You know that support for MacOS is important when every third visitor at the syslog-ng booth of Red Hat Summit asks if syslog-ng works on MacOS. With the upcoming syslog-ng version 4.6.0, syslog-ng not only compiles on MacOS, but it also collects local log messages natively.

From this blog you can learn how to compile syslog-ng yourself, about the options of the MacOS source, and also a bit of history.

History

Many years ago, syslog-ng was available on MacOS. It was even part of Homebrew. Unfortunately, when multi-threading was introduced to syslog-ng in version 3.3, it broke MacOS support. It was not syslog-ng directly, but the file naming convention of a new mandatory dependency (the file system is case-insensitive on MacOS). Supporting MacOS again took a bit more time than expected. The external library had to be fixed first, which meant renaming files. Once it was fixed, syslog-ng could also be brought back to life on MacOS.

Syslog-ng compiled and ran fine on MacOS; however, it could not collect local system logs natively. It could act as a network server or read files on the system. The default configuration failed to start, as the system() source was not configured for MacOS. As a workaround, a system() source was defined on MacOS too: it simply reads files written by the native syslogd. Syslog-ng is now part of Homebrew again, which means easy installation. With version 4.6.0, syslog-ng can collect local system logs natively.

Warning

While previously the system() source on MacOS barely collected any logs, using the new native log collector collects a lot more log messages by default (tens of megabytes instead of a few kilobytes an hour). If you use the default syslog-ng configuration, make sure that you check the size of /var/log/messages* regularly.

Before you begin

From the release notes: “This plugin available only on macOS 10.15 Catalina and above, the first version that has the OSLog API.” As 10.15 and anything older are already end of life, it should not cause a problem.

Version 4.6.0 will hopefully be part of Homebrew soon. Once that happens, installing syslog-ng will be a single command:

brew install syslog-ng

If it is not yet part of Homebrew, you can compile it yourself. You can find basic instructions on building in one of my earlier blogs (https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-macos-ventura). Note that if you have the grpc package installed from brew, then you should also use the following configure parameter to disable support for it:

--disable-grpc

Without it, compiling syslog-ng will fail.

We are also preparing a new, more detailed developer documentation. You can find a lot more information about the MacOS build at https://syslog-ng.gitbook.io/getting-started/platform-specific-builds/section_4 (note that the location of this guide might change).

Modifying the configuration

The system() source on MacOS now uses the new darwin-oslog() source by default. It has some reasonable defaults, but of course they are not suitable for everyone. If you want to change any settings, you have to remove or comment out the system() source from your configuration and use the darwin-oslog() source directly instead. You can find the full list of options in the release notes (https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.6.0). Here I want to introduce you to only a few of the options.

When syslog-ng is started, the darwin-oslog() source, by default, starts collecting logs where it left off last time (you can change that by setting the do-not-use-bookmark() option to yes, but you really should not...). If the darwin-oslog() source is started for the first time, then it does not read old logs, but starts collecting logs from the end of OSLog. You can change this behavior by using the read-old-records(yes) option. However, be prepared that your Mac will run at a high load for an extended time and write gigabytes of logs. On my 2017 MacBook Pro it took close to an hour, and syslog-ng wrote about 8 gigabytes of logs into two files, about a month's worth of log messages.

As you can see in the following configuration example, the system() source is commented out, and read-old-records() is set to yes:

source s_local {
        darwin-oslog(read-old-records(yes));
#       system();
        internal();
};

Another important option is filter-predicate(). It allows you to configure which logs are read from OSLog by the syslog-ng darwin-oslog() driver. The default setting is:

(eventType == 'logEvent' || eventType == 'lossEvent' || eventType == 'stateEvent' || eventType == 'userActionEvent') && (logType != 'debug')

You should read “man log” for more details on how to configure this parameter.
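As an added example (not from the original post), here is a complete syslog-ng.conf that puts the options above together: the system() source is replaced by an explicit darwin-oslog() source, bookmarks stay enabled, old records are not re-read, and the default filter-predicate is tightened. The extra logType and subsystem clauses are assumptions based on the predicate keys documented in “man log”, not on the release notes; adjust them to the subsystems you care about.

```conf
@version: 4.6
@include "scl.conf"

# Added example configuration, not the syslog-ng project's own file.
source s_local {
    darwin-oslog(
        # Default behaviour kept explicit: resume from the bookmark and
        # do not replay a month of history on first start (see the
        # read-old-records(yes) warning in the post).
        read-old-records(no)
        # Same event types as the default predicate, but also drop
        # 'info' level messages and keep only two security-relevant
        # subsystems. The level and subsystem keys are assumed from
        # "man log"; the post itself only shows eventType and logType.
        filter-predicate("(eventType == 'logEvent' || eventType == 'lossEvent' || eventType == 'stateEvent' || eventType == 'userActionEvent') && (logType != 'debug') && (logType != 'info') && (subsystem == 'com.apple.securityd' || subsystem == 'com.apple.sshd')")
    );
    # syslog-ng's own messages (start, stop, dropped logs, errors)
    internal();
};

# Same destination the default configuration uses; size it per the
# warning above, because the native collector is far more verbose
# than the old file-reading system() source.
destination d_local {
    file("/var/log/messages");
};

log {
    source(s_local);
    destination(d_local);
};
```

Check the file with syslog-ng --syntax-only before restarting the service, and widen the subsystem clause only after you have watched /var/log/messages growth for a day.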

What is next?

Once you have tested the syslog-ng settings from the command line, you should make sure that it starts automatically on the next boot. You can learn more about it at https://syslog-ng.gitbook.io/getting-started/chapter_0/section_3 (note that the location of this guide might change).


If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
