
Chapter 19 Configuring and Managing System Logging 299
Remote Logging
Using remote logging in addition to local logging is strongly recommended for any
server system, because local logs can easily be altered if the system is compromised.
Several security issues must also be considered when making the decision to use
remote logging:
• The syslog process sends log messages as clear text, which could expose sensitive
information.
• Too many log messages can fill storage space on the logging system, making further
logging impossible.
• Log files can indicate suspicious activity only if a baseline of normal activity has been
established, and if the files are regularly monitored for such activity.
If these security issues outweigh the security benefit of remote logging, do not use
remote logging.
Configuring Remote Logging on a Client Computer
To configure a client computer for remote logging, alter the syslog.conf configuration
file. The following instructions assume that a remote log server has been configured on
the network.
To enable remote logging:
1 On the client computer, open the /etc/syslog.conf file with root privileges.
2 Add the following line to the top of the file, replacing your.log.server with the name or
IP address of the log server and keeping all other lines intact:
*.* @your.log.server
3 Exit, saving changes.
4 Send a hangup signal to syslogd to make it reload the configuration file:
$ sudo killall -HUP syslogd
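The steps above as a repeatable shell function, added here as an example and not taken from the original guide. The function names, the .bak backup copy and the host-name check are assumptions of this example; your.log.server is the guide's own placeholder.

```shell
#!/bin/sh
# Added example: apply the client-side forwarding rule once, keeping all other lines.

# Print every host that receives all messages ("*.* @host") in a syslog.conf.
# Commented-out rules are skipped because their first field is not exactly "*.*".
remote_targets() {
    awk '$1 == "*.*" && $2 ~ /^@./ { print substr($2, 2) }' "$1"
}

# Insert "*.* @server" at the top of the file unless it is already present.
# Returns 0 if the file was changed, 1 if no change was needed, 2 on error.
enable_remote_logging() {
    conf=$1
    server=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Accept only a single host name or IP address token.
    case $server in
        ''|*[!A-Za-z0-9.-]*) echo "invalid log server: $server" >&2; return 2 ;;
    esac
    if remote_targets "$conf" | grep -qxF "$server"; then
        return 1
    fi
    tmp=$(mktemp "${conf}.XXXXXX") || return 2
    if { printf '*.* @%s\n' "$server"; cat "$conf"; } > "$tmp" \
        && cp -p "$conf" "${conf}.bak" \
        && cat "$tmp" > "$conf"      # overwrite in place: owner and mode are kept
    then
        rc=0
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run directly as: sudo sh this_script.sh /etc/syslog.conf your.log.server
if [ $# -eq 2 ]; then
    enable_remote_logging "$1" "$2" \
        && echo "rule added; reload with: sudo killall -HUP syslogd"
fi
```

Running it a second time leaves the file unchanged, so it can be used in a provisioning script without stacking duplicate rules.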
Configuring Remote Logging on a Server
The remote logging software included with Mac OS X Server is the syslog daemon
syslogd. This service accepts and stores log messages from other systems on the
network. If another system is compromised, its local logs can be altered, so the log
server might contain the only accurate system records.
Only enable remote logging across a trusted internal network or VPN.
By default, Mac OS X Server performs only local logging and does not act as a log
server.