Graylog2 / documentation

Archived Graylog documentation. See https://docs.graylog.org/ for the new documentation.
http://archivedocs.graylog.org/

Update syslog chapter for macOS Sierra #288

Open alexpts opened 7 years ago

alexpts commented 7 years ago

macOS Sierra does not use /etc/syslog.conf.

For macOS Sierra you need to configure the file /etc/asl.conf.

The docs need to be updated, or a new paragraph added for macOS.

jalogisch commented 7 years ago

Do you mean that this page should be updated?

http://docs.graylog.org/en/2.2/pages/sending_data.html

We would like to merge a PR that includes the given information from your end.

alexpts commented 7 years ago

Yes! I do not know what needs to be added to /etc/asl.conf.

The current doc doesn't work for macOS Sierra.

joschi commented 7 years ago

@alexpts Apple introduced "Unified Logging" in macOS Sierra, see https://developer.apple.com/library/prerelease/content/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html#//apple_ref/doc/uid/TP40017145-DontLinkElementID_73 for details.

We currently don't have the capacity to update the documentation, but if you know how to set up remote logging in macOS Sierra, please create a pull request for it.

joschi commented 6 years ago

@mevans845 Any contribution is welcome! 👍

jabenninghoff commented 6 years ago

Sadly, it looks like all versions of macOS with Unified Logging, including Sierra, High Sierra, and Mojave, don't support any practical method for centralized logging. Well summarized in these 2 articles:

https://eclecticlight.co/2018/03/21/macos-unified-log-3-finding-your-way/

https://eclecticlight.co/2018/06/08/the-unified-log-in-macos-mojave-signposts-and-instruments/

Edit: from the first article, you might be able to use log stream, but that would be inelegant to say the least.

joschi commented 6 years ago

@jabenninghoff @mevans845 I could imagine using log stream --style json and some kind of log shipper akin to Filebeat for shipping the messages to Graylog.
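One way to realize the "log stream --style json plus a shipper" idea, as an added example that is not from this thread or from Graylog's own code: it parses the JSON array that log stream prints (the array is never closed while streaming and each object spans several lines), maps every event to a GELF 1.1 message and, when run as a script, forwards the messages over UDP to a Graylog GELF input. The event field names, the messageType-to-severity mapping, the host name and the Graylog address are assumptions; the sample events are constructed.

```python
"""Turn `log stream --style json` events into GELF messages for Graylog."""
import json
import socket
import sys
from datetime import datetime

# Assumed mapping of macOS messageType to syslog severity (GELF "level").
LEVELS = {"Fault": 2, "Error": 3, "Default": 5, "Info": 6, "Debug": 7}

# Constructed sample resembling the array `log stream --style json` prints;
# note the unclosed array and the multi-line eventMessage.
SAMPLE = """[{
  "timestamp" : "2018-06-08 10:23:45.123456+0100",
  "messageType" : "Error",
  "processID" : 412,
  "processImagePath" : "/usr/sbin/sshd",
  "subsystem" : "com.apple.sshd",
  "category" : "auth",
  "eventMessage" : "Authentication failed for user alice\\nfrom 198.51.100.7 port 51234"
},{
  "timestamp" : "2018-06-08 10:23:46.000001+0100",
  "messageType" : "Default",
  "processID" : 88,
  "processImagePath" : "/usr/libexec/opendirectoryd",
  "subsystem" : "com.apple.opendirectoryd",
  "category" : "session",
  "eventMessage" : "session closed"
}"""

def iter_events(text):
    """Yield objects from a possibly unterminated JSON array, one at a time."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos] in "[, \n\r\t":  # skip separators
            pos += 1
        if pos >= len(text) or text[pos] == "]":
            return
        obj, pos = dec.raw_decode(text, pos)  # consumes one object, any length
        yield obj

def to_gelf(ev, host="mac-host.example"):
    """Build a GELF 1.1 message from one unified-log event (host is assumed)."""
    ts = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S.%f%z").timestamp()
    msg = ev.get("eventMessage", "")
    return {"version": "1.1", "host": host,
            "short_message": msg.splitlines()[0] if msg else "-",
            "full_message": msg, "timestamp": ts,
            "level": LEVELS.get(ev.get("messageType"), 5),
            "_subsystem": ev.get("subsystem"), "_category": ev.get("category"),
            "_process": ev.get("processImagePath"), "_pid": ev.get("processID")}

if __name__ == "__main__":  # usage: log stream --style json | python3 ship.py
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for ev in iter_events(sys.stdin.read()):  # assumed Graylog GELF UDP input
        sock.sendto(json.dumps(to_gelf(ev)).encode(), ("graylog.example", 12201))
```

Reading all of stdin at once is fine for a bounded capture such as `log show --style json`; a long-running stream would instead feed `iter_events` from a buffer that is topped up as data arrives.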

loceee commented 6 years ago

I am interested to see what approach you take on this! 👍

xq1xq1xq1 commented 6 years ago

I added a line to /etc/syslog.conf which works, sending it to a Debian syslog server.

Will this survive a restart or upgrade?

johlym commented 6 years ago

@xq1xq1xq1 It will survive a restart but not an upgrade.

Hey folks, I work at Papertrail and this is a problem we've been trying to solve, too, with little success. The closest I've been able to come with Unified Logging is to run something that can consume STDOUT from log stream, manipulate it, and forward it. NXLog has been fine so far, in the relay department, but I haven't managed to work on a transformer that will massage the incoming lines effectively. Some entries from log stream are multi-line; even with --style set to either syslog or json, not all events seem to adhere to that argument.

I'm almost ready to say sending Unified logs to a remote location is a lost cause given how much effort Apple has put into keeping the logs within their ecosystem.

jalogisch commented 6 years ago

@johlym thank you for the update. If some kind of own tool were provided, it would be fine, but to have everything designed against modern infrastructure management is not the best move.

I guess it would be time to start writing a beat that collects the logs and sends them to the central server. Same as happened with the journald beat.

Maybe this can help: http://support.loomsystems.com/sources/streaming-logs-from-mac-using-filebeat