Networked Syslog

January 21, 2009

Centralized logging can be a Really Good thing and something that I think every SA should consider if they have more than 1 system to look after. Unfortunately, Apple’s documentation on the subject is only correct for the client side. For the server side it says:

    "To configure Mac OS X Server as a log server that accepts log messages from other 
    systems on the network: 
    1 Open /etc/rc and locate the following line: 
    /usr/sbin/syslogd -s -m 0"
    ...

Everyone knows that /etc/rc has been retired in 10.5. The correct procedure is much simpler - just open /System/Library/LaunchDaemons/com.apple.syslogd.plist and look for the following:

    "Un-comment the following lines to enable the network syslog protocol listener."

That, combined with Splunk running on the syslog server, can make a pretty sweet centralized logging system indeed. :P
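To confirm whether the listener stanza is actually live after editing the plist, the check below parses a launchd job and reports any socket bound to a network service. It is an added example, not code from the original post or from Apple; the sample plist is constructed, and the `NetworkListener` key name and its socket values are assumptions about the file's layout.

```python
import plistlib

# Constructed stanza: the key name and values are assumptions, not Apple's file.
LISTENER = """<key>NetworkListener</key>
    <dict>
      <key>SockServiceName</key><string>syslog</string>
      <key>SockType</key><string>dgram</string>
    </dict>"""

# Constructed, cut-down launchd job used as sample input.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.syslogd</string>
  <key>Sockets</key>
  <dict>
    <key>BSDSystemLogger</key>
    <dict>
      <key>SockPathName</key><string>/var/run/syslog</string>
      <key>SockType</key><string>dgram</string>
    </dict>
    @LISTENER@
  </dict>
</dict>
</plist>"""

SAMPLE_DISABLED = TEMPLATE.replace("@LISTENER@", "<!--\n" + LISTENER + "\n-->").encode()
SAMPLE_ENABLED = TEMPLATE.replace("@LISTENER@", LISTENER).encode()


def network_listeners(plist_bytes):
    """Return (name, service, type) for each launchd socket bound to a network service."""
    job = plistlib.loads(plist_bytes)
    found = []
    for name, spec in job.get("Sockets", {}).items():
        for entry in (spec if isinstance(spec, list) else [spec]):
            if "SockPathName" in entry:      # local UNIX-domain socket, not reachable remotely
                continue
            if "SockServiceName" in entry:
                # launchd treats a missing SockType as "stream"
                found.append((name, str(entry["SockServiceName"]), entry.get("SockType", "stream")))
    return found


def accepts_remote_syslog(plist_bytes):
    """True when a UDP socket on the syslog service (port 514) is defined."""
    return any(svc in ("syslog", "514") and typ == "dgram"
               for _, svc, typ in network_listeners(plist_bytes))


if __name__ == "__main__":
    for label, sample in (("commented out", SAMPLE_DISABLED), ("un-commented", SAMPLE_ENABLED)):
        print(label, network_listeners(sample), accepts_remote_syslog(sample))
```

On a log server, pass the bytes of /System/Library/LaunchDaemons/com.apple.syslogd.plist instead of the samples. A `True` result means syslogd will take unauthenticated UDP syslog from anything that can reach the port, so pair it with a firewall rule limiting the senders.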