Asl rotating logs at midnight?

[dono42]

I have a Mini that runs 24/7. Recently upgrated to Big Sur and noticed the syslog and wifi logs are being rotated at midnight, I can see them in /var/log. They are not close to the rotate size limitations asl.conf. Where is this controlled? Second question how do I look at the rotated files in the console app? Apologizes if this is a RTFM, I am new to Big Sur, much refer Mojave.

 

[dono42]

Found answer to second question, find rotated files. Open Console right click on syslog -> Reveal in Finder, this opens /var/tmp, right click on file -> open with -> other, select Console.

 

[dono42]

Another piece to the puzzle. I notice a difference in the aslmanager logs (/var/log/asl/Logs) betweem the Mini that runs 24/7 and other Macs (Big Sur 11.6.8) there is a ASL module, com.apple.asl, that appears to over write the syslog rule in asl.conf and rotates the syslog log at midnight. I tried to "find" the module with no results.

 

[Brian33]

Here are some observations which might or might not help! Note that I'm on Monterey, though...

There seems to be two ways to specify log rotation -- in asl configuration files and in newsyslog configuration files. How they interact is unclear to me so far...

Regarding system.log:

I see the rules for /var/log/system.log in /etc/asl.conf and it looks like system.log should be rotated by size! I know that the files (I think they are called "modules") within /etc/asl override settings in /etc/asl.conf, but I see no files there relating to system.log or wifi.log. Thus the midnight rotation of system.log is still a mystery to me.

Regarding wifi log:

To me it appears that 'newsyslog' is responsible for this log rotation. See 'man newsyslog'. Configuration is in /etc/newsyslog.conf, AND the files in the /etc/newsyslog.d/ directory.

In there I see wifi.conf, which specifies "$D0" for the "when" field. Looking at 'man newsyslog.conf', it says that "$D0" means "rotate every night at midnight (same as @T00)". It also specifies the J flag which indicates it should be compressed.

I think you could modify /etc/newsyslog.d/wifi.conf to specify different log rotation criteria, like using the "size" field. See 'man newsyslog.conf' for the gory details!

Notably, I don't see a .conf file that specifies the system.log file rotation. But I think you could add one and it just might work!

 

[dono42]

Thanks @Brian33, I will add a /etc/newsyslog.d/system.conf file using the size field and we will see what happens. Agree the man pages do not define the behavior. Also no idea what or where com.apple.asl is, it appears in the aslmanager log before syslog get rotated or not? EDIT: system.conf

 

[Brian33]

Also no idea what or where com.apple.asl is, it appears in the aslmanager log before syslog get rotated or not? EDIT: system.conf

Looking at the man page for asl.conf, it says

Module configuration files are read by syslogd when it starts, and whenever it gets a
HUP signal. Messages received by syslogd are first processed according the the rules
found in /etc/asl.conf (also known as the “com.apple.asl” module), then the message
is processed by the rules from each module found in /etc/asl.

 

[dono42]

Great catch @Brian33, complety missed "etc/asl.conf (also known as the “com.apple.asl” module)" should know results tommow. Thanks!

 

[dono42]

Update, creating a system.conf file in /etc/newsyslog.d made no difference.

# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/system.log 640 7 5120 * J

The syslogd(8) man page starts aslmanager "syslogd invokes aslmanager shortly after it starts up, at midnight local time if it is running"

As seen in the aslmanager log file, it rotates the system.log.
Sep 17 00:00:00: ----------------------------------------
Sep 17 00:00:00: Processing module com.apple.asl
Sep 17 00:00:00: Checking file /var/log/system.log
Sep 17 00:00:00: - Rename, move to destination directory, and compress as required
Sep 17 00:00:00: src files
Sep 17 00:00:00: system.log.T1663387200
Sep 17 00:00:00: dst files
Sep 17 00:00:00: system.log.6.gz
Sep 17 00:00:00: system.log.5.gz
Sep 17 00:00:00: system.log.4.gz
Sep 17 00:00:00: system.log.3.gz
Sep 17 00:00:00: system.log.2.gz
Sep 17 00:00:00: system.log.1.gz
Sep 17 00:00:00: system.log.0.gz
Sep 17 00:00:00: rename /var/log/system.log.6.gz ---> /var/log/system.log.7.gz
Sep 17 00:00:00: rename /var/log/system.log.5.gz ---> /var/log/system.log.6.gz
Sep 17 00:00:00: rename /var/log/system.log.4.gz ---> /var/log/system.log.5.gz
Sep 17 00:00:00: rename /var/log/system.log.3.gz ---> /var/log/system.log.4.gz
Sep 17 00:00:00: rename /var/log/system.log.2.gz ---> /var/log/system.log.3.gz
Sep 17 00:00:00: rename /var/log/system.log.1.gz ---> /var/log/system.log.2.gz
Sep 17 00:00:00: rename /var/log/system.log.0.gz ---> /var/log/system.log.1.gz
Sep 17 00:00:00: copy compress /var/log/system.log.T1663387200 ---> /var/log/system.log.0.gz
Sep 17 00:00:00: remove /var/log/system.log.T1663387200
Sep 17 00:00:00: - Check for expired files - TTL = 7 days
Sep 17 00:00:00: dst files
Sep 17 00:00:00: system.log.7.gz (age 7 days)
Sep 17 00:00:00: system.log.6.gz (age 5 days 23:59:59)
Sep 17 00:00:00: system.log.5.gz (age 4 days 23:59:58)
Sep 17 00:00:00: system.log.4.gz (age 3 days 23:59:58)
Sep 17 00:00:00: system.log.3.gz (age 3 days)
Sep 17 00:00:00: system.log.2.gz (age 2 days)
Sep 17 00:00:00: system.log.1.gz (age 1 day)
Sep 17 00:00:00: system.log.0.gz (age 0)
Sep 17 00:00:00: - Check total storage used - MAX = 52428800
Sep 17 00:00:00: dst files
Sep 17 00:00:00: system.log.7.gz size 1212
Sep 17 00:00:00: system.log.6.gz size 1521
Sep 17 00:00:00: system.log.5.gz size 1132
Sep 17 00:00:00: system.log.4.gz size 1217
Sep 17 00:00:00: system.log.3.gz size 42460
Sep 17 00:00:00: system.log.2.gz size 7716
Sep 17 00:00:00: system.log.1.gz size 4787
Sep 17 00:00:00: system.log.0.gz size 4281

Then :30 Minutes later it runs again. This type output is also seen when a system is booted (syslogd started) and this what I expect should be happening at midnight, rotate if file size is exceeded.

----------------------------------------
Sep 17 00:30:04: Processing module com.apple.asl
Sep 17 00:30:04: Checking file /var/log/system.log
Sep 17 00:30:04: - Rename, move to destination directory, and compress as required
Sep 17 00:30:04: ignore src file system.log since it is internal and syslogd will checkpoint it when it needs to be renamed
Sep 17 00:30:04: no src files
Sep 17 00:30:04: - Check for expired files - TTL = 7 days
Sep 17 00:30:04: dst files
Sep 17 00:30:04: system.log.7.gz (age 7 days 00:30:04 - expired)
Sep 17 00:30:04: system.log.6.gz (age 6 days 00:30:03)
Sep 17 00:30:04: system.log.5.gz (age 5 days 00:30:02)
Sep 17 00:30:04: system.log.4.gz (age 4 days 00:30:02)
Sep 17 00:30:04: system.log.3.gz (age 3 days 00:30:04)
Sep 17 00:30:04: system.log.2.gz (age 2 days 00:30:04)
Sep 17 00:30:04: system.log.1.gz (age 1 day 00:30:04)
Sep 17 00:30:04: system.log.0.gz (age 00:30:04)
Sep 17 00:30:04: remove /var/log/system.log.7.gz
Sep 17 00:30:04: - Check total storage used - MAX = 52428800
Sep 17 00:30:04: dst files
Sep 17 00:30:04: system.log.6.gz size 1521
Sep 17 00:30:04: system.log.5.gz size 1132
Sep 17 00:30:04: system.log.4.gz size 1217
Sep 17 00:30:04: system.log.3.gz size 42460
Sep 17 00:30:04: system.log.2.gz size 7716
Sep 17 00:30:04: system.log.1.gz size 4787
Sep 17 00:30:04: system.log.0.gz size 4281

So it appears if syslogd is running at midnight it rotates system.log?