I am trying to figure out how to allow the computers to keep the system.log, install.log, and a few other logs for 90 days. Apple's newsyslog.conf man is gone and I've searched and haven't had much luck. Can someone point me to the direction on how we can set this value, to keep certain logs for 90 days?
Question
Keeping Log Files for X days
+20
+15Myself, I added "module_ttl 180" to the top of /etc/asl.conf.
Other solutions/content at:
https://jamfnation.jamfsoftware.com/discussion.html?id=14243
+20If I wanted...
System.Log 90 Days and Install.Log 365 days would I just add it to the asl configuration? I've played with newsyslog and some of asl and had nothing. At this point its just for audit and they want to see the TTL age.
+20Whats the best way to edit the system log file to add ttl=90 to the line? Would you touch the file? Im looking for a way to script this so we can send these commands out to update the lines to add the ttl=XX.
+15sudo pico /etc/asl.confThe ^ symbol means control and the commands are at the bottom of the window. So Control O means save (write out) and Control-X means Exit.
EDIT: Oh sorry - you mean via Jamf Command. You'll want to use sed for that.
mv /etc/asl.conf /etc/asl.conf.orig
sed 's/all_max=50M/all_max=50M ttl=180/g' > /etc/asl.confuntested, but something like that should work. Be sure to check permissions.
+1Hey, i make this script to work on Catalina => Ventura, add "ttl=365" in "/etc/asl/com.apple.install". Hope it helps :
#!/bin/bash
installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
if [[ "$installRetention" = "" ]]; then
echo "Install Retention --> Not here"
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "Key modified"
elif [[ "$installRetention" -lt "365" ]]; then
echo "Install Retention --> NOK"
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "Key modified"
else
echo "Install Rentention is : $installRetention --> OK"
fi
Hey, i make this script to work on Catalina => Ventura, add "ttl=365" in "/etc/asl/com.apple.install". Hope it helps :
#!/bin/bash
installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"
if [[ "$installRetention" = "" ]]; then
echo "Install Retention --> Not here"
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "Key modified"
elif [[ "$installRetention" -lt "365" ]]; then
echo "Install Retention --> NOK"
mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
sed "s/"ttl=$installRetention"/"ttl=365"/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
chmod 644 /etc/asl/com.apple.install
chown root:wheel /etc/asl/com.apple.install
echo "Key modified"
else
echo "Install Rentention is : $installRetention --> OK"
fi
Hey, great script. Just had to make 1 change for our usage.
installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}'|cut -d" " -f1)"
The cut command basically finds any trailing white space after the search string, then truncates at that. So if the ttl isn't the last value in the list. We're not removing other settings.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.