I’m capturing a lot of logs across my Linux systems; they all traditionally used the syslog daemon and, more recently, rsyslog or syslog-ng. I wanted to research message logging in macOS and found the setup to be interesting enough.
The first big difference is that the primary configuration file for the syslog daemon is no longer /etc/syslog.conf. This is what it says when you open it:
Really cool! Apparently for quite some time, macOS has been logging everything using the Apple System Log (ASL) approach, meaning there are libraries of functions written specifically for logging messages, keeping track of message databases (they’re in binary format, ASL files) and providing output into cleartext log files.
More recently there’s the os_log interface for working with log messages, but it still relies on the ASL mechanism, I think.
Here’s the typical /etc/asl.conf file on my macOS:
In addition to it, there are quite a few software- or service-specific configuration files in the /etc/asl directory, something very similar to rsyslog include files by function, but looking very different, just like the asl.conf file itself:
I’ve never seen this before but could find my way around configuring ASL logging very quickly, because a lot of things are quite intuitive:
We configure file permissions, format and rotation rules for the system.log file and then define filters for the messages that we want in that log file: they must be kernel messages, have specific facilities (kinds of messages) and log level (notice).
I think I’ll do another post on ASL soon enough, explaining this in more detail.
I would say ASL has a really cool and very readable approach to configuring logging needs. It’s superior to the traditional syslog format.
rsyslog, which I’m finding in most Linux distros these days, is safe: it has a new syntax for configuration files that is just as easy and just as meaningful. So while ASL is clearly better than old syslog, it’s quite comparable to newer rsyslog when it comes to both functionality and configuration language.