MacOS – How to change configure system.log file in macOS

macmacosSecurity

This is my first time to using a Mac, some macOS settings need to edit due to Security Audit.

We are using macOS 10.9 to 10.12 version in 10 of iMac, we’ve had an problem is how to keep long time record for “system.log”?

Mar 13 09:18:44 BSHK001110.local authorizationhost[8125]: Failed to authenticate user <admin> (error: 9).
Mar 13 09:18:45 BSHK001110.local authorizationhost[8125]: Failed to authenticate user <admin> (error: 9).
Mar 13 09:18:45 BSHK001110.local authorizationhost[8125]: Failed to authenticate user <admin> (error: 9).

In my observation, system.log will rebuild by script if the Macs don't shutdown at night and log file only keep around one day data.

Is there any chance to change specific date (one month) to rebuild system.log file and keep one month data?

Remarks:
I have upgraded macOS 10.13.3 and found that there is no record about "Failed to authenticate". Is there any problem in macOS 10.13?

Best Answer

Your settings for for the syslog are found in /etc/asl.conf.

There's a section that governs how the system log operates.

# Rules for /var/log/system.log
> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M
? [= Sender kernel] file system.log
? [<= Level notice] file system.log
? [= Facility auth] [<= Level info] file system.log
? [= Facility authpriv] [<= Level info] file system.log

Specifically, the log will rotate (by default) when it hits 5M in size, not overnight and the whole set of log files will rotate when it hits 50M cumulatively (10 files in total). If you wan to increase the size, just edit the line as you see fit.

> system.log mode=0640 format=bsd rotate=seq compress file_max=5M all_max=50M

I wouldn't increase the size of the individual files themselves, but rather the collective total.

That said, if you are collecting logs for a number of machines, you should be using a syslog server.

Related Question