Apple macOS kernel

NXLog supports different ways of collecting Apple macOS kernel logs:

  • Collect directly with the im_kernel module, which requires disabling syslogd.

  • Collect via the local log file with im_file; see Local syslog below.

    Example 1. Collecting kernel logs directly

    This configuration uses the im_kernel module to read events directly from the kernel (via /dev/klog). This requires that syslogd be disabled as follows:

    1. Unload the daemon.

      $ sudo launchctl unload /System/Library/LaunchDaemons/

    2. Rename the plist so that syslogd is not started again at the next reboot.

      $ sudo mv /System/Library/LaunchDaemons/ \

    With syslogd stopped, the following configuration reads from /dev/klog and parses the BSD syslog format with the xm_syslog module:

    <Extension _syslog>
        Module  xm_syslog
    </Extension>

    <Input kernel>
        Module  im_kernel
        # Kernel messages arrive in BSD syslog format; parse_syslog_bsd() is provided by xm_syslog
        Exec    parse_syslog_bsd();
    </Input>

    Newer versions of Apple macOS use the unified logging system (ULS). With System Integrity Protection (SIP) enabled, the system launch daemon plists cannot be modified, so the steps above for disabling syslogd cannot be carried out without first disabling SIP. For this setup, use the im_exec module instead to run /usr/bin/log stream --style=json --type=log and collect its output.

    Example 2. Collecting ULS kernel logs from /usr/bin/log

    This configuration uses the im_exec module to read events from the kernel (via /usr/bin/log) and parses the data with the xm_json module.

    <Extension json>
        Module      xm_json
    </Extension>

    <Extension multiline>
        Module      xm_multiline
        # `log stream --style=json` emits one JSON array; each event starts on a line
        # beginning with "[{" (first event) or "},{" (every later event)
        HeaderLine  /^\[{|^},{/
    </Extension>

    <Input in>
        Module      im_exec
        Command     /usr/bin/log
        Arg         stream
        Arg         --style=json
        Arg         --type=log
        InputType   multiline
        <Exec>
            # Turn the header-line split into a standalone JSON object:
            # replace the leading "[{" or "},{" with "{", drop a trailing "}]"
            # (only seen when the stream ends), and restore the closing brace
            # that belongs to the next header line
            $raw_event =~ s/^\[{|^},{/{/;
            $raw_event =~ s/\}]$//;
            $raw_event = $raw_event + "\n}";
            # Parse the rebuilt object into fields with xm_json
            parse_json();
        </Exec>
    </Input>
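    The header-line split and the three $raw_event rewrites above are easy to get subtly wrong, so here is an added worked example (written for this page, not NXLog's or Apple's code) that reproduces them in Python against a constructed sample shaped like `log stream --style=json --type=log` output. The sample events, their field values, and the assumption that ULS reports kernel messages with processImagePath "/kernel" are mine, not taken from the page; the function names (split_records, fix_record, parse_log_stream, kernel_events) are likewise illustrative.

```python
import json
import re

# The same record-boundary rule as the page's xm_multiline HeaderLine:
# a new event begins at a line starting with "[{" (first event of the
# stream) or "},{" (every subsequent event).
HEADER = re.compile(r"^\[{|^},{")

# Constructed sample shaped like `log stream --style=json --type=log`
# output (indented JSON objects inside one streamed array); not a real
# capture, and the field names are only the subset needed here.
SAMPLE = """[{
  "timestamp" : "2021-01-21 10:15:02.123456+0100",
  "messageType" : "Default",
  "processImagePath" : "/kernel",
  "subsystem" : "",
  "category" : "",
  "eventMessage" : "IOKit: matching driver loaded",
  "processID" : 0
},{
  "timestamp" : "2021-01-21 10:15:03.000001+0100",
  "messageType" : "Error",
  "processImagePath" : "/usr/libexec/securityd",
  "subsystem" : "com.apple.securityd",
  "category" : "keychain",
  "eventMessage" : "keychain: access denied {\\"item\\": 1}",
  "processID" : 123
},{
  "timestamp" : "2021-01-21 10:15:04.500000+0100",
  "messageType" : "Fault",
  "processImagePath" : "/kernel",
  "subsystem" : "com.apple.kernel",
  "category" : "",
  "eventMessage" : "sandbox: deny(1) file-read-data /etc/master.passwd",
  "processID" : 0
}]
"""


def split_records(stream_text):
    """Cut the streamed array into one raw chunk per event.

    Mirrors xm_multiline: a chunk starts at a HeaderLine match and runs up
    to (not including) the next one. The closing brace of an event is
    therefore carried on the *next* chunk's header line, and the first
    chunk starts with "[{" rather than "{".
    """
    chunks, current = [], None
    for line in stream_text.splitlines():
        if HEADER.match(line):
            if current is not None:
                chunks.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        chunks.append("\n".join(current))
    return chunks


def fix_record(raw_event):
    """Apply the three $raw_event rewrites from the page's Exec block.

    1. turn the leading "[{" or "},{" into a plain "{"
    2. drop a trailing "}]" (only present when the stream terminates)
    3. append the closing "}" that the header-line split took away
    """
    raw_event = re.sub(r"^\[{|^},{", "{", raw_event, count=1)
    raw_event = re.sub(r"\}]$", "", raw_event)
    return raw_event + "\n}"


def parse_log_stream(stream_text):
    """Return the events of a `log stream --style=json` capture as dicts."""
    return [json.loads(fix_record(chunk)) for chunk in split_records(stream_text)]


def kernel_events(events):
    """Keep only kernel-originated events.

    Assumption: ULS reports kernel messages with processImagePath "/kernel";
    adjust the predicate if your macOS version labels them differently.
    """
    return [e for e in events if e.get("processImagePath") == "/kernel"]


if __name__ == "__main__":
    events = parse_log_stream(SAMPLE)
    for e in kernel_events(events):
        print(e["timestamp"], e["messageType"], e["eventMessage"])
```

    The split is safe against message content because JSON string values cannot contain raw newlines: `log` escapes them as \n, so the only lines that can begin with "[{" or "},{" are the array and object delimiters themselves, and every field line is indented. The trailing "}]" rewrite matters only when the log process exits; in normal streaming the last event is still open and gets its brace from the "\n}" append.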

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 21 January 2021