Keeping Log Files for X days

Matt
Valued Contributor

I am trying to figure out how to allow the computers to keep the system.log, install.log, and a few other logs for 90 days. Apple's newsyslog.conf man is gone and I've searched and haven't had much luck. Can someone point me in the right direction on how we can set this value, to keep certain logs for 90 days?

6 REPLIES

thoule
Valued Contributor II

Myself, I added "module_ttl 180" to the top of /etc/asl.conf.

Other solutions/content at:
https://jamfnation.jamfsoftware.com/discussion.html?id=14243

Matt
Valued Contributor

If I wanted...

System.Log 90 Days and Install.Log 365 days would I just add it to the asl configuration? I've played with newsyslog and some of asl and had nothing. At this point it's just for audit and they want to see the TTL age.

Matt
Valued Contributor

What's the best way to edit the system log file to add ttl=90 to the line? Would you touch the file? I'm looking for a way to script this so we can send these commands out to update the lines to add the ttl=XX.

thoule
Valued Contributor II
sudo pico /etc/asl.conf

The ^ symbol means control and the commands are at the bottom of the window. So Control O means save (write out) and Control-X means Exit.

EDIT: Oh sorry - you mean via Jamf Command. You'll want to use sed for that.

mv /etc/asl.conf /etc/asl.conf.orig
sed 's/all_max=50M/all_max=50M ttl=180/g' /etc/asl.conf.orig > /etc/asl.conf

untested, but something like that should work. Be sure to check permissions.

AdrienPi
New Contributor II

Hey, I made this script to work on Catalina => Ventura; it adds "ttl=365" in "/etc/asl/com.apple.install". Hope it helps:

#!/bin/bash

# Read the current ttl value (empty if the file has no ttl= setting)
installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}')"

if [[ "$installRetention" = "" ]]; then
    # No ttl yet: append ttl=365 to the last line of the file
    echo "Install Retention --> Not here"
    mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
    sed '$s/$/ ttl=365/' /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
    chmod 644 /etc/asl/com.apple.install
    chown root:wheel /etc/asl/com.apple.install
    echo "Key modified"
elif [[ "$installRetention" -lt "365" ]]; then
    # ttl is below 365: replace the existing value
    echo "Install Retention --> NOK"
    mv /etc/asl/com.apple.install /etc/asl/com.apple.install.old
    sed "s/ttl=$installRetention/ttl=365/g" /etc/asl/com.apple.install.old > /etc/asl/com.apple.install
    chmod 644 /etc/asl/com.apple.install
    chown root:wheel /etc/asl/com.apple.install
    echo "Key modified"
else
    echo "Install Retention is : $installRetention --> OK"
fi


GoodS
New Contributor

Hey, great script. Just had to make 1 change for our usage.

installRetention="$(grep -i ttl /etc/asl/com.apple.install | awk -F'ttl=' '{print $2}'|cut -d" " -f1)"

The cut command basically finds any trailing white space after the search string, then truncates at that. So if the ttl isn't the last value in the list, we're not removing other settings.
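An added example, not part of any post in this thread: one way to make the edit discussed above idempotent, raising ttl to a minimum only on the rule line for a named log, whether ttl is missing, sits mid-line, or is already high enough. The function names ensure_ttl and current_ttl are hypothetical, and the rule file is a constructed sample written to a temp file.

```bash
#!/bin/bash
# Added example: raise ttl= to a minimum on the rule lines for one log file.
# ensure_ttl and current_ttl are hypothetical helper names.

ensure_ttl() {  # usage: ensure_ttl CONFIG_FILE LOG_NAME MIN_DAYS
    local file="$1" name="$2" min="$3" tmp
    tmp=$(mktemp) || return 1
    awk -v name="$name" -v min="$min" '
        index($0, name) && $0 !~ /^[ \t]*#/ {
            if (match($0, /[ \t]ttl=[0-9]+/)) {
                # ttl present anywhere on the line: rewrite only that token
                tok = substr($0, RSTART, RLENGTH)
                cur = tok; sub(/.*ttl=/, "", cur)
                if (cur + 0 < min + 0) {
                    sub(/ttl=[0-9]+/, "ttl=" min, tok)
                    $0 = substr($0, 1, RSTART - 1) tok substr($0, RSTART + RLENGTH)
                }
            } else {
                # ttl absent: append it, leaving every other option untouched
                sub(/[ \t]+$/, "")
                $0 = $0 " ttl=" min
            }
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cmp -s "$tmp" "$file" || cat "$tmp" > "$file"  # in-place write keeps owner/mode
    rm -f "$tmp"
}

current_ttl() {  # print the ttl value on the first matching rule line, if any
    grep -F -- "$2" "$1" | grep -v '^[[:space:]]*#' |
        sed -n 's/.*[[:space:]]ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample, not copied from a real Mac: ttl sits mid-line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample rule file
? [= Facility install] claim only
* file /var/log/install.log ttl=30 rotate=utc compress file_max=5M all_max=50M
EOF
ensure_ttl "$sample" install.log 365
echo "install.log ttl is now $(current_ttl "$sample" install.log)"
rm -f "$sample"
```

Against the real file from the posts above it would be called as root with `ensure_ttl /etc/asl/com.apple.install install.log 365`; because the file is overwritten in place, its existing owner and mode stay as they were.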