Apple macOS kernel
NXLog supports different ways of collecting Apple macOS kernel logs:
- Collect directly with the im_kernel module, which requires disabling syslogd.
- Collect via the local log file with im_file; see Local syslog below.
Example 1. Collecting kernel logs directly

This configuration uses the im_kernel module to read events directly from the kernel (via /dev/klog). This requires that syslogd be disabled as follows:

- Unload the daemon.

  $ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

- Rename the plist to keep syslogd from starting again at the next reboot.

  $ sudo mv /System/Library/LaunchDaemons/com.apple.syslogd.plist \
      /System/Library/LaunchDaemons/com.apple.syslogd.plist.disabled

nxlog.conf

  <Extension _syslog>
      Module  xm_syslog
  </Extension>

  <Input kernel>
      Module  im_kernel
      Exec    parse_syslog_bsd();
  </Input>
Newer versions of Apple macOS use the unified logging system (ULS) together with System Integrity Protection (SIP), which makes disabling syslogd cumbersome while SIP is enabled. For this setup, you can leverage the im_exec module to collect from /usr/bin/log stream --style=json --type=log.

Example 2. Collecting ULS kernel logs from /usr/bin/log

This configuration uses the im_exec module to read events from the kernel (via /usr/bin/log) and parses the data with the xm_json module. Because /usr/bin/log emits one long JSON array, the xm_multiline extension starts a new record at each line beginning with "[{" or "},{", and the Exec block rewrites each fragment into a standalone JSON object before parse_json() is called.

nxlog.conf

  <Extension json>
      Module  xm_json
  </Extension>

  <Extension multiline>
      Module      xm_multiline
      HeaderLine  /^\[{|^},{/
  </Extension>

  <Input in>
      Module      im_exec
      Command     /usr/bin/log
      Arg         stream
      Arg         --style=json
      Arg         --type=log
      InputType   multiline
      <Exec>
          $raw_event =~ s/^\[{|^},{/{/;
          $raw_event =~ s/\}]$//;
          $raw_event = $raw_event + "\n}";
          parse_json();
      </Exec>
  </Input>
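To see what the HeaderLine split and the three rewrites in the Exec block do to the streamed array, the following is an added Python example; it is not part of the NXLog documentation or the NXLog product. It reproduces the xm_multiline record splitting and the regex repairs over a constructed sample of /usr/bin/log stream --style=json output (the field set is trimmed; the real command emits many more keys), parses each record, and then keeps only error-level kernel events, the kind of filter a detection pipeline would apply downstream. The sample text, the function names and the error filter are all assumptions made for this example.

```python
import json
import re

# Constructed sample of what `/usr/bin/log stream --style=json --type=log`
# emits: a single JSON array whose elements are printed as they arrive.
# Keys are a trimmed subset; real output carries many more fields.
SAMPLE_STREAM = """[{
  "timestamp" : "2024-05-01 10:15:02.123456+0000",
  "processImagePath" : "/kernel",
  "subsystem" : "com.apple.kernel",
  "messageType" : "Default",
  "eventMessage" : "IOPlatformExpert: power state changed"
},{
  "timestamp" : "2024-05-01 10:15:03.654321+0000",
  "processImagePath" : "/kernel",
  "subsystem" : "com.apple.kernel",
  "messageType" : "Error",
  "eventMessage" : "Sandbox: denied file-read-data /private/var/db/example"
},{
  "timestamp" : "2024-05-01 10:15:04.000001+0000",
  "processImagePath" : "/kernel",
  "subsystem" : "com.apple.kernel",
  "messageType" : "Default",
  "eventMessage" : "array closed because the sample stream ended"
}]
"""

# Same pattern as the HeaderLine directive in the nxlog.conf above:
# a new record begins on any line that starts with "[{" or "},{".
HEADER_LINE = re.compile(r"^\[{|^},{")


def split_multiline(text):
    """Mimic xm_multiline: group lines into records, each opened by a header line."""
    records, current = [], []
    for line in text.splitlines(keepends=True):
        if HEADER_LINE.match(line) and current:
            records.append("".join(current))
            current = []
        current.append(line)
    if current:
        records.append("".join(current))
    return records


def repair_record(raw_event):
    """Apply the three rewrites from the <Exec> block to one multiline record."""
    raw_event = re.sub(r"^\[{|^},{", "{", raw_event)  # s/^\[{|^},{/{/
    raw_event = re.sub(r"\}]$", "", raw_event)         # s/\}]$//  (only the final record has "}]")
    return raw_event + "\n}"                           # $raw_event + "\n}"


def parse_log_stream(text):
    """Full pipeline: split, repair, parse_json(); returns a list of dicts."""
    return [json.loads(repair_record(record)) for record in split_multiline(text)]


def kernel_errors(events):
    """Downstream filter: kernel-sourced events at Error or Fault level."""
    return [
        event for event in events
        if event.get("processImagePath") == "/kernel"
        and event.get("messageType") in ("Error", "Fault")
    ]


if __name__ == "__main__":
    events = parse_log_stream(SAMPLE_STREAM)
    for event in events:
        print(event["timestamp"], event["messageType"], event["eventMessage"])
    print(len(kernel_errors(events)), "error-level kernel event(s)")
```

Note that the `\}]$` rewrite only has work to do when the array is closed, which in the sample happens because the text ends; a live `log stream` never closes its array, so that branch matters only if the log process exits, and each record is otherwise completed when the next `},{` header line arrives.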