Log Retention with asl.conf

Jason
Contributor II

I'm using asl.conf to set system.log retention. I'm noticing on my Yosemite system that logs aren't being retained as long as I have configured though.

# Rules for /var/log/system.log 
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=180

That should rotate the system.log file out daily following UTC time, compress it, and ensure the file size is 5MB max. It should then keep those retained logs for 180 days. But looking at my system the logging only goes back 4 days:
system.log
system.log.2015-04-22T12:16:22Z.gz
system.log.2015-04-23T11:52:54Z.gz
system.log.2015-04-24T11:46:51Z.gz

The 26th and 27th the system was off. Is there something I'm missing? Looking at the oldest archive I can see it does indeed only go back to about 8am on the 22nd, and the log file is only 777Kb so it's not hitting any max.

Thanks

9 REPLIES

gachowski
Valued Contributor II

Jason,

I cribbed my log retention from the CIS doc. It's not that great but might help you a little.

http://www.cisecurity.org

I do know we have issues with X.9 not stopping at max file size, but I haven't gotten any feedback on X.10

C

Jason
Contributor II

@gachowski That's what I've based mine off of as well. You can see that against the remediation listed below (from the 10.10 v1 doc), mine matches up, except it's been set to 180 days instead of 90.

Perform the following to ensure the system is configured as prescribed:
1. Run the following command in Terminal:
grep -i ttl /etc/asl.conf
2. Verify that the ttl for system.log is greater than 90 days

Remediation:
Perform the following to implement the prescribed state:
1. Run the following command in Terminal:
sudo vim /etc/asl.conf
2. Replace or edit the current setting with a compliant setting
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=90
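
Added example, not part of the thread or of the CIS document: a check that goes one step past `grep -i ttl` by comparing the configured ttl with the oldest rotated archive actually on disk, which is the mismatch reported in the first post. The sample data, the clock value, and the `in_service_since`, `min_ttl` and `slack_days` parameters are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the rule and file listing in the thread.
SAMPLE_CONF = """# Rules for /var/log/system.log
> system.log mode=0640 format=bsd rotate=utc compress file_max=5M ttl=180
"""
SAMPLE_FILES = ["system.log",
                "system.log.2015-04-22T12:16:22Z.gz",
                "system.log.2015-04-23T11:52:54Z.gz",
                "system.log.2015-04-24T11:46:51Z.gz"]

STAMP = re.compile(r"\.(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z(\.gz)?$")

def parse_rule(conf_text, name="system.log"):
    """Return the key=value options of the active '> name' rule, or None."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ">" and parts[1] == name:
            return dict(tok.partition("=")[::2] for tok in parts[2:])
    return None  # commented-out rules do not count, unlike a plain grep

def oldest_archive(names):
    """Earliest UTC timestamp embedded in rotated file names, or None."""
    hits = [STAMP.search(n) for n in names]
    stamps = [datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") for m in hits if m]
    return min(stamps) if stamps else None

def audit(conf_text, names, now, in_service_since, min_ttl=90, slack_days=2):
    """Compare the configured ttl with the retention visible on disk.

    in_service_since (hypothetical input): when the host started logging, so
    a recently built machine is not reported as having lost history."""
    opts = parse_rule(conf_text) or {}
    ttl = int(opts["ttl"]) if opts.get("ttl", "").isdigit() else None
    oldest = oldest_archive(names)
    observed = (now - oldest).days if oldest else 0
    expected = min(ttl or 0, (now - in_service_since).days)
    return {"ttl_days": ttl,
            # assumption: the remediation value itself (90) counts as compliant
            "ttl_compliant": ttl is not None and ttl >= min_ttl,
            "observed_days": observed,
            "retention_gap": observed + slack_days < expected}

if __name__ == "__main__":
    # Constructed clock and in-service date for the sample data
    print(audit(SAMPLE_CONF, SAMPLE_FILES,
                datetime(2015, 4, 28, 12, 0, 0), datetime(2014, 11, 1)))
```

On a real host, pass the contents of /etc/asl.conf and the file names from /var/log instead of the samples. A result with `ttl_compliant` true and `retention_gap` true means the setting passes the audit while the logs it is meant to protect are not there.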

mthakur
Contributor

@Jason So did you resolve the issue of your ttl not being honored? If so, how?
If you can extract your current asl.conf setting and post it, that would be great.
Thank you!

Jason
Contributor II

There is a bug in Yosemite (haven't looked at El Cap yet, but likely there as well) where log retention/rotation is not working as described in the man pages. I have an open AppleCare case that still has engineering looking at it. There is a workaround to get logs to be retained and rotated on a daily basis. Editing the top of asl.log to look like this:

##
# configuration file for syslogd and aslmanager
##
#= aslmanager_debug 1
#= module_ttl 180

I still cannot get rotation to occur on a schedule other than daily though, i.e. if I want logs to rotate weekly, monthly, or based on size. For some reason whatever I put in newsyslog.conf for rotation gets ignored. AppleCare is still working on that part.

mistacabbage
Contributor

Did Apple ever fix the TTL setting? Is it working on macOS 10.12 Sierra?

mistacabbage
Contributor

Did Apple ever fix the TTL setting? Is it working on macOS 10.12 Sierra?

gachowski
Valued Contributor II

I have been told that fixes have been made, not sure if it's TTL or other issues. Also I think the logging architecture was rewritten/replaced/improved in Sierra.

C

mthakur
Contributor

Bump...

Has anyone gotten log file rotation > 7 days to work in Sierra?

Anyone? Anyone? Bueller?

donmontalvo
Esteemed Contributor III

What's New in macOS | macOS Sierra 10.12


Did some digging last night, found the default might be stored here as a TTL DEFAULT value:

# defaults read /System/Library/Preferences/Logging/Subsystems/com.apple.mac.install.plist                    
{
    BridgeOSInstall =     {
        "Default-Privacy-Setting" = Public;
    };
    "DEFAULT-OPTIONS" =     {
        "Enable-Oversize-Messages" = 1;
        "Event-Log" =         {
            Enabled = Inherit;
        };
        Level =         {
            Enable = Info;
            Persist = Info;
        };
        TTL =         {
            Default = 30;
        };
    };
    EmbeddedOSInstall =     {
        "Default-Privacy-Setting" = Public;
        "Event-Log" =         {
            Enabled = 1;
        };
    };
    EmbeddedOSSerial =     {
        "Default-Privacy-Setting" = Public;
    };
    OSPersonalization =     {
        "Default-Privacy-Setting" = Public;
    };
}

Haven't yet come up with a way to change TTL value.

--
https://donmontalvo.com