Looks to me like it's syslogd
itself causing the problem -- it's been sandboxed away from its data files, so when it tries to access them it generates a sandbox error, which gets handed to syslogd
, which triggers it to try to get at its files again... and this repeats as fast as syslogd
and sandboxd
can go.
Check the contents of /System/Library/LaunchDaemons/com.apple.syslogd.plist
(the launchd item that controls how syslogd is launched). It should have a section like this:
<key>ProgramArguments</key>
<array>
<!--
Un-comment the following lines to run syslogd with a sandbox profile.
Sandbox profiles restrict processes from performing unauthorized
operations; so it may be necessary to update the profile
(/usr/share/sandbox/syslogd.sb) if any changes are made to the syslog
configuration (/etc/syslog.conf).
-->
<!--
<string>/usr/bin/sandbox-exec</string>
<string>-f</string>
<string>/usr/share/sandbox/syslogd.sb</string>
-->
<string>/usr/sbin/syslogd</string>
</array>
Note that in the above example (taken from my Mac), the sandbox wrapper around syslogd is commented out. Is the same true on your Mac? If not, re-add the comment markers, and restart syslogd
(you can do this with launchctl
, but I'd just reboot the machine).
Another note: I took a look in the sandbox profile, /usr/share/sandbox/syslogd.sb
, and it looks (to my inexpert eyes) like it does deny mach-task-name
and access to /private/var/log/asl/StoreData
-- apparently, Apple hasn't debugged (/updated) the profile to match what syslogd
actually needs...
Best Answer
Clear the logs in /private/var/log - especially system.log. That file gets quite large. Then delete data in Macintosh HD/Users/"your user name"/Library/Logs. Delete everything in there. Next, go to Macintosh HD/Library/Logs and delete everything in there, too. It's safe to delete these log files and will not affect system performance.