syslogd Configuration

Many low-cost routers support sending event logs to a syslog server, often providing more information than is available through their built-in logging. In the following article, I will go through the configuration of Netopia 3300-ENT series routers, as they are both affordable and full featured. I will update this article later to include a configuration supporting Netgear FSV124G routers.

OS X Panther and Tiger both support receiving remote syslog events; however, their configurations are completely different. In Tiger, syslogd is started through the launchd daemon, which simplifies the configuration.

OS X Panther files can be downloaded here

OS X Tiger files can be downloaded here

NETOPIA CONFIGURATION


Overview

This configuration is for Netopia ENT routers with firmware 8.5 and R910 routers with firmware 8.2r0. Other firmware versions will have a similar configuration; however, the syslog options may be located elsewhere in the menus.

Enable Syslog

Log in to the router and proceed to "System Configuration...". Under the "System Configuration" page, select "Logging...". Under "Syslog Parameters", set "Syslog Enabled:" to "yes". Set "Hostname or IP Address:" to the address of the syslog server.

Facility Settings

Set "Facility:" to "Local 1". This option attaches a "local1" facility marker to every log entry, so that the syslog server can parse it and direct the entries to a specific log file. It should match the facility specified in the syslog.conf file on the server. local0 is used for parsing the firewall (ipfw) events, while local1 through local7 are unused by the system. If logging from several devices, it is beneficial to direct each device to a separate log, which is accomplished by giving each device a different facility setting.

Logging Options

There are three logging options: "Log Filter Violations", "Log Accepted Packets", and "Log Access Attempts". With all three disabled, the logs sent to the server resemble the standard WAN logging events found in the Netopia router. Enabling "Log Filter Violations" shows every packet dropped by the filters, including basic NAT rules. Enabling "Log Accepted Packets" logs any request, internal or external, that is allowed to pass through the router. This shows all traffic that is passed, including DNS requests as well as any other network traffic. It is useful for troubleshooting, but it is likely to cause the logs to grow to a substantial size quite quickly. Enabling "Log Access Attempts" is only useful for troubleshooting, as it logs any and all requests whether dropped by filter rules or not. This is not recommended for any length of time.

Note: enabling or disabling syslog, as well as modifying the syslog host setting, requires the router to be restarted. Changing the logging options, however, takes effect immediately and does not require a restart.

PANTHER CONFIGURATION


Overview

Panther requires modifications to the following files: /etc/rc and /etc/syslog.conf. In addition to the system modifications, a script, daily.local, should be placed in the /etc directory, or the contents of the supplied daily.local file should be appended to the one already installed.

When the machine boots, it runs the rc script; this is where syslogd is started. When syslogd starts, it consults syslog.conf for its operating parameters. To maintain your log files, a daily.local file is created to rotate the logs nightly. It is also needed simply to restart the system log daemon with the appropriate flags.

After any system update, the rc script and syslog.conf will need to be checked to ensure that the modifications made have not been overwritten. The daily.local file is never modified by a system update, so it does not need to be checked.

Back up your files

First, back up the default rc and syslog.conf files to your desktop as below.

cd /etc
cp rc ~/Desktop/rc
cp syslog.conf ~/Desktop/syslog.conf

Additionally, if a daily.local script already exists, back that up as well:

cp daily.local ~/Desktop/daily.local

Modify the rc script

The rc script is called at startup. The default setting for initializing syslogd is:

/usr/sbin/syslogd -m 0 -s

This starts the system log daemon in secure mode, which does not accept log messages from remote sources: remote logging listens for UDP packets on port 514, and the -s flag disables this capability. As of 10.3.9, the man pages for syslogd are incorrect, as they appear to reflect the changes that Tiger was moving toward. The syslogd(8) man pages for FreeBSD seem to be more accurate than those provided with the OS.

Search for syslogd with a text editor and replace the above line with the following (substituting the correct subnet for your network):

/usr/sbin/syslogd -m 0 -a 192.168.5.0/24:514

This configuration enables the syslogd daemon to accept messages from the specified subnet only. The -m flag specifies the interval, in minutes, at which syslogd writes a timestamp (MARK) line into the log; a value of 0 disables this.

Modify syslog.conf

syslog.conf is consulted when syslogd starts. This is where you specify any redirection of the logs. One note of caution: the separator between the selector and the log file must be a tab, not spaces.

Look for the following line:

local0.*	/var/log/ipfw.log

Immediately after this line, insert the following:

local1.*	/var/log/netopia.log

The local facility should match the facility setting on the router. If you wish to have separate logs for different routers, create additional log files and set the facilities accordingly. For example:

local1.*	/var/log/netopia1.log
local2.*	/var/log/netopia2.log

After modifying the configuration, create the log files as needed with the following:

cd /var/log
sudo touch netopia.log

or the following if logging multiple devices:

cd /var/log
sudo touch netopia1.log
sudo touch netopia2.log

Install daily.local

The periodic utility runs three cron jobs by default: daily, weekly and monthly. These are general maintenance scripts that run in the early hours of the morning. Each of these scripts tests for the existence of a corresponding *.local file and, if the file exists, calls it from the primary script. It is suggested that any modifications be made in these files.

The included daily.local script contains a section for rotating the log files and a step that restarts syslogd. The provided script is a modification of the system.log portion of the default daily script. It maintains up to 8 gzipped log files plus one active file. The second segment of the script simply restarts syslogd; the network subnet in it must be changed to your own for it to function correctly. To install this script, perform the following:

cd /etc
sudo cp /path/to/10.3/version/of/daily.local daily.local
sudo chmod 555 daily.local
sudo chown root:wheel daily.local

If a daily.local script already exists, simply append the contents of this script to the end of the current file. If you are logging several devices, list all of the filenames in the for loop, as in the following:

for i in netopia1.log netopia2.log; do

This will rotate the logs for each item listed.

TIGER CONFIGURATION


Overview

Tiger requires modifications to the following files: /System/Library/LaunchDaemons/com.apple.syslogd.plist and /etc/syslog.conf.

In Tiger, the syslog daemon is started by Apple's new launchd daemon. This actually makes the process much simpler, as the flags are set in com.apple.syslogd.plist and are used whenever the daemon is restarted.

In addition to the system modifications, a script, daily.local, should be placed in the /etc directory, or the contents of the supplied daily.local file should be appended to a previously installed script if one exists.

After any system update, com.apple.syslogd.plist and syslog.conf will need to be checked to ensure that the modifications made have not been overwritten. The daily.local file is never modified by a system update, so it does not need to be checked.

Back Up Your Files

First, back up the default com.apple.syslogd.plist and syslog.conf files to your desktop as below.

cd /etc
cp syslog.conf ~/Desktop/syslog.conf
cd /System/Library/LaunchDaemons/
cp com.apple.syslogd.plist ~/Desktop/com.apple.syslogd.plist

Additionally, if a daily.local script already exists, back that up as well:

cd /etc
cp daily.local ~/Desktop/daily.local

Modify the com.apple.syslogd.plist File

The com.apple.syslogd.plist configuration is read whenever the launchd daemon needs to start the service. Plist files are essentially a standardized XML document that provides the parameters for starting any service. Fortunately, the installed man pages actually match what is installed in the system, which is Apple's heavily modified version of syslogd. Unfortunately, this version also makes all online tutorials that apply to FreeBSD versions irrelevant.

The entire contents of this file are as follows (note that there is no line break within the <!DOCTYPE statement):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>ServiceDescription</key>
    <string>Apple System Log Daemon</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
            <string>/usr/sbin/syslogd</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
</dict>
</plist>

The ProgramArguments key is followed by an array of strings; this is essentially the list of arguments that would be passed on the command line. We will add a <string>-u</string> element after <string>/usr/sbin/syslogd</string> to make the service listen for UDP packets. The resulting file is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.syslogd</string>
    <key>ServiceDescription</key>
    <string>Apple System Log Daemon</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
            <string>/usr/sbin/syslogd</string>
            <string>-u</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
</dict>
</plist>

Unfortunately, the new daemon does not recognize the -a flag, so there is no way to restrict which subnets it accepts messages from: with -u it accepts UDP datagrams from any source. Keep this in mind, as you will likely want to block inbound UDP port 514 from the outside world at the router (this is the default on the Netopia routers when the server is behind NAT).

Modify syslog.conf

syslog.conf is consulted when syslogd starts. This is where you specify any redirection of the logs. One note of caution: the separator between the selector and the log file must be a tab, not spaces. The parameters here do not differ from Panther.

Look for the following line:

local0.*	/var/log/ipfw.log

Immediately after this line, insert the following:

local1.*	/var/log/netopia.log

The local facility should match the facility setting on the router. If you wish to have separate logs for different routers, create additional log files and set the facilities accordingly. For example:

local1.*	/var/log/netopia1.log
local2.*	/var/log/netopia2.log
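As an added example (not code from the article), the following shows what the "Local 1" facility setting from the Netopia section actually puts on the wire, and how a selector table like the Panther and Tiger syslog.conf excerpts above routes it. Every syslog datagram begins with a PRI header <N> where N = facility * 8 + severity, and local0 through local7 are facilities 16 through 23. The sample datagram and table are constructed; facility_name, decode_pri and route_message are this example's own names, and only the facility.* selector form the article uses is handled (real syslogd also matches priorities).

```shell
#!/bin/sh
# Added example, not from the article: decode the PRI header of a syslog
# datagram and apply a syslog.conf-style "facility.*<TAB>/path" table.

# RFC 3164 facility codes; local0..local7 are 16..23.
facility_name() {
    case $1 in
        0) echo kern ;;    1) echo user ;;    2) echo mail ;;     3) echo daemon ;;
        4) echo auth ;;    5) echo syslog ;;  6) echo lpr ;;      7) echo news ;;
        8) echo uucp ;;    9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
        16) echo local0 ;; 17) echo local1 ;; 18) echo local2 ;;  19) echo local3 ;;
        20) echo local4 ;; 21) echo local5 ;; 22) echo local6 ;;  23) echo local7 ;;
        *) echo unknown ;;
    esac
}

severity_name() {
    case $1 in
        0) echo emerg ;; 1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
    esac
}

# decode_pri MSG: print "facility severity" for a datagram, or "malformed".
decode_pri() {
    msg=$1
    case $msg in
        "<"*">"*) ;;
        *) echo malformed; return 1 ;;
    esac
    pri=${msg#<}
    pri=${pri%%>*}
    case $pri in
        ''|*[!0-9]*) echo malformed; return 1 ;;
    esac
    if [ "$pri" -gt 191 ]; then          # 23*8+7 is the largest valid PRI
        echo malformed; return 1
    fi
    echo "$(facility_name $((pri / 8))) $(severity_name $((pri % 8)))"
}

# route_message MSG TABLE: print the first path whose selector matches the
# datagram's facility, "none" when nothing matches, or "malformed" when a
# table line is not tab-separated (the mistake the article warns about).
route_message() {
    msg=$1 table=$2
    tab=$(printf '\t')
    decoded=$(decode_pri "$msg") || { echo none; return 1; }
    fac=${decoded%% *}
    oldifs=$IFS
    IFS='
'
    for line in $table; do
        IFS=$oldifs
        case $line in
            ''|'#'*) continue ;;                      # blank or comment line
            *"$tab"*) ;;
            *) echo malformed; return 1 ;;            # spaces instead of a tab
        esac
        selector=${line%%"$tab"*}
        target=${line#*"$tab"}
        case $selector in
            "$fac.*"|'*.*') echo "$target"; return 0 ;;
        esac
    done
    IFS=$oldifs
    echo none
    return 1
}

# Constructed sample: a router message stamped local1.info (17*8+6 = 142),
# and the three-line table from the article with real tabs as separators.
SAMPLE_MSG='<142>Jan  5 02:14:07 netopia: constructed sample: NAT drop'
SAMPLE_CONF=$(printf 'local0.*\t/var/log/ipfw.log\nlocal1.*\t/var/log/netopia1.log\nlocal2.*\t/var/log/netopia2.log\n')

decode_pri "$SAMPLE_MSG"                    # local1 info
route_message "$SAMPLE_MSG" "$SAMPLE_CONF"  # /var/log/netopia1.log
```

When a router's messages are not landing in the expected file, capturing one datagram and running it through decode_pri tells you immediately whether the facility on the router side or the selector on the server side is at fault.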

After modifying the configuration, create the log files as needed with the following:

cd /var/log
sudo touch netopia.log

or the following if logging multiple devices:

cd /var/log
sudo touch netopia1.log
sudo touch netopia2.log

Install daily.local

The periodic utility runs three cron jobs by default: daily, weekly and monthly. These are general maintenance scripts that run in the early hours of the morning. Each of these scripts tests for the existence of a corresponding *.local file and, if the file exists, calls it from the primary script. It is suggested that any modifications be made in these files.

The included daily.local script contains a section for rotating the log files and a step that restarts syslogd. The provided script is a modification of the system.log portion of the default daily script. It maintains up to 8 gzipped log files plus one active file. The second segment of the script simply restarts syslogd using Apple's launchd daemon. To install this script, perform the following:

cd /etc
sudo cp /path/to/10.4/version/of/daily.local daily.local
sudo chmod 555 daily.local
sudo chown root:wheel daily.local

If a daily.local script already exists, simply append the contents of this script to the end of the current file. If you are logging several devices, list all of the filenames in the for loop, as in the following:

for i in netopia1.log netopia2.log; do

This will rotate the logs for each item listed.
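The rotation and restart logic that both daily.local sections (Panther and Tiger) describe, written out as an added example. This is not the author's downloadable daily.local; it is constructed here to show the mechanics. It assumes the archive naming netopia.log.0.gz (newest) through netopia.log.7.gz (oldest), the 192.168.5.0/24 sample subnet from the Panther rc line, and the NETOPIA_LOGDIR and OSX_FLAVOR variables, which are this example's own.

```shell
#!/bin/sh
# Added example, not the article's daily.local: rotate the router logs and
# restart syslogd. Keeps the active file plus up to KEEP compressed archives,
# mirroring the system.log section of the default /etc/daily script.

# rotate_log DIR NAME [KEEP]: shift NAME.N.gz up by one, compress the active
# file as NAME.0.gz and start a fresh, empty NAME. Oldest archive is dropped.
rotate_log() {
    dir=$1 name=$2 keep=${3:-8}
    n=$((keep - 1))
    while [ "$n" -ge 1 ]; do
        prev=$((n - 1))
        if [ -f "$dir/$name.$prev.gz" ]; then
            mv -f "$dir/$name.$prev.gz" "$dir/$name.$n.gz"
        fi
        n=$((n - 1))
    done
    if [ -f "$dir/$name" ]; then
        mv -f "$dir/$name" "$dir/$name.0"
        touch "$dir/$name"
        chmod 640 "$dir/$name"      # router traffic logs need not be world-readable
        gzip -f "$dir/$name.0"
    fi
}

# archive_count DIR NAME: number of compressed archives present (never > KEEP).
archive_count() {
    dir=$1 name=$2 count=0
    for f in "$dir/$name".*.gz; do
        [ -f "$f" ] && count=$((count + 1))
    done
    echo "$count"
}

# restart_syslogd panther|tiger: make syslogd reopen the freshly created files.
# Panther has no launchd job, so the daemon is stopped and re-executed with the
# same flags as in /etc/rc (the subnet is the article's sample; use your own).
# Tiger: bounce the launchd job, which re-reads com.apple.syslogd.plist.
restart_syslogd() {
    case $1 in
        panther)
            killall syslogd 2>/dev/null
            sleep 1
            /usr/sbin/syslogd -m 0 -a 192.168.5.0/24:514
            ;;
        tiger)
            launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
            sleep 1
            launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
            ;;
        *)
            echo "restart_syslogd: expected panther or tiger" >&2
            return 1
            ;;
    esac
}

# Act on the real log directory only when NETOPIA_LOGDIR is set, e.g. from
# /etc/daily.local:
#   NETOPIA_LOGDIR=/var/log OSX_FLAVOR=tiger sh rotate.sh netopia1.log netopia2.log
if [ -n "${NETOPIA_LOGDIR:-}" ]; then
    for i in "$@"; do
        rotate_log "$NETOPIA_LOGDIR" "$i"
    done
    restart_syslogd "${OSX_FLAVOR:-tiger}"
fi
```

Run as root from daily.local, it behaves like the article's script: after eight nights the oldest archive is overwritten on each rotation, so the directory never holds more than eight .gz files per router.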

The syslog service can be restarted by running the following commands:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

Wait a moment and then:

sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Or simply restart the machine.