Most of syslog-ng works perfectly well on MacOS; however, there is no native driver to collect local log messages. Because of this, the system() source did not work on MacOS in the past, so the default syslog-ng configuration failed to start. Version 3.36 of syslog-ng includes a workaround: it follows /var/log/system.log.
Installing syslog-ng 3.36
You need to download at least version 3.36.1 of the syslog-ng source code from https://github.com/syslog-ng/syslog-ng/releases
To test the new system() source on MacOS, you need to compile syslog-ng from the source. You can find compilation instructions at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-macos-monterey
Testing
On Intel-based Macs, syslog-ng is installed under the /usr/local directory tree. You can find the configuration in /usr/local/etc/syslog-ng.conf. If you take a look at it, you will see that it is quite simple. There is a source for local logs using the system() source and a network source that is mostly commented out.
However, when you take a look at what this configuration expands to, it is something a lot more complex. You can learn a lot about syslog-ng and its configuration by browsing this configuration and trying to understand what it does. Here is the command to generate the expanded configuration:
/usr/local/sbin/syslog-ng --preprocess-into=myconfig.txt
In this blog, we just focus on a really small part of this file:
#Start Block source generator system
channel {
    source {
        file("/var/log/system.log" follow-freq(1));
    }; # source
This means that syslog-ng reads one of the files written by syslogd on the system. The content of this file is similar to what /var/log/messages contains on a typical Linux system. So, once you start syslog-ng version 3.36 on your host, instead of failing like all previous versions, it will read the content of this file and write it to /var/log/messages. The content of the log file should look similar to this:
Mar 18 16:00:11 Peters-MacBook-Pro sshd: czanik [priv][4214]: USER_PROCESS: 4218 ttys001
Mar 18 16:20:18 Peters-MacBook-Pro sshd: czanik [priv][40823]: USER_PROCESS: 40827 ttys002
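As an added example (not part of the original post or the syslog-ng project's default configuration), here is a complete, explicit configuration that does by hand what the system() source expands to on MacOS: it follows /var/log/system.log with the file() source, keeps a full copy in /var/log/messages, and additionally splits out sshd lines like the ones above into their own file. The sshd filter and the /var/log/sshd.log destination are assumptions for illustration; the program("sshd") match assumes syslog-ng parses "sshd" as the program name from those lines.

```conf
@version: 3.36
@include "scl.conf"

# Added example: the explicit equivalent of the system() source on MacOS.
# It relies only on the generic file() source, so it does not depend on a
# native local log driver.
source s_local {
    file("/var/log/system.log" follow-freq(1));
};

# Keep a copy of everything, as the default configuration does
destination d_messages {
    file("/var/log/messages");
};

# Assumed for illustration: authentication-related lines from sshd go to a
# separate file so they are easy to review. Assumes the program name parsed
# from "sshd: czanik [priv][4214]: ..." is "sshd".
filter f_sshd {
    program("sshd");
};

destination d_sshd {
    file("/var/log/sshd.log");
};

log {
    source(s_local);
    destination(d_messages);
};

log {
    source(s_local);
    filter(f_sshd);
    destination(d_sshd);
};
```

Before starting syslog-ng with it, run `/usr/local/sbin/syslog-ng --syntax-only -f /path/to/this.conf` to catch configuration errors without touching the log files.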
What is next?
The changes in syslog-ng 3.36 make your first steps with syslog-ng on MacOS a lot less scary. You can start syslog-ng manually from the command line, but it is not really convenient. You can learn how to start syslog-ng automatically during startup from this blog: https://medium.com/macoclock/how-to-install-syslog-ng-on-macos-965127f1c05c
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.