faking out remote syslog via netcat

Here’s how to create UDP syslog messages via nc, netcat:

echo '<14>sourcehost message text' | nc -v -u -w 0 localhost 514

Replace localhost with the syslog server, of course. "sourcehost" is a string identifying the source; it can be anything. The 14 is a combination of the severity (low 3 bits) and the facility (the remaining high bits). 14 = 8 + 6, which means "user message, informational". RFC 3164 has the relevant detail. The syslog protocol is remarkably ad hoc; you can leave out the priority and it should still work. And there's a provision for adding timestamps to the source message too. Note that syslog may suppress duplicate messages, so that may be why subsequent tests don't show up. Unfortunately the BusyBox version of nc bundled into Tomato doesn't have the -u flag.
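To make the PRI arithmetic and the rest of the RFC 3164 layout concrete, here is an added Python example (not code from the original post, and not anything Apple or BusyBox ships) that builds the same kind of datagram the nc one-liner sends, parses incoming datagrams back into facility/severity/timestamp/hostname, and applies the RFC 3164 rule for messages that arrive without a PRI. The sample messages are constructed for the example; the send helper takes a host you supply and mirrors the nc command rather than replacing it.

```python
"""Build and parse RFC 3164 (BSD) syslog datagrams.

Added example, not from the original post. PRI = facility * 8 + severity,
so <14> is facility 1 (user) and severity 6 (info), matching the nc one-liner.
"""
import re
import socket
from datetime import datetime
from typing import Optional

# Facility codes 0..23 in RFC 3164 order (12-15 are named loosely in the RFC).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
# Severity codes 0..7 (low 3 bits of PRI).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

MAX_DATAGRAM = 1024  # RFC 3164 section 4.1 upper bound on a message


def encode_pri(facility: int, severity: int) -> int:
    """Pack facility (high bits) and severity (low 3 bits) into one PRI value."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0..191")
    return pri >> 3, pri & 7


def build_message(facility: int, severity: int, hostname: str, text: str,
                  when: Optional[datetime] = None) -> bytes:
    """Produce '<PRI>Mmm dd hh:mm:ss HOSTNAME text' as a UTF-8 datagram."""
    when = when or datetime.now()
    # RFC 3164 timestamps space-pad the day ("Jan  5"), not zero-pad it.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    line = f"<{encode_pri(facility, severity)}>{stamp} {hostname} {text}"
    return line.encode("utf-8")[:MAX_DATAGRAM]


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_HDR_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_message(raw: bytes) -> dict:
    """Parse one datagram; tolerate the ad hoc variants the post mentions.

    A missing or malformed PRI is treated as <13> (user.notice), which is what
    RFC 3164 section 4.3.3 tells a relay to prepend. The hostname field is
    self-asserted by the sender; a receiver that wants the real origin must
    keep the peer address from recvfrom() alongside the parsed fields.
    """
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = 13, text
    fac, sev = decode_pri(pri)
    result = {"pri": pri, "facility": FACILITIES[fac], "severity": SEVERITIES[sev],
              "timestamp": None, "hostname": None, "message": body}
    h = _HDR_RE.match(body)
    if h:  # header present: split off timestamp and hostname
        result["timestamp"], result["hostname"], result["message"] = h.groups()
    return result


def send_udp(datagram: bytes, host: str, port: int = 514) -> int:
    """Equivalent of 'nc -u host 514' for one datagram; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


if __name__ == "__main__":
    # Constructed sample: the same message the nc one-liner emits, with a header.
    dgram = build_message(1, 6, "sourcehost", "message text",
                          datetime(2013, 1, 5, 9, 3, 7))
    print(dgram)
    print(parse_message(dgram))
    print(parse_message(b"<14>sourcehost message text"))
    print(parse_message(b"no priority here"))
```

Feeding the nc one-liner's payload (no timestamp) into parse_message yields facility user, severity info, and the whole remainder as the message text, since there is no header to split; feeding it a message with no PRI at all yields user.notice per the RFC's relay rule, which is a useful thing to know when a receiver's filters are keyed on severity.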

I’m doing all this to try to debug Apple’s disastrous syslog server. It has some insane binary config file to enable remote logging, and then they couldn’t leave well enough alone with syslog so they had to rewrite the whole thing with aslmanager, a daemon so awesome that most of the Google search results for it are “why is this process taking 99% of my CPU?”. It is open source at least. Anyway, asl.conf has its own different format. And then it doesn’t fix the #1 problem with syslog, which is there’s no way to log the IP address of the originator of the message. Argh!

This annoyance may be the last straw for me trying to use MacOS as a Unix server. There’s just no good reason to leave the warm embrace of Linux / Ubuntu. A quick look suggests Ubuntu 12.04 will work fine on a late 2012 Mac Mini, albeit with some required hackery for the ethernet driver.