Syslog and ASL in macOS

macOS Catalina

I’m capturing a lot of logs across my Linux systems; they all traditionally used the syslog daemon and more recently rsyslog or syslog-ng. I wanted to research message logging in macOS and found the setup to be interesting enough.

syslog config in /etc/asl.conf

The first big difference is that the primary configuration file for the syslog daemon is no longer /etc/syslog.conf. This is what it says when you open it:

# Note that flat file logs are now configured in /etc/asl.conf

install.*                                     127.0.0.1:32376

Apple System Log (ASL)

Really cool! Apparently for quite some time, macOS has been logging everything using the Apple System Log approach - meaning there are libraries of functions written specifically for logging messages, keeping track of message databases (they’re in binary format, ASL files) and providing output into cleartext log files.

More recently there’s the os_log interface for working with log messages, but it still relies on the ASL mechanism, I think.

System Logging with /etc/asl.conf

Here’s the typical /etc/asl.conf file on my macOS:

greys@mcfly $ cat /etc/asl.conf
##
# configuration file for syslogd and aslmanager
##

# aslmanager logs
> /var/log/asl/Logs/aslmanager external style=lcl-b ttl=2

# authpriv messages are root/admin readable
? [= Facility authpriv] access 0 80

# remoteauth critical, alert, and emergency messages are root/admin readable
? [= Facility remoteauth] [<= Level critical] access 0 80

# broadcast emergency messages
? [= Level emergency] broadcast

# save kernel [PID 0] and launchd [PID 1] messages
? [<= PID 1] store

# ignore "internal" facility
? [= Facility internal] ignore

# save everything from emergency to notice
? [<= Level notice] store

# Rules for /var/log/system.log
> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
? [= Sender kernel] file system.log
? [<= Level notice] file system.log
? [= Facility auth] [<= Level info] file system.log
? [= Facility authpriv] [<= Level info] file system.log

# Facility com.apple.alf.logging gets saved in appfirewall.log
? [= Facility com.apple.alf.logging] file appfirewall.log file_max=5M all_max=50M

In addition, there are quite a few software- or service-specific configuration files in the /etc/asl directory - something very similar to rsyslog include files by function, but looking very different, just like the asl.conf file itself:

ASL Configuration Language

I’ve never seen this before but could find my way around configuring ASL logging very quickly, because a lot of things are quite intuitive:

# Rules for /var/log/system.log
> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
? [= Sender kernel] file system.log
? [<= Level notice] file system.log
? [= Facility auth] [<= Level info] file system.log
? [= Facility authpriv] [<= Level info] file system.log

We configure file permissions, format and rotation rules for the system.log file and then define filters for the messages that we want in that log file: messages sent by the kernel, messages at level notice or more severe, and messages from the auth and authpriv facilities at level info or more severe.
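
The matching logic described above, as an added example (not from the original post and not Apple's code): a small Python evaluator for the four system.log query lines. It assumes that all bracketed expressions on one line must match, that each line is evaluated independently, and that levels compare by syslog severity number; the message dictionaries used with it are constructed samples.

```python
import re

# Standard syslog severities; a lower number is more severe.
LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The system.log query lines quoted above from /etc/asl.conf.
RULES = """\
? [= Sender kernel] file system.log
? [<= Level notice] file system.log
? [= Facility auth] [<= Level info] file system.log
? [= Facility authpriv] [<= Level info] file system.log
"""

# One bracketed expression: [operator key value]; only '=' and '<=' are handled.
TERM = re.compile(r"\[(<=|=)\s+(\S+)\s+([^\]]+)\]")


def parse_rules(text):
    """Return (terms, action, args) for each '?' query line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("?"):
            continue  # skip comments, blank lines and '>' output definitions
        terms = TERM.findall(line)
        rest = TERM.sub("", line[1:]).split()
        rules.append((terms, rest[0], rest[1:]))
    return rules


def term_matches(op, key, want, msg):
    """Evaluate one bracketed expression against a message dict."""
    have, want = msg.get(key), want.strip()
    if have is None:
        return False
    if key == "Level":  # level names are an assumption of this sketch
        have, want = LEVELS[have], LEVELS[want]
    elif key == "PID":
        have, want = int(have), int(want)
    return have == want if op == "=" else have <= want


def matching_rules(msg, rules):
    """Indexes of rules whose expressions all match (AND within a line)."""
    return [i for i, (terms, _, _) in enumerate(rules)
            if all(term_matches(op, k, v, msg) for op, k, v in terms)]
```

With these rules, an authpriv message at level info reaches system.log only through the fourth line, while an auth message at level debug matches nothing and is not written there.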

I think I’ll do another post on ASL soon enough, explaining this in more detail.

Comparing ASL to syslog and rsyslog

I would say ASL has a really cool and very readable approach to configuring logging needs. It’s superior to the traditional syslog format.

rsyslog, which I’m finding in most Linux distros these days, is safe: it has a new syntax for configuration files that is just as easy and just as meaningful. So while ASL is clearly better than old syslog, it’s quite comparable to newer rsyslog when it comes to both functionality and configuration language.
