Saturday, 20 August 2011

Enabling MacOS X Lion syslog server for use with a DrayTek router

DrayTek routers can send their logs to a syslog server. DrayTek's own syslog tool for the Mac, however, no longer runs on Lion, because Lion dropped Rosetta (the PowerPC translation layer the tool depended on). So I decided to let the router log directly to the syslog daemon that ships with Mac OS X. Here is how to do that.

First you need to edit com.apple.syslogd.plist, which is found in /System/Library/LaunchDaemons, and add a child entry named NetworkListener under the Sockets dictionary. That entry makes launchd open UDP port 514 (the "syslog" service from /etc/services) and hand the socket to syslogd when it starts. Two things to keep in mind: without a SockNodeName key launchd binds that socket to all interfaces, so any host that can reach your Mac can write lines into your log (add a SockNodeName entry with your LAN IP address, or block UDP 514 from untrusted networks with the firewall); and Apple's system updates can replace files under /System/Library/LaunchDaemons, so keep a copy of your edited version.

If the file is in binary mode you need to convert it to xml first. Type the following in a terminal window.

    sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist

The edited file then looks like this; only the marked NetworkListener block is new, everything else is Apple's original content:

    <plist version="1.0">
    <dict>
        <key>EnableTransactions</key>
        <true/>
        <key>EnvironmentVariables</key>
        <dict>
            <key>ASL_DISABLE</key>
            <string>1</string>
        </dict>
        <key>HopefullyExitsLast</key>
        <true/>
        <key>JetsamProperties</key>
        <dict>
            <key>JetsamMemoryLimit</key>
            <integer>300</integer>
            <key>JetsamPriority</key>
            <integer>-49</integer>
        </dict>
        <key>Label</key>
        <string>com.apple.syslogd</string>
        <key>MachServices</key>
        <dict>
            <key>com.apple.system.logger</key>
            <true/>
        </dict>
        <key>OnDemand</key>
        <false/>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/syslogd</string>
        </array>
        <key>Sockets</key>
        <dict>
            <key>AppleSystemLogger</key>
            <dict>
                <key>SockPathMode</key>
                <integer>438</integer>
                <key>SockPathName</key>
                <string>/var/run/asl_input</string>
            </dict>
            <key>BSDSystemLogger</key>
            <dict>
                <key>SockPathMode</key>
                <integer>438</integer>
                <key>SockPathName</key>
                <string>/var/run/syslog</string>
                <key>SockType</key>
                <string>dgram</string>
            </dict>
            <key>NetworkListener</key>     <<<<------ start adding here
            <dict>
                <key>SockServiceName</key>
                <string>syslog</string>
                <key>SockType</key>
                <string>dgram</string>
            </dict>                        <<<<------ until here
        </dict>
    </dict>
    </plist>

Make the edit and save. Converting the file back to binary is optional (launchd reads XML plists just as well), but it keeps the file in the form Apple ships:

        sudo plutil -convert binary1 /System/Library/LaunchDaemons/com.apple.syslogd.plist
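The same edit can be made without hand-editing XML. The following script is an added example, not from the original post and not Apple's or DrayTek's code: it uses Python's stdlib plistlib to insert the NetworkListener entry idempotently and, optionally, pins the listener to one address with launchd's SockNodeName key so UDP 514 is not open on every interface. It assumes Python 3 (plistlib.loads/dumps, not the Python 2.7 that shipped with Lion); the embedded sample plist is a constructed, trimmed copy of the file above, and 192.168.3.10 is a placeholder for your Mac's LAN IP.

```python
#!/usr/bin/env python3
"""Add the NetworkListener socket to com.apple.syslogd.plist with plistlib.

Added example, not from the original post. Assumes Python 3 (plistlib.loads /
plistlib.dumps), i.e. not the Python 2.7 that shipped with Lion.
"""
import plistlib
import sys

# Constructed sample: a trimmed copy of the plist shown above, limited to the
# keys this script touches. Real input is the file in /System/Library/LaunchDaemons.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/syslogd</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>BSDSystemLogger</key>
        <dict>
            <key>SockPathMode</key>
            <integer>438</integer>
            <key>SockPathName</key>
            <string>/var/run/syslog</string>
            <key>SockType</key>
            <string>dgram</string>
        </dict>
    </dict>
</dict>
</plist>
"""


def add_network_listener(plist_bytes, bind_addr=None):
    """Return (plist_xml_bytes, changed).

    bind_addr is an optional IP for launchd's SockNodeName key. Without it
    launchd binds the UDP socket to INADDR_ANY, so every host that can reach
    the Mac can inject lines into the log. plistlib.loads() accepts both the
    XML and the binary1 form, so no plutil conversion is needed first.
    """
    data = plistlib.loads(plist_bytes)
    sockets = data.setdefault("Sockets", {})
    # "syslog" resolves to UDP 514 via /etc/services
    listener = {"SockServiceName": "syslog", "SockType": "dgram"}
    if bind_addr:
        listener["SockNodeName"] = bind_addr
    if sockets.get("NetworkListener") == listener:
        return plist_bytes, False  # already configured; safe to re-run
    sockets["NetworkListener"] = listener
    return plistlib.dumps(data, fmt=plistlib.FMT_XML), True


def has_network_listener(plist_bytes):
    """Post-edit check: is a UDP 'syslog' socket declared for syslogd?"""
    listener = plistlib.loads(plist_bytes).get("Sockets", {}).get("NetworkListener", {})
    return listener.get("SockServiceName") == "syslog" and listener.get("SockType") == "dgram"


def main(argv):
    if len(argv) < 2:  # no path given: demonstrate on the constructed sample
        out, _ = add_network_listener(SAMPLE_PLIST, "192.168.3.10")  # placeholder LAN IP
        sys.stdout.write(out.decode())
        return 0
    path = argv[1]
    bind_addr = argv[2] if len(argv) > 2 else None
    with open(path, "rb") as fh:
        original = fh.read()
    out, changed = add_network_listener(original, bind_addr)
    if not changed:
        print("%s already has NetworkListener" % path)
        return 0
    with open(path + ".bak", "wb") as fh:  # keep a copy; OS updates may also replace this file
        fh.write(original)
    with open(path, "wb") as fh:
        fh.write(out)
    print("updated %s (backup in %s.bak); now launchctl unload/load the job" % (path, path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with the plist path and, optionally, the address to bind: `sudo python3 add_listener.py /System/Library/LaunchDaemons/com.apple.syslogd.plist 192.168.3.10` (hypothetical file name). Without a path it just prints the edited sample so you can see the resulting XML.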


After that you need to create a logfile. Open up a terminal window and type

        sudo touch /var/log/router.log

You can replace router.log with anything else you like.

Now in the same terminal window type
        sudo nano /etc/syslog.conf

Add a line that routes everything arriving with facility local2 (the facility the Vigor firmware sends with, as the tcpdump capture in the comments below confirms) to your file
        local2.*            /path/to/your/logfile

where the path is the file you just created (for this post, /var/log/router.log), and save the file (Ctrl+X, answer the question with Y).

The final thing to do on the Mac OS side is to restart the syslog daemon, so that launchd re-reads the plist and opens the new socket (note the tool is launchctl, not launchctrl):
        sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
        sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

The next step is to configure your DrayTek router. Under System Maintenance >> SysLog / Mail Alert Setup check the "Enable" box and enter your Mac's IP address under "Server IP Address". Leave the standard port 514 as it is. You can choose which events the router forwards to the syslog server; for initial testing leave all events checked. Click "OK", then open the Console app on your Mac and select router.log (under /var/log) in the sidebar. After a while you should see entries arriving.
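To check the whole chain end to end, and to diagnose an empty log like the one reported in the comments, here is an added example, not part of the original post and not DrayTek's or Apple's code: a Python 3 script that decodes a syslog datagram's <PRI> header into facility and severity, tests the result against a syslog.conf selector such as local2.*, and sends a test datagram over UDP. The sample datagram is constructed to reproduce the message shown in the tcpdump capture in the comments; the hostname and MAC address in it are whatever the router put there.

```python
#!/usr/bin/env python3
"""Decode DrayTek syslog datagrams and check them against a syslog.conf selector.

Added example, not from the original post or from DrayTek. Python 3.
"""
import re
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}

# Constructed sample, reproducing the datagram in the tcpdump capture in the
# comments: PRI 150 = facility local2 (18) * 8 + severity info (6).
SAMPLE_DATAGRAM = (b"<150>Jan 27 08:42:55 ADCT-Router: Local User (MAC=C8-2A-14-22-27-E2): "
                   b"192.168.3.10:49774 -> 192.168.10.10:389 (TCP) ")

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Split a BSD-style (RFC 3164) syslog datagram into pri/facility/severity/msg."""
    m = PRI_RE.match(datagram)
    if not m:
        # RFC 3164: a datagram without <PRI> counts as <13> = user.notice,
        # which a local2.* selector would never catch.
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return {"pri": pri,
            "facility": FACILITIES.get(facility, "facility%d" % facility),
            "severity": SEVERITIES[severity],
            "msg": m.group(2).decode("utf-8", "replace").strip()}


def selector_matches(selector, record):
    """Does a syslog.conf selector (facility[,facility].severity) catch record?

    Covers the common forms: '*' for any facility or severity, 'none', and a
    severity name meaning that level or more severe (the BSD rule, so
    'local2.notice' does NOT match an info message). The '=' and '!' prefixes
    some syslog.conf dialects accept are not implemented here.
    """
    facilities, _, severity = selector.partition(".")
    if facilities != "*" and record["facility"] not in facilities.split(","):
        return False
    if severity == "*":
        return True
    if severity == "none":
        return False
    if severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % severity)
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(severity)


def build_datagram(facility, severity, text):
    """Encode a message the way the router does: '<PRI>' followed by the text."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)
    return ("<%d>" % pri).encode() + text.encode("utf-8")


def send_test_message(host, port, facility, severity, text):
    """Send one UDP syslog datagram. Aim it at the Mac's LAN IP and port 514 to
    confirm syslogd's NetworkListener is up: if the line shows up in
    /var/log/router.log, the Mac side works and the problem is on the router."""
    datagram = build_datagram(facility, severity, text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))
    return datagram


def roundtrip_localhost(text="test from roundtrip_localhost"):
    """Offline self-check: receive our own datagram on an ephemeral loopback port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_test_message("127.0.0.1", rx.getsockname()[1], "local2", "info", text)
        data, _ = rx.recvfrom(2048)
    return parse_syslog(data)


if __name__ == "__main__":
    rec = parse_syslog(SAMPLE_DATAGRAM)
    print("%(facility)s.%(severity)s: %(msg)s" % rec)
    for sel in ("local2.*", "local1.*", "local2.notice", "*.info"):
        print("%-14s -> %s" % (sel, "match" if selector_matches(sel, rec) else "no match"))
    print(roundtrip_localhost())
```

Before pointing send_test_message at the Mac, confirm that syslogd actually owns the port: `sudo lsof -nP -i UDP:514` should list it. If you bound the listener with SockNodeName, send to that LAN address rather than 127.0.0.1. A datagram whose facility does not match the selector in /etc/syslog.conf is silently dropped by the bsd_out module, which is exactly the "empty router.log" symptom, so comparing parse_syslog()'s facility with your selector is the first thing to check.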



Have fun...

2 comments:

  1. thank you for writing this up!

  2. I have problems reading the router.log file, because it is empty. Should I change the port from 512 to 1024?
    Because I am not familiar with tcpdump, I did not get any further info out of this dump. What's the problem with local1 or local2?
    My iMac has the IP 192.168.3.10

    Here is part of the dump:

    ADCT-iMac:~ root# tcpdump -vv -i en0 port 514
    tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:43:36.017663 IP (tos 0x0, ttl 255, id 28895, offset 0, flags [none], proto UDP (17), length 144)
    vigor.router.syslog > 192.168.3.10.syslog: [udp sum ok] SYSLOG, length: 116
    Facility local2 (18), Severity info (6)
    Msg: Jan 27 08:42:55 ADCT-Router: Local User (MAC=C8-2A-14-22-27-E2): 192.168.3.10:49774 -> 192.168.10.10:389 (TCP)
    0x0000: 3c31 3530 3e4a 616e 2032 3720 3038 3a34
    0x0010: 323a 3535 2041 4443 542d 526f 7574 6572
    0x0020: 3a20 4c6f 6361 6c20 5573 6572 2028 4d41
    0x0030: 433d 4338 2d32 412d 3134 2d32 322d 3237
    0x0040: 2d45 3229 3a20 3139 322e 3136 382e 332e
    0x0050: 3130 3a34 3937 3734 202d 3e20 3139 322e
    0x0060: 3136 382e 3130 2e31 303a 3338 3920 2854
    0x0070: 4350 2920
    08:43:36.018223 IP (tos 0x0, ttl 255, id 28896, offset 0, flags [none], proto UDP (17), length 143)
    vigor.router.syslog > 192.168.3.10.syslog: [udp sum ok] SYSLOG, length: 115

    Thanks in advance for any help
