Monday, December 29, 2014

Syslog Configuration (Mac OS X)

Here is a quick dump of the syslog configuration on an OS X machine running 10.5.

*I believe that around 10.8 things changed and syslog is configured through /etc/asl.conf (a file, not a directory) instead of /etc/syslog.conf.

• First, open /etc/syslog.conf.  Run "more /etc/syslog.conf" and have a look at what is going on.  Here is what mine looks like:

*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit     /dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit      /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit            /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publicly-readable
# files.
auth.info;authpriv.*;remoteauth.crit                                    /var/log/secure.log

lpr.info                                                                /var/log/lpr.log
mail.*                                                                  /var/log/mail.log
ftp.*                                                                   /var/log/ftp.log
install.*                                                               /var/log/install.log
install.*                                                               @127.0.0.1:32376
local0.*                                                                /var/log/airport.log
local1.*                                                                /var/log/ipfw.log
local2.*                                                                /var/log/airport.log
local3.*                                                                /var/log/airport.log
local4.*                                                                /var/log/airport.log
local5.*                                                                /var/log/airport.log
local6.*                                                                /var/log/airport.log
local7.*                                                                /var/log/router.log
*.emerg                                                                 *

The most important part of all this is that every file referenced in the config actually exists at the path you gave it and has the right ownership and permissions: syslogd will not create a missing log file for you, it simply drops the messages destined for it.  Heed the comment above secure.log as well; anything fed by auth or authpriv carries authentication events and should stay restricted to root and the admin group (mode 640), not world-readable like the rest of /var/log.  The ones I defined are airport.log and router.log.  The original intention was to have the wireless key rotations and user authentications and associations logged to the airport log file.  What has happened lately is that the Meraki firewalls have decided to dump their flow reports there.  This is the result of a configuration setting that can be adjusted (local0 seems to be the default facility) by going to the dashboard and, under Alerts & Administration, selecting the appropriate "role".  You can log flows, URLs, appliance events and even IPS alerts.

Two caveats on the remote side: the Meraki sends plain UDP syslog with no authentication or encryption, so anything that can reach the Mac's syslog port can write into these files, and the sender list should be restricted with the host firewall.  And syslogd on 10.5 does not accept network input out of the box; its launchd job has to be given a network listener before any of the local0-local7 lines see traffic.

Link to the documentation on this:
https://docs.meraki.com/display/MR/Syslog