Activating the syslog server on my Mac
14/04/18 06:27
A few months ago we finally were able to switch over from ADSL2 to NBN's fibre-to-the-node (FTTN) VDSL. We'd had ADSL2 since 2005 and never managed to break 6Mbps downstream.
So when NBN became available, we jumped at the chance. Of course, we have no chance of getting 100Mbps but we're happy with the 50Mbps possibility (around midnight, about 44Mbps). Anything is better than the piddly 4Mbps we were getting in the last days of ADSL2.
However the NBN product is a magnitude more unreliable … constant drop outs. To get some idea, I thought I'd start sending the modem's logs to a syslog server. Did some research on how to get the syslogd daemon to accept these logs - didn't appear to be anything in simple step-by-step format, and Apple had changed things over the years so the information wasn't necessarily up-to-date, but I figured it out. I know, I'm lazy … I spend my work day fixing problems in mobile phone networks - at home, I just want my shit to work (hence why fixing my Mac Pro took so long).
Anyway, this is how I got syslogd to accept my modem's logs, using the scraps of info from other, cleverer souls than I - Mac Pro running macOS High Sierra 10.13.4:
[1] Disable SIP:
[a] Restart Mac in Recovery Mode (CMD+R)
[b] Disable SIP in Terminal
csrutil disable
[c] Restart Mac
[2] Change directory permissions of /System/Library/LaunchDaemons
cd /System/Library/
sudo chmod 777 LaunchDaemons/
[3] Also changed permissions of the syslog daemon PLIST
cd /System/Library/LaunchDaemons/
sudo chmod 777 com.apple.syslogd.plist
[4] In Finder, navigated to /System/Library/LaunchDaemons and double-clicked the com.apple.syslogd.plist file. This opens the PLIST editor in Xcode.
[5] Add a new Sockets dictionary item - there's just BSDSystemLogger initially.
[a] On the Sockets line, press the +
NetworkListener = dictionary
[c] On the NetworkListener line, need to + two Strings
SockServiceName = syslog
SockType = dgram
The result should look something like below - doesn't matter if NetworkListener is before or after the existing BSDSystemLogger entry.
[6] I was able to save the updated PLIST file because of the permission changes in [2] and [3]:
-rw-rw-rw-@ 1 brett wheel 612 13 Apr 09:40 com.apple.syslogd.plist
[7] Change the permissions back to what macOS expects:
cd /System/Library/
sudo chmod 755 LaunchDaemons/
cd /System/Library/LaunchDaemons/
sudo chmod 644 com.apple.syslogd.plist
[8] The file ownership also changed from root to brett, so I had to fix that too, otherwise restarting the daemon will fail with:
/System/Library/LaunchDaemons/com.apple.syslogd.plist: Path had bad ownership/permissions
This is done with the chown command:
sudo chown -v root com.apple.syslogd.plist
[9] Finally, I could restart the daemon:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
[10] I then opened the Console application and also monitored incoming UDP packets on the command line - I could see the syslog entries arriving, and also Console updating!
sudo tcpdump -i en0 host 192.168.1.1 and udp port 514
[11] Filtering in Console for when the link went down … "link down" … wow, it dropped 14 times from when I started capturing the logs to syslog and this morning:
Apr 13 10:46:19 kernel: Line 0: xDSL link down
Apr 13 10:46:31 kernel: Line 0: xDSL link down
Apr 13 11:16:27 kernel: Line 0: xDSL link down
Apr 13 11:16:38 kernel: Line 0: xDSL link down
Apr 13 11:16:59 kernel: Line 0: xDSL link down
Apr 13 11:17:12 kernel: Line 0: xDSL link down
Apr 13 11:17:41 kernel: Line 0: xDSL link down
Apr 13 11:17:48 kernel: Line 0: xDSL link down
Apr 13 19:06:21 kernel: Line 0: xDSL link down
Apr 13 19:06:37 kernel: Line 0: xDSL link down
Apr 13 22:30:43 kernel: Line 0: xDSL link down
Apr 13 22:30:55 kernel: Line 0: xDSL link down
Apr 13 22:32:17 kernel: Line 0: xDSL link down
Apr 13 22:32:28 kernel: Line 0: xDSL link down
I can also see logs when the link rate is changed … "rate change" … loads of entries, a small sample:
Apr 13 22:25:34 kernel: Line 0: Rate Change, us=15063, ds=30368
Apr 13 22:35:11 kernel: Line 0: Rate Change, us=19904, ds=20192
Apr 13 22:35:57 kernel: Line 0: Rate Change, us=10101, ds=20192
Apr 13 22:35:57 kernel: Line 0: Rate Change, us=9956, ds=20192
[12] Oh, don't forget to re-enable SIP by restarting in Recovery Mode, executing csrutil enable, then restarting
So when NBN became available, we jumped at the chance. Of course, we have no chance of getting 100Mbps but we're happy with the 50Mbps possibility (around midnight, about 44Mbps). Anything is better than the piddly 4Mbps we were getting in the last days of ADSL2.
However the NBN product is a magnitude more unreliable … constant drop outs. To get some idea, I thought I'd start sending the modem's logs to a syslog server. Did some research on how to get the syslogd daemon to accept these logs - didn't appear to be anything in simple step-by-step format, and Apple had changed things over the years so the information wasn't necessarily up-to-date, but I figured it out. I know, I'm lazy … I spend my work day fixing problems in mobile phone networks - at home, I just want my shit to work (hence why fixing my Mac Pro took so long).
Anyway, this is how I got syslogd to accept my modem's logs, using the scraps of info from other, cleverer souls than I - Mac Pro running macOS High Sierra 10.13.4:
[1] Disable SIP:
[a] Restart Mac in Recovery Mode (CMD+R)
[b] Disable SIP in Terminal
csrutil disable
[c] Restart Mac
[2] Change directory permissions of /System/Library/LaunchDaemons
cd /System/Library/
sudo chmod 777 LaunchDaemons/
[3] Also changed permissions of the syslog daemon PLIST
cd /System/Library/LaunchDaemons/
sudo chmod 777 com.apple.syslogd.plist
[4] In Finder, navigated to /System/Library/LaunchDaemons and double-clicked the com.apple.syslogd.plist file. This opens the PLIST editor in Xcode.
[5] Add a new Sockets dictionary item - there's just BSDSystemLogger initially.
[a] On the Sockets line, press the +
NetworkListener = dictionary
[c] On the NetworkListener line, need to + two Strings
SockServiceName = syslog
SockType = dgram
The result should look something like below - doesn't matter if NetworkListener is before or after the existing BSDSystemLogger entry.
[6] I was able to save the updated PLIST file because of the permission changes in [2] and [3]:
-rw-rw-rw-@ 1 brett wheel 612 13 Apr 09:40 com.apple.syslogd.plist
[7] Change the permissions back to what macOS expects:
cd /System/Library/
sudo chmod 755 LaunchDaemons/
cd /System/Library/LaunchDaemons/
sudo chmod 644 com.apple.syslogd.plist
[8] The file ownership also changed from root to brett, so I had to fix that too, otherwise restarting the daemon will fail with:
/System/Library/LaunchDaemons/com.apple.syslogd.plist: Path had bad ownership/permissions
This is done with the chown command:
sudo chown -v root com.apple.syslogd.plist
[9] Finally, I could restart the daemon:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
[10] I then opened the Console application and also monitored incoming UDP packets on the command line - I could see the syslog entries arriving, and also Console updating!
sudo tcpdump -i en0 host 192.168.1.1 and udp port 514
[11] Filtering in Console for when the link went down … "link down" … wow, it dropped 14 times from when I started capturing the logs to syslog and this morning:
Apr 13 10:46:19 kernel: Line 0: xDSL link down
Apr 13 10:46:31 kernel: Line 0: xDSL link down
Apr 13 11:16:27 kernel: Line 0: xDSL link down
Apr 13 11:16:38 kernel: Line 0: xDSL link down
Apr 13 11:16:59 kernel: Line 0: xDSL link down
Apr 13 11:17:12 kernel: Line 0: xDSL link down
Apr 13 11:17:41 kernel: Line 0: xDSL link down
Apr 13 11:17:48 kernel: Line 0: xDSL link down
Apr 13 19:06:21 kernel: Line 0: xDSL link down
Apr 13 19:06:37 kernel: Line 0: xDSL link down
Apr 13 22:30:43 kernel: Line 0: xDSL link down
Apr 13 22:30:55 kernel: Line 0: xDSL link down
Apr 13 22:32:17 kernel: Line 0: xDSL link down
Apr 13 22:32:28 kernel: Line 0: xDSL link down
I can also see logs when the link rate is changed … "rate change" … loads of entries, a small sample:
Apr 13 22:25:34 kernel: Line 0: Rate Change, us=15063, ds=30368
Apr 13 22:35:11 kernel: Line 0: Rate Change, us=19904, ds=20192
Apr 13 22:35:57 kernel: Line 0: Rate Change, us=10101, ds=20192
Apr 13 22:35:57 kernel: Line 0: Rate Change, us=9956, ds=20192
[12] Oh, don't forget to re-enable SIP by restarting in Recovery Mode, executing csrutil enable, then restarting