Apple macOS kernel

NXLog supports different ways of collecting Apple macOS kernel logs:

  • Collecting directly with the im_kernel module, which requires disabling syslogd.

  • Collecting via the local log file with im_file; see the Local syslog documentation.

Example 1. Collecting kernel logs directly

This configuration uses the im_kernel module to read events directly from the kernel log device (/dev/klog). The device accepts a single reader, and syslogd normally holds it open, so syslogd must be disabled first:

  1. Unload the daemon.

    $ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
  2. Rename the plist so that syslogd does not start again at the next reboot.

    $ sudo mv /System/Library/LaunchDaemons/com.apple.syslogd.plist \
      /System/Library/LaunchDaemons/com.apple.syslogd.plist.disabled

nxlog.conf
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input kernel>
    Module  im_kernel
    Exec    parse_syslog_bsd();
</Input>

Newer versions of Apple macOS log through the Unified Logging System (ULS), and System Integrity Protection (SIP) prevents changes to files under /System/Library/LaunchDaemons, so the syslogd workaround above is not practical while SIP is enabled. Two alternatives leave syslogd untouched: the im_maculs module collects events natively from ULS, and the im_exec module can run /usr/bin/log stream --style=json --type=log and collect its output, as shown in the next example.

Example 2. Collecting ULS kernel logs from /usr/bin/log

This configuration uses the im_exec module to run /usr/bin/log stream as a subprocess, reassembles each JSON object from the streamed array with the xm_multiline module, and parses it with the xm_json module. Note that --type=log streams events from every process on the system, not only the kernel; kernel events are the ones with processID 0 and processImagePath /kernel, as in the output sample below, so filter on those fields in the Exec block (or restrict the stream itself) if you want kernel messages only.

nxlog.conf
<Extension json>
    Module        xm_json
</Extension>

<Extension multiline>
    Module        xm_multiline
    # log stream emits a single JSON array; a new element starts at "[{" or "},{"
    HeaderLine    /^\[{|^},{/
</Extension>

<Input in>
    Module        im_exec
    Command       /usr/bin/log
    Arg           stream
    Arg           --style=json
    Arg           --type=log
    InputType     multiline
    <Exec>
        # Turn the array element back into a standalone JSON object:
        # replace the "[{" or "},{" header with "{", drop the trailing "}]"
        # that closes the array when the stream ends, and re-add the closing
        # brace that the multiline split moved into the next header.
        $raw_event =~ s/^\[{|^},{/{/;
        $raw_event =~ s/\}]$//;
        $raw_event = $raw_event + "\n}";
        parse_json();
    </Exec>
</Input>
Output sample
{
  "traceID" : 1560692331642884,
  "eventMessage" : "LQM-WIFI-CT: ofdmDesense=0 bphyDesense=0 reason=0x0",
  "eventType" : "logEvent",
  "source" : null,
  "formatString" : "LQM-WIFI-CT: ofdmDesense=%d bphyDesense=%d reason=0x%x\n",
  "activityIdentifier" : 0,
  "subsystem" : "",
  "category" : "",
  "threadID" : 695198,
  "senderImageUUID" : "F4EA47DC-EFC5-38A9-915B-2B96EC70A5D4",
  "backtrace" : {
    "frames" : [
      {
        "imageOffset" : 770864,
        "imageUUID" : "F4EA47DC-EFC5-38A9-915B-2B96EC70A5D4"
      }
    ]
  },
  "bootUUID" : "",
  "processImagePath" : "\/kernel",
  "timestamp" : "2022-05-26 15:00:39.133887+0300",
  "senderImagePath" : "\/System\/Library\/Extensions\/IO80211Family.kext\/Contents\/MacOS\/IO80211Family",
  "machTimestamp" : 5758678081262,
  "messageType" : "Default",
  "processImageUUID" : "C44613B0-01A6-3609-A18D-29AC6CE3DAAF",
  "processID" : 0,
  "senderProgramCounter" : 770864,
  "parentActivityIdentifier" : 0,
  "timezoneName" : ""
}
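The following is an added example, not part of the NXLog documentation or the NXLog code base. It reimplements in Python the reassembly that the xm_multiline HeaderLine and the three rewrites in the im_exec Exec block above perform on the output of /usr/bin/log stream --style=json, so that the framing can be tested offline. It adds the incremental buffering that a real pipe reader needs (an element is parsed only once the next "},{" header or the closing "}]" has arrived) and a filter that keeps kernel events only, since --type=log streams every process. The sample stream is constructed, not captured from a host, and only echoes a few of the fields in the output sample above.

```python
import json
import re

# A record boundary in `log stream --style=json` output is the "[{" that opens
# the array or the "},{" that separates elements; this is the same pattern the
# xm_multiline HeaderLine in the NXLog configuration above keys on.
HEADER = re.compile(r"^\[\{|^\},\{")


def split_records(text):
    """Split a buffer of `log stream --style=json` output into parsed events.

    Mirrors the three rewrites in the im_exec <Exec> block: the header becomes
    a plain "{", a trailing "}]" (end of stream) is dropped, and the closing
    brace that the split moved into the next header is re-added.  Returns
    (records, remainder); remainder is the unfinished last chunk that must be
    kept until more data arrives.
    """
    chunks = []
    for line in text.splitlines(keepends=True):
        if HEADER.match(line):
            chunks.append([line])
        elif chunks:
            chunks[-1].append(line)
        # Anything before the first header is not part of an event; drop it.

    records, remainder = [], ""
    for i, chunk in enumerate(chunks):
        body = "".join(chunk)
        is_last = i == len(chunks) - 1
        if is_last and not body.rstrip().endswith("}]"):
            # Not terminated by a following header or by the end of the
            # array: keep it buffered instead of parsing a truncated object.
            remainder = body
            break
        body = HEADER.sub("{", body, count=1)       # s/^\[{|^},{/{/
        body = re.sub(r"\}\]\s*$", "", body)        # s/\}]$//
        body = body.rstrip() + "\n}"                # + "\n}"
        records.append(json.loads(body))
    return records, remainder


class LogStreamParser:
    """Incremental wrapper: feed() arbitrary pieces of the stream as they
    arrive from the pipe and get back only the events that are complete."""

    def __init__(self):
        self.buffer = ""

    def feed(self, data):
        self.buffer += data
        records, self.buffer = split_records(self.buffer)
        return records


def kernel_events(records):
    """`--type=log` streams every process on the system; kernel messages are
    the ones attributed to PID 0 with the image path "/kernel"."""
    return [r for r in records
            if r.get("processID") == 0 and r.get("processImagePath") == "/kernel"]


# Constructed sample (not captured from a real host) in the shape `log stream
# --style=json --type=log` emits: an array that stays open while the stream
# runs.  The third element is cut off mid-object, as a pipe read would be.
SAMPLE_STREAM = r"""[{
  "eventMessage" : "LQM-WIFI-CT: ofdmDesense=0 bphyDesense=0 reason=0x0",
  "eventType" : "logEvent",
  "subsystem" : "",
  "processImagePath" : "\/kernel",
  "timestamp" : "2022-05-26 15:00:39.133887+0300",
  "messageType" : "Default",
  "processID" : 0
},{
  "eventMessage" : "hello from userland",
  "eventType" : "logEvent",
  "subsystem" : "com.example.app",
  "processImagePath" : "\/usr\/bin\/example",
  "timestamp" : "2022-05-26 15:00:40.000000+0300",
  "messageType" : "Info",
  "processID" : 4242
},{
  "eventMessage" : "partial record still being written",
"""

# The rest of the third event, followed by the separator that closes it.
SAMPLE_CONTINUATION = r"""  "processImagePath" : "\/kernel",
  "processID" : 0
},{
"""

# A final event and the "]" that ends the array when `log stream` exits.
SAMPLE_END = r"""  "eventMessage" : "last event before the stream closed",
  "processID" : 7
}]
"""

if __name__ == "__main__":
    parser = LogStreamParser()
    for piece in (SAMPLE_STREAM, SAMPLE_CONTINUATION, SAMPLE_END):
        for event in kernel_events(parser.feed(piece)):
            print(event.get("timestamp", "-"), event["eventMessage"])
```

Feeding the three constructed pieces in order yields two complete events from the first piece (one kernel, one user-space), the completed third event once its "},{" separator arrives, and the final event once "}]" closes the array; nothing is parsed while an element is still open. The same boundary handling is what the NXLog configuration relies on, which is why InputType multiline with that HeaderLine is required rather than a plain line-based reader.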
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

The accuracy of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

NXLog version 5.5.7535
Apple macOS 12.4 (Monterey)

Last revision: 26 May 2022