.  Just like my directions only no vmware.

I send all my network hardware logs via syslog to the machine.  BUT I also did one simple change to the syslog.conf on every mac in my house.  Now all my mac logs collect into my machine for searching in Splunk.

  1. Just open Terminal on your mac.
  2. sudo vi /etc/syslog.conf
  3. edit the file and add the following line, substituting your own logging machine IP address.
    *.*               @loggingmachineipaddress
  4. Make sure to use an actual ip address in place of loggingmachineipaddress.  I tried using the bonjour or mdns name like logger.local and my macs never consistently sent logs.  So changing to IP address it seemed to work after that.
  5. Next if you are in Leopard you can do the following two terminal commands to restart syslog and pick up the config change.  Otherwise you could also just reboot your mac.
  6. sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
  7. sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
Share