Configuring macOS Log Forwarding to Nagios Log Server on Apple Silicon Macs

Jack Brisben

Sending Logs from Apple Silicon macOS to Nagios Log Server

This guide explains how to configure an Apple Silicon-based macOS system (e.g., M1, M2, or later) to forward logs to Nagios Log Server for centralized log management and real-time monitoring. We’ll use rsyslog to forward logs, as macOS’s native syslogd has limited remote forwarding capabilities.

Prerequisites

Before starting, ensure you have:

  • Nagios Log Server installed and running (latest version, e.g., 2024R2 recommended).
  • An Apple Silicon-based macOS device (macOS 11 Big Sur or later) with administrator privileges.
  • Network access between the Mac and the Nagios Log Server instance.
  • The IP address and port (default: 514) of your Nagios Log Server.

Why Use Nagios Log Server?

Nagios Log Server provides:

  • Centralized log collection and management.
  • Real-time analysis with dashboards and alerts.
  • Scalability with clustering and failover.
  • Compatibility with macOS logs via syslog.

Key Logs to Monitor

Nagios Log Server can collect:

  • System Logs: System.log, Kernel.log.
  • Application Logs: App-specific logs.
  • Security Logs: Auth.log, firewall logs.
  • Performance Logs: CPU, memory, and disk activity.

Installation and Setup

Step 1: Enable macOS Logging

macOS uses the unified logging system (log command) and syslogd.

  • Verify Logging is Active:
    1. Open Terminal.
    2. Check the live log stream:
log stream --level info
    3. Press Ctrl+C to exit.

Check Syslogd: Verify syslogd is running:

sudo launchctl list | grep syslogd

If not running, load it:

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

Step 2: Install and Configure rsyslog

Since macOS’s syslogd doesn’t natively support robust remote forwarding, install rsyslog via Homebrew.

  • Install Homebrew: On Apple Silicon, Homebrew installs to /opt/homebrew/:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Add Homebrew to your PATH:

echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zshrc
source ~/.zshrc

Install rsyslog:

brew install rsyslog

Configure rsyslog: Edit the configuration file:

sudo nano /opt/homebrew/etc/rsyslog.conf

Add the following to forward logs to Nagios Log Server:

*.* @<logserver_ip>:514    # UDP
# OR
*.* @@<logserver_ip>:514   # TCP (preferred if supported)

Replace <logserver_ip> with your Nagios Log Server’s IP (e.g., 192.168.1.100).

Enable modules (uncomment or add at the top):

module(load="imuxsock")    # Local system logs
module(load="imklog")      # Kernel logs

Save and exit (Ctrl+X, Y, Enter).

Start rsyslog:

sudo brew services start rsyslog

Verify it’s running:

ps aux | grep rsyslogd

Firewall Check: If macOS’s firewall is enabled (System Settings > Network > Firewall), allow outbound traffic on port 514 (UDP or TCP).

Step 3: Configure Nagios Log Server

Set up Nagios Log Server to receive logs:

  1. Log into the Nagios Log Server web interface (e.g., http://<logserver_ip>:80).
  2. Go to Configure > Configuration Editor.
  3. Under Log Sources, add a new source:
  • Type: Syslog (UDP or TCP, matching your rsyslog config).
  • IP Address: Your Mac’s IP (find with ifconfig | grep inet).
  • Port: 514 (default).
  • Save and apply the configuration.

Step 4: Verify Log Collection

  • Test Log Forwarding: On the Mac, generate a test log:
logger "Test log from macOS (Apple Silicon) to Nagios Log Server"

Check Nagios Log Server:

  1. Go to Home > Dashboards or Reports.
  2. Look for the test message from your Mac’s IP.
  • If it doesn’t appear:
    • Verify the server is listening on port 514 (netstat -an | grep 514 on the server).
    • Test connectivity (ping <logserver_ip> from the Mac).
    • Check macOS firewall settings.
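
A transport mismatch between the rsyslog rule (@ for UDP, @@ for TCP) and the Syslog type chosen in Step 3 is a common reason the test message never arrives. The script below is an added example, not part of the original guide: it lists each forwarding rule in an rsyslog.conf with its transport. The function names are hypothetical, the sample config is constructed, and only plain "selector @host[:port]" rules like those in Step 2 are handled.

```shell
#!/bin/sh
# Added example, not from the original guide: report the transport of each
# legacy-syntax forwarding rule ("selector @host:port") in an rsyslog.conf.

# Print "proto host port selector" per active rule: "@" is UDP, "@@" is TCP,
# and the port defaults to 514 when the rule omits it.
list_forward_targets() {
  awk '
    /^[ \t]*#/ { next }                  # skip commented-out lines
    {
      sub(/[ \t]*#.*$/, "")              # drop a trailing comment
      if (NF < 2 || $2 !~ /^@/) next     # not a forwarding action
      proto = ($2 ~ /^@@/) ? "tcp" : "udp"
      target = $2
      sub(/^@+/, "", target)
      sub(/;.*$/, "", target)            # strip an optional ;template
      port = 514
      if (split(target, parts, ":") == 2) { target = parts[1]; port = parts[2] }
      print proto, target, port, $1
    }
  ' "$1"
}

# Return 0 if every forwarding rule uses the expected transport ("tcp" or
# "udp"), 1 if any rule differs, 2 if the file has no forwarding rule.
check_transport() {
  targets=$(list_forward_targets "$1")
  [ -n "$targets" ] || { echo "no forwarding rule in $1" >&2; return 2; }
  mismatched=$(printf '%s\n' "$targets" | awk -v want="$2" '$1 != want')
  [ -z "$mismatched" ] && return 0
  printf 'rules not using %s:\n%s\n' "$2" "$mismatched" >&2
  return 1
}

# Constructed sample config; 192.0.2.10 is a documentation-only address.
sample=$(mktemp)
cat > "$sample" <<'EOF'
module(load="imuxsock")    # Local system logs
# *.* @192.0.2.10:514
*.* @@192.0.2.10:514       # TCP
auth.* @192.0.2.10         # UDP, default port
EOF
list_forward_targets "$sample"
check_transport "$sample" tcp || echo "mixed transports in sample (exit $?)"
```

Point the functions at /opt/homebrew/etc/rsyslog.conf and compare the reported transport and port with the log source configured in Nagios Log Server.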

Best Practices

  • Alerts: In Nagios Log Server, set up alerts (e.g., for failed logins) via Configure > Alerts.
  • Dashboards: Customize dashboards to visualize macOS log trends.
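  • Secure Forwarding: For production, use TCP with TLS. Plain syslog on port 514 (UDP or TCP) is sent unencrypted.

Add to rsyslog.conf:

$ActionForwardDefaultTemplate RSYSLOG_SyslogProtocol23Format

This directive sets the default template for forwarded messages to the RFC 5424-style format; it does not enable encryption by itself.

  • Configure TLS in Nagios Log Server (see official docs).
  • Log Rotation: macOS handles local rotation via newsyslog; configure retention in Nagios Log Server.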

Conclusion

Your Apple Silicon macOS system is now forwarding logs to Nagios Log Server using rsyslog. This setup leverages Nagios Log Server’s powerful log analysis, alerting, and visualization features. For advanced monitoring, explore Nagios Log Server’s documentation or integrate with Nagios XI for broader system oversight.

For more details, check:
