How do I send Syslog messages from macOS to EventSentry?

Article ID: 449
Category: Network Monitoring
Updated: 2023-07-19

The syslog daemon (syslogd) on macOS is configured through the /etc/syslog.conf configuration file. Follow the steps below to send all Syslog messages from a macOS machine to EventSentry.

Open the file /etc/syslog.conf in an editor.

sudo nano /etc/syslog.conf

Append the following line to the bottom:

*.* @eventsentryserver:514

Restart the syslog daemon (the stop and start subcommands of launchctl take the job label, com.apple.syslogd, rather than the path of the plist):

sudo launchctl stop com.apple.syslogd
sudo launchctl start com.apple.syslogd

An alternate method to reload the syslog configuration is to send syslogd a HUP signal (SIGHUP), which forces it to re-read /etc/syslog.conf. First find the process ID of syslogd:

$ ps -ef |grep syslogd
    0    134     1   0 19Jul23 ??         10:40.23 /usr/sbin/syslogd
  501   4290  1645   0  10:48AM ttys001    0:00.01 grep syslogd

Use the PID, which in this case is 134, to send the HUP signal to the syslogd process:

sudo kill -HUP 134

Please note the macOS system sending the logs will need to be added to one of your EventSentry groups.

Notes:

Replace "eventsentryserver" with the host name or IP address of the host where EventSentry's Network Services service is installed and running. We recommend that you create a CNAME record (e.g. "syslog", "log", "eventsentry") on your DNS server and use that alias in the configuration files.

It is not necessary to send all Syslog messages to EventSentry, e.g. the following lines only send critical messages to a host with the CNAME alias "eventsentry":

*.emerg   @eventsentry:514
*.alert   @eventsentry:514
*.crit    @eventsentry:514
*.err     @eventsentry:514
*.warning @eventsentry:514
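The following checker is an added example and is not part of this article or of EventSentry; it evaluates forwarding lines of the kind shown above (the "*.* @eventsentryserver:514" line and the five filtered lines) so you can confirm which messages will leave the machine before restarting syslogd. It assumes the BSD syslog.conf(5) selector semantics used by macOS, where "facility.level" matches that level and every more severe level, and it only recognises the facility names listed in the code; the sample configuration embedded in it is constructed for the example.

```python
# Added example (not from the EventSentry article): verify /etc/syslog.conf
# forwarding lines before restarting syslogd. Selector semantics follow
# syslog.conf(5) on BSD/macOS: "facility.level" matches that level and above.
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Severity keywords, most severe first (the order given in syslog.conf(5)).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# Facilities this checker accepts (assumption: the standard BSD set plus local0-7).
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "mark"} | {f"local{i}" for i in range(8)}


class Rule(NamedTuple):
    facility: str   # facility name or "*"
    level: str      # canonical severity keyword or "*"
    host: str
    port: int


# "selector @host[:port]" -- only remote-forwarding actions are of interest here;
# lines whose action is a local file or pipe are ignored by the parser.
_FORWARD_RE = re.compile(r"^(?P<sel>\S+)\s+@(?P<host>[^:\s]+)(?::(?P<port>\d{1,5}))?$")


def parse_forwarding_line(line: str) -> List[Rule]:
    """Return the forwarding rules on one syslog.conf line ([] for comments,
    blank lines and lines that log locally). Raises ValueError on bad selectors."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    m = _FORWARD_RE.match(stripped)
    if not m:
        return []
    port = int(m.group("port") or 514)          # 514/udp is syslog's default port
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {line!r}")
    rules: List[Rule] = []
    for part in m.group("sel").split(";"):      # compound selectors: a.x;b.y
        if "." not in part:
            raise ValueError(f"selector {part!r} lacks '.level' in {line!r}")
        facilities, level = part.rsplit(".", 1)
        level = LEVEL_ALIASES.get(level, level)
        if level != "*" and level not in LEVELS:
            raise ValueError(f"unknown level {level!r} in {line!r}")
        for facility in facilities.split(","):  # a,b.level lists facilities
            if facility != "*" and facility not in FACILITIES:
                raise ValueError(f"unknown facility {facility!r} in {line!r}")
            rules.append(Rule(facility, level, m.group("host"), port))
    return rules


def load_rules(conf_text: str) -> List[Rule]:
    """Collect every forwarding rule from the text of a syslog.conf file."""
    return [r for line in conf_text.splitlines() for r in parse_forwarding_line(line)]


def rule_matches(rule: Rule, facility: str, level: str) -> bool:
    """True when a message of facility/level is selected by the rule."""
    if rule.facility not in ("*", facility):
        return False
    if rule.level == "*":
        return True
    # Lower index means more severe; a selector level matches itself and above.
    return LEVELS.index(level) <= LEVELS.index(rule.level)


def forwarded_to(rules: List[Rule], facility: str, level: str) -> Set[Tuple[str, int]]:
    """Destinations (host, port) that would receive a message of facility/level."""
    return {(r.host, r.port) for r in rules if rule_matches(r, facility, level)}


def least_severe_forwarded(rules: List[Rule], facility: str, host: str,
                           port: int = 514) -> Optional[str]:
    """Least severe level of `facility` that still reaches host:port, or None."""
    for level in reversed(LEVELS):              # debug, info, ... emerg
        if (host, port) in forwarded_to(rules, facility, level):
            return level
    return None


# Constructed sample configuration (not a real /etc/syslog.conf).
SAMPLE_CONF = """\
# local logging stays as it was
*.notice;authpriv.*     /var/log/system.log
# warnings and above to EventSentry, every kernel message to a second collector
*.emerg   @eventsentry:514
*.alert   @eventsentry:514
*.crit    @eventsentry:514
*.err     @eventsentry:514
*.warning @eventsentry:514
kern.*    @backup-collector:10514
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF)
    for fac, lvl in [("user", "crit"), ("user", "notice"), ("kern", "debug")]:
        dests = sorted(forwarded_to(rules, fac, lvl)) or "not forwarded"
        print(f"{fac}.{lvl:<8} -> {dests}")
    print("least severe user.* level reaching eventsentry:",
          least_severe_forwarded(rules, "user", "eventsentry"))
```

Run it against your own file with `load_rules(open("/etc/syslog.conf").read())`. Because a selector level matches itself and everything more severe, the checker reports "warning" as the least severe level reaching eventsentry for the sample; the single line `*.warning @eventsentry:514` selects exactly the same messages as the five lines above, which is worth knowing when the filter is later tightened or loosened.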