How to start Syslogd server on Mac to accept remote logging messages? - macos

Does anyone know how to start the Syslogd server on a Mac so that it accepts remote logging messages?
I started Syslogd, but it seems it doesn't accept remote messages.
If I do a netstat -an it looks like UDP port 514 is listening. However, if I scan the server from my laptop using nmap, I don't see UDP 514. It's likely the port is being blocked somewhere. I have checked ipfw but it does not look like any rules are defined.
I've seen lots of articles that say you have to specify the -r option. Is this the same on a Mac?
How do I do that on a Mac?

Syslogd should already be running on your system; what you need to do is enable its UDP listening option. This is controlled by a section near the end of /System/Library/LaunchDaemons/com.apple.syslogd.plist; remove the comment markers so that it looks like this:
<!--
Un-comment the following lines to enable the network syslog protocol listener.
-->
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
</dict>
</dict>
</plist>
And then reload the syslogd daemon either by rebooting, or by running:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
UPDATE: Starting in OS X v10.7, Apple switched com.apple.syslogd.plist to a binary plist format, which doesn't include the relevant comment, and isn't editable as plain text. With the new format, PlistBuddy seems to be the easiest way to add the listener:
cd /System/Library/LaunchDaemons
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener dict" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockServiceName string syslog" com.apple.syslogd.plist
sudo /usr/libexec/PlistBuddy -c "add :Sockets:NetworkListener:SockType string dgram" com.apple.syslogd.plist
sudo launchctl unload com.apple.syslogd.plist
sudo launchctl load com.apple.syslogd.plist

A bit old, but I did have to do this today, and while searching around for a simple piece of software to do it for me I came across this question.
All I really wanted to do was watch some syslog entries for a short period of time and see what was coming from the server, so what I ended up doing was:
sudo tcpdump -lns 0 -w - udp and port 514 | strings
This will simply print any message that is sent to your machine to the output so you can see it.
Anyway, if you do this and it outputs messages that are being transmitted to your server, you can be sure it's not being blocked by your firewall or any other hardware in the middle.

Related

SSH tunnelling in Catalina to use Screen Sharing (VNC)

I am using the following to try and ssh tunnel to a remote machine via a master one:
ssh -J username1@1.2.3.4 username2@5.6.7.8 -L 5900:localhost:5900
Password:
Password:
bind [::1]:5900: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 5900
Could not request local forwarding.
This works perfectly on Mojave (executing vnc://localhost afterwards in a new Terminal window). But in Catalina, no. I get: You cannot control your own screen.
About port 5900 already in use, I ran sudo lsof -i tcp:5900 and I can't see any process using that port.
I finally made tunnelling work in Catalina:
First ssh -J username1@1.2.3.4 username2@5.6.7.8 -L 5901:localhost:5900.
Then open 'vnc://localhost:5901' in a new Terminal window.

SNMPd opens "random" UDP port besides 161 and 162 to the outside

I would like to use snmp to monitor my localhost and have installed the corresponding package on Ubuntu 18.03 with apt install snmp. Without having changed the default configuration, I have launched the daemon with systemctl start snmpd. After launching the daemon the output of lsof -i -n | grep snmpd is as follows:
snmpd 14668 Debian-snmp 12u IPv4 13252990 0t0 UDP 127.0.0.1:snmp
snmpd 14668 Debian-snmp 13u IPv4 13252988 0t0 UDP *:41898
I am wondering about the second line of the output, as the port has been opened to the outside. Restarting the daemon changes the open port to another (randomized?) high port number. I have been looking up this behaviour for a couple of hours and wasn't able to find any explanation.
Can anybody explain to me what's going on here or how to disable/remove the open port?
Configuration
agentAddress is configured as follows:
# /etc/snmp/snmpd.conf
# Listen for connections from the local system only
agentAddress udp:127.0.0.1:161
The daemon has been launched with following options:
# /etc/default/snmp
# snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -p /run/snmpd.pid'
Output of ps aux | grep snmpd
/usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f
So, if anybody comes across the same question: The UDP port has been opened by snmp-traps. In order to avoid this behavior, I had to comment out following line in the snmpd.conf:
/etc/snmp/snmpd.conf
# ACTIVE MONITORING
# send SNMPv1 traps
# !comment this line out!
# trapsink localhost public
Read this link for further information: https://sourceforge.net/p/net-snmp/mailman/message/29219475/

Where to find sshd logs on MacOS sierra

I want to install a pseudo-distributed HBase environment on my Mac OS Sierra (10.12.4). It requires ssh to be installed and the ability to log in with ssh localhost without a password. But sometimes I come across an error when I use ssh to log in. The above is the background; the actual question is: where can I find the debug logs of sshd, so I can find out why the login failed?
As far as I know, macOS already has sshd installed and uses launchd to manage it, and I know one way to output debug logs is sshd -E /var/log/sshd.log, but when I reviewed the /etc/ssh/sshd_config configuration there are two lines:
#SyslogFacility AUTH
#LogLevel INFO
I guess these two lines are used to configure debug mode, so I removed the # before them, set LogLevel to DEBUG3 and then restarted sshd:
$ launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
$ launchctl load -w /System/Library/LaunchDaemons/ssh.plist
And then I set log path in /etc/syslog.conf:
auth.*<tab>/var/log/sshd.log
<tab> means tab character here, and reloaded the config:
$ killall -HUP syslogd
But the sshd.log file cannot be found in the /var/log folder when I execute ssh localhost. I also tried configuring /etc/asl.log:
> /var/log/sshd.log format=raw
? [= Facility auth] file sshd.log
The result was the same; can someone help me?
Apple, as usual, decided to re-invent the wheel.
In super-user window
# log config --mode "level:debug" --subsystem com.openssh.sshd
# log stream --level debug 2>&1 | tee /tmp/logs.out
In another window
$ ssh localhost
$ exit
Back in Super-user window
^C (interrupt)
# grep sshd /tmp/logs.out
2019-01-11 08:53:38.991639-0500 0x17faa85 Debug 0x0 37284 sshd: (libsystem_network.dylib) sa_dst_compare_internal <private>#0 < <private>#0
2019-01-11 08:53:38.992451-0500 0xb47b5b Debug 0x0 57066 socketfilterfw: (Security) [com.apple.securityd:unixio] open(/usr/sbin/sshd,0x0,0x1b6) = 12
...
...
In super-user window, restore default sshd logging
# log config --mode "level:default" --subsystem com.openssh.sshd
You can find it in /var/log/system.log. Better if you filter by "sshd":
grep sshd /var/log/system.log
Try this
cp /System/Library/LaunchDaemons/ssh.plist /Library/LaunchDaemons/ssh.plist
Then
vi /Library/LaunchDaemons/ssh.plist
And add your -E as shown below
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
<string>-E</string>
<string>/var/log/system.log</string>
</array>
And lastly restart sshd; now you will see the sshd logs in /var/log/system.log:
launchctl unload /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /Library/LaunchDaemons/ssh.plist
I also had an ssh issue that I wanted to debug further and was not able to figure out how to get the sshd debug logs to appear in any of the usual places. I resorted to editing the /System/Library/LaunchDaemons/ssh.plist file to add a -E <log file location> parameter (/tmp/sshd.log, for example). I also edited /etc/ssh/sshd_config to change the LogLevel. With these changes, I was able to view the more verbose logs in the specified log file.
I don't have much experience with MacOS so I'm sure there is a more correct way to configure this, but for lack of a better approach this got the logs I was looking for.
According to Apple's developer website, logging behavior has changed in macOS 10.12 and up:
Important:
Unified logging is available in iOS 10.0 and later, macOS 10.12 and later, tvOS 10.0 and later, and watchOS 3.0 and later, and supersedes ASL (Apple System Logger) and the Syslog APIs. Historically, log messages were written to specific locations on disk, such as /etc/system.log. The unified logging system stores messages in memory and in a data store, rather than writing to text-based log files.
Unfortunately, unless someone comes up with a pretty clever way to extract the log entries from memory or this mysterious "data store", I think we're SOL :/
There is some sshd log in
/var/log/system.log
for example
Apr 26 19:00:11 mac-de-mamie com.apple.xpc.launchd[1] (com.openssh.sshd.7AAF2A76-3475-4D2A-9EEC-B9624143F2C2[535]): Service exited with abnormal code: 1
Not very instructive. I doubt if more can be obtained. LogLevel VERBOSE and LogLevel DEBUG3 in sshd_config do not help.
According to man sshd_config :
"Logging with a DEBUG level violates the privacy of users and is not recommended."
By the way, I relaunched sshd not with launchctl but with System preference Sharing, ticking Remote login.
There, I noticed the option : Allow access for ...
I suspect this settings to be OUTSIDE /etc/ssh/sshd_config
(easy to check but I have no time).
Beware that Mac OS X is not Unix: Apple developers can do many strange things behind the scenes without any care for us command-line users.
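Once you have sshd output, whether prefixed lines in /var/log/system.log or a bare file written with -E, the question "why did the login fail" is answered by the Accepted/Failed lines. Here is an added Python 3 example (not from any answer above) that pulls those events out of both forms and summarises them: which users got in and by which method, which method failed for which user, how many failures came from each source, and which usernames do not exist on the machine. The sample lines are constructed; the hostnames, users and key fingerprints are made up, but the message formats are the ones OpenSSH writes at LogLevel INFO and VERBOSE.

```python
import re
from collections import Counter

# Syslog prefix as written to /var/log/system.log; a file written with sshd -E has none.
_PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")
# "Accepted publickey for alice from 10.0.0.5 port 5000 ssh2: ..."
# "Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2"
_AUTH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
                   r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
_INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

# Constructed sample: two system.log-style lines, then lines as sshd -E writes them at
# LogLevel VERBOSE (a debug line included to show it is ignored). Names are made up.
SAMPLE = """\
Apr 26 19:00:11 mac-de-mamie sshd[612]: Accepted publickey for alice from 127.0.0.1 port 52314 ssh2: RSA SHA256:Qm9n
Apr 26 19:00:15 mac-de-mamie sshd[620]: Invalid user admin from 203.0.113.7 port 40022
Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Failed publickey for bob from 198.51.100.4 port 55001 ssh2: ED25519 SHA256:ZXhh
Accepted keyboard-interactive/pam for bob from 198.51.100.4 port 55002 ssh2
debug1: do_cleanup
"""


def parse_event(line):
    """Classify one sshd line; returns None for lines that are not authentication events."""
    body = _PREFIX.sub("", line.strip(), count=1)
    m = _AUTH.match(body)
    if m:
        return {"kind": "accepted" if m.group("result") == "Accepted" else "failed",
                "method": m.group("method"), "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "src": m.group("src"), "port": int(m.group("port"))}
    m = _INVALID.match(body)
    if m:
        return {"kind": "invalid", "method": None, "user": m.group("user"),
                "invalid_user": True, "src": m.group("src"), "port": int(m.group("port"))}
    return None


def triage(lines):
    """Summarise who got in, which methods failed for whom, and which sources are probing."""
    accepted, failed = [], []
    by_source = Counter()
    invalid_users = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "accepted":
            accepted.append(ev)
        else:
            if ev["kind"] == "failed":
                failed.append(ev)
                by_source[ev["src"]] += 1
            if ev["invalid_user"]:
                invalid_users.add(ev["user"])
    return {"accepted": accepted, "failed": failed,
            "failures_by_source": dict(by_source), "invalid_users": invalid_users}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    report = triage(source)
    for ev in report["failed"]:
        print("FAILED  %-24s %-10s from %s" % (ev["method"], ev["user"], ev["src"]))
    for ev in report["accepted"]:
        print("ACCEPTED %-24s %-10s from %s" % (ev["method"], ev["user"], ev["src"]))
    print("failures by source:", report["failures_by_source"])
    print("nonexistent users tried:", sorted(report["invalid_users"]))
```

Point it at the file you gave to -E (or at /var/log/system.log); for the "ssh localhost without a password" case in the question, a "Failed publickey" line for your user followed by a password prompt means the key was offered but the server refused it, which is a permissions or authorized_keys problem rather than a network one.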

Can't package react native because of port 8081 sunproxyadmin

when I run this in terminal:
lsof -n -i4TCP:8081
I get this
node 10901 me 28u IPv6 0xbcad49 0t0 TCP *:sunproxyadmin (LISTEN)
foo 11957 me 15u IPv4 0xbcad49 0t0 TCP 127.0.0.1:61127->127.0.0.1:sunproxyadmin (CLOSE_WAIT)
What is this sunproxyadmin?
Per http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8081, TCP port 8081 is the well known port for sunproxyadmin the same way 80 is the well known port for http. In this case, you have a node process that is listening on port 8081, but lsof is trying to be helpful and show the well known port for this. Under linux, this is defined in /etc/services; I would expect OS X is similar.
Edit 1: Note that per Apple Man Pages, passing -P
inhibits the conversion of port numbers to port names for network files.
Inhibiting the conversion may make lsof run a little faster. It
is also useful when port name lookup is not working properly.
This should cause lsof to not print out the confusing sunproxyadmin for something that just happens to use the port that Sun registered.
Edit 2: The second column in your response (e.g. 10901 in the first row, which is the one you want, and 11957 in the second row) should be the process ID. If you do ps aux | grep 10901 (or ps elf | grep [pid], as I can't remember which works right for OSX and don't have it handy) you should get something like:
apache 19783 0.0 0.2 251888 8580 ? S Oct07 0:00
/usr/sbin/httpd -DFOREGROUND
(or to make something up:
nodeuser 10901 0.0 0.2 251888 8580 ? S Oct07 0:00 node index.js
)
You can kill it with kill -9 10901 (or whatever the PID was) though you might find it comes back if it's running as a service or what.
This is useful enough to add to your bash profile:
function findbyport()
{
sudo lsof -P -iTCP:$1 -sTCP:LISTEN
}
To kill it, run this in your terminal:
sudo lsof -i :8081
from there get the PID number and then run
kill -9 <PID NUMBER>
You can check on FB documentation for more info
If you don't want to kill the sunproxyadmin process, try starting React Native on a different port with the command:
react-native start --port your_port
Then open Dev settings (see how to open dev menu), and modify Debug server host & port for device to: your_local_ip:your_port
There is this McAfee antivirus running on my Mac. I am able to kill it (even though I should not be killing it, I tried it, and it looks like it never dies! Sudo has no power after all!). So after a lot of research I tried this one.
Step 1 : Get the process' PID
sudo lsof -n -i4TCP:8081
Step 2 : Find the launchd endpoint
sudo launchctl list | grep
Step 3 : Remove mcafee
sudo launchctl remove com.mcafee.agent.macmn
If this one works for you, please say thanks to me as well as to https://fantashit.com/unable-to-perform-react-native-start/
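Both the snmpd thread above and this one came down to reading lsof -i output and deciding which sockets are actually reachable from outside: snmpd's trap socket on *:41898 and node's *:sunproxyadmin were bound to every interface, while 127.0.0.1:snmp and the CLOSE_WAIT client socket were not. Here is an added Python 3 example (not from any of the answers) that does that classification over constructed lsof lines copied from the two threads. It assumes lsof's usual column layout, treats every UDP socket without a peer and every TCP socket in LISTEN as a listener, and resolves service names through a small embedded table (lsof -P would skip that step and print numbers). A wildcard bind only means the port is reachable if no host firewall sits in front of it, as the syslog thread at the top shows.

```python
import socket

# Constructed subset of /etc/services so the example resolves names offline.
KNOWN_SERVICES = {"ssh": 22, "http": 80, "snmp": 161, "snmptrap": 162, "syslog": 514,
                  "rfb": 5900, "sunproxyadmin": 8081}
WILDCARDS = {"*", "0.0.0.0", "::"}

# Lines lifted from the two threads above (snmpd on Ubuntu, node on macOS), plus a header.
SAMPLE = """\
COMMAND   PID        USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
snmpd   14668 Debian-snmp  12u  IPv4 13252990      0t0  UDP 127.0.0.1:snmp
snmpd   14668 Debian-snmp  13u  IPv4 13252988      0t0  UDP *:41898
node    10901          me  28u  IPv6 0xbcad49      0t0  TCP *:sunproxyadmin (LISTEN)
foo     11957          me  15u  IPv4 0xbcad49      0t0  TCP 127.0.0.1:61127->127.0.0.1:sunproxyadmin (CLOSE_WAIT)
"""


def port_number(name):
    """Turn lsof's service name back into a number; None if it cannot be resolved."""
    if name.isdigit():
        return int(name)
    if name in KNOWN_SERVICES:
        return KNOWN_SERVICES[name]
    try:
        return socket.getservbyname(name)
    except OSError:
        return None


def split_endpoint(endpoint):
    """'127.0.0.1:snmp' -> ('127.0.0.1', 'snmp'); '[::1]:5900' -> ('::1', '5900'); '*:41898' -> ('*', '41898')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def scope(host):
    if host in WILDCARDS:
        return "all-interfaces"
    if host == "::1" or host.startswith("127."):
        return "loopback"
    return "specific"


def listeners(lsof_output):
    """Return the sockets that accept traffic: every unconnected UDP socket and every TCP socket in LISTEN."""
    found = []
    for line in lsof_output.splitlines():
        parts = line.split()
        proto_idx = next((i for i, tok in enumerate(parts) if tok in ("TCP", "UDP")), None)
        if proto_idx is None or proto_idx + 1 >= len(parts):
            continue                        # header line or something that is not an inet socket
        proto, name = parts[proto_idx], parts[proto_idx + 1]
        state = parts[proto_idx + 2].strip("()") if len(parts) > proto_idx + 2 else ""
        if "->" in name or (proto == "TCP" and state != "LISTEN"):
            continue                        # connected or half-closed sockets are not listeners
        host, svc = split_endpoint(name)
        found.append({"command": parts[0], "pid": int(parts[1]), "user": parts[2],
                      "proto": proto, "host": host, "port": port_number(svc),
                      "service": svc, "scope": scope(host)})
    return found


def exposed(lsof_output):
    """Listeners bound to every interface: the ones a scan from another host can see (firewall permitting)."""
    return [f for f in listeners(lsof_output) if f["scope"] == "all-interfaces"]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in exposed(text):
        print("%s[%d] as %s: %s %s:%s (%s)" % (f["command"], f["pid"], f["user"],
                                               f["proto"], f["host"], f["port"], f["service"]))
```

Feed it live output with `sudo lsof -i -n | python3 listeners.py` (the file name is an assumption); anything it prints is a candidate for either a loopback-only bind, like the agentAddress line in the snmpd thread, or a firewall rule.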

Best way to run rsync as a LaunchDaemon from an osx 10.6.8 machine to back up data to an Ubuntu 11.1 server

I am running rsync as a LaunchDaemon from an osx 10.6.8 workstation to back up data to an Ubuntu 11.1 server. Since I am putting my plist file in /Library/LaunchDaemons, it runs as root. Unfortunately, it fails because the command requires the root password of the server. When I run it using myself as a user, rsync uses the ssh key I've set up between the two machines for my account but unfortunately, it fails building a full file list on my osX machine because I do not have the permissions to list other user's directories.
I can see a couple of possibilities, neither of which I know how to do:
-1- On osx, how can I give myself the permissions to list other users' directories so I can run the daemon under my own user name?
OR
-2- If I run the rsync daemon as root, can I set up ssh keys between the root accounts of both machines in a safe way? Alternatively, can I automatically feed the password to the daemon job in a relatively safe way?
I see two easy possibilities for using your key under the root account:
Copy your ssh key into the root account's ssh directory (/var/root/.ssh).
Specify your ssh key explicitly in the ssh command, something like this:
<key>ProgramArguments</key>
<array>
<string>/usr/bin/rsync</string>
<string>-e</string>
<string>ssh -i /Users/thomashollier/.ssh/id_rsa</string>
<string>...etc...</string>
</array>
Thanks for the tip. I copied my key over to the server's proper location for the root ssh key. I was able to ssh and rsync from my osX machine to the server on the command line but not directly from my launchDaemon. The rsync command on the command line required the -e "ssh -i /path/to/my/key/id_dsa" argument and I haven't figured out how to include these quotes in the plist file other than feeding it a bash command as follows:
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/bin/rsync -avz /Users/myusername/Documents -e "ssh -i /Users/myusername/.ssh/id_dsa" server:/media/Backup/backup/</string>
</array>
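The follow-up above works around the quoting problem with bash -c, but that is not needed: rsync's -e/--rsh option takes the entire remote-shell command as one argument and splits it on whitespace itself, so the plist can carry it as a single <string>. The added Python 3 example below (not from the thread) builds that ProgramArguments vector, writes it out with plistlib, reads it back, and checks a few things a root-run job should get right; the label local.rsync-backup and the StartInterval are assumptions, the paths are the ones from the thread. It also shows, with shlex, that the bash -c string from the follow-up resolves to the same argument vector. Adding -o BatchMode=yes makes ssh exit with an error instead of hanging on a password prompt if root's key is not accepted, which is what you want from an unattended daemon.

```python
import plistlib
import shlex

LABEL = "local.rsync-backup"   # assumed label; pick your own reverse-DNS style name


def rsync_argv(src, dest, identity):
    """argv for rsync over ssh with an explicit key.

    rsync's -e takes the whole remote-shell command as ONE argument and splits it
    itself, so launchd can hand it over as a single <string>: no bash -c, no quoting.
    """
    return ["/usr/bin/rsync", "-avz", "-e", "ssh -i %s -o BatchMode=yes" % identity, src, dest]


def launchd_job(argv, interval):
    """Serialise a LaunchDaemon plist that runs argv every `interval` seconds."""
    job = {"Label": LABEL,
           "ProgramArguments": argv,
           "StartInterval": interval,
           "StandardErrorPath": "/var/log/%s.log" % LABEL}
    return plistlib.dumps(job, fmt=plistlib.FMT_XML)


def argv_from_shell(cmdline):
    """What the shell hands rsync for the quoted form used in the follow-up above."""
    return shlex.split(cmdline)


def check_job(plist_bytes):
    """Return a list of problems with a job's ProgramArguments; empty means it looks sane."""
    args = plistlib.loads(plist_bytes)["ProgramArguments"]
    problems = []
    if args[0] in ("/bin/bash", "/bin/sh"):
        problems.append("goes through a shell; pass rsync its arguments directly")
    if "-e" in args and args.index("-e") + 1 < len(args):
        rsh = shlex.split(args[args.index("-e") + 1])
        if "-i" in rsh and rsh.index("-i") + 1 < len(rsh) and not rsh[rsh.index("-i") + 1].startswith("/"):
            problems.append("identity path is not absolute; LaunchDaemons start in / unless WorkingDirectory is set")
        if "BatchMode=yes" not in rsh:
            problems.append("ssh may block on a password prompt; add -o BatchMode=yes")
    return problems


if __name__ == "__main__":
    argv = rsync_argv("/Users/myusername/Documents", "server:/media/Backup/backup/",
                      "/Users/myusername/.ssh/id_dsa")
    data = launchd_job(argv, 3600)
    print(data.decode())
    print("problems:", check_job(data) or "none")
```

Write the output to /Library/LaunchDaemons/local.rsync-backup.plist (owned by root:wheel, mode 644) and load it with launchctl as in the first answer; because the job runs as root, the key file it names must be readable by root, and the server side should accept that key only for the backup path it needs.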
