
dono42

I have enabled syslogd plist in Mojave to log entries from my router by adding a NetworkListener dictionary to the Sockets entry. Now on Big Sur I can change a copy of the syslogd plist but cannot update /System/Library/LaunchDaemons with csrutil disabled. Is there a way to do this without me modifying the plist directly? Easy step to update the directory? Thanks
 
It’s too complicated to modify files in /System/Library/LaunchDaemons and the modifications would be reversed at the next macOS update.
You could try to make your own daemon https://launchd.info
 
Thanks @bogdanw for the suggestion. I moved the modified version of syslogd.plist to my ~Library/LaunchDaemons, changed the owner to root:wheel, and did a launchctl unload of the /System/Library/LaunchDaemons/com.apple.syslogd.plist and a load of my version. Now syslogd is listening on :514 again. Now I need to automate this for restarts.
 
I was thinking of leaving the system one alone, and running a different instance under your user name, with a different log just for what you want.
That was the approach I took on my Mac Mini running High Sierra -- I installed 'rsyslog' with "Brew" and it's been running great for years now. I did go to the effort of creating a specific hidden account for the rsyslog daemon to run as.
 
Would you mind explaining what you did in order to create those accounts? It would be very helpful to me.

macOS has been evolving so much over the years, when it comes to what commands are and are not available on the command line. Those changes are poorly documented. It typically is left to users to find out through trial and error.
 
(EDIT: I'm a bit embarrassed! AFTER writing all this up I found out that even though I did create a separate daemon user account in this way, I've been running rsyslog as root this whole time. :rolleyes: The reason is that when I ran it as _rsyslogd, it didn't have permissions to write to /var/log (where I wanted the log file to go) nor to /var/run (where the default pid-file is written) nor could it bind to the default port 514, and thus rsyslog would fail. So I must have given up on running it as _rsyslogd. I've successfully run other services as special daemon accounts and I guess I got them mixed up in my memory.

I'll post this write-up anyway, since it still works as a way to create a daemon account and it has worked for two other services I've configured. Maybe the 'dscl' commands will still be helpful to someone.)


My notes are incomplete, but I think this covers everything...

Decide upon a daemon account name. I tried to make the rsyslog daemon account look like the various daemon accounts Apple creates by default; most of them seem to begin with an underscore. I decided on '_rsyslogd'.

Find a free User ID number (UID) and a free Group ID number (GID). Apple's seem to range from double-digits up to the high 200's. Normal user accounts use UIDs in the 500's. There didn't seem to be any existing usage of the 300's so I chose UID=300 for my _rsyslogd account, and GID=300. (I don't know if you need a new separate Group for _rsyslogd, but I noticed that Apple had set up its various daemons with their own corresponding Groups, so I copied that convention.)

You can see what account names and UIDs are in use with dscl . readall /Users UniqueID
You can see what group names and GIDs are in use with dscl . readall /Groups PrimaryGroupID

-------------------------------------
First I created the group:
Code:
sudo dscl . -create /Groups/_rsyslogd
sudo dscl . -create /Groups/_rsyslogd PrimaryGroupID 300

You can see what the group entry looks like with: dscl . read /Groups/_rsyslogd
Mine looks like:
Code:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 26DCF65A-76A3-4D58-9B6F-28B39435E0D4
Password: *
PrimaryGroupID: 300
RealName: rsyslog Daemon
RecordName: _rsyslogd
RecordType: dsRecTypeStandard:Groups

I don't remember how I got the RealName in there... probably something like sudo dscl . -create /Groups/_rsyslogd RealName "rsyslog Daemon"

--------------------------------------
Now, create a standard User account with no login ability and no home directory:

Code:
sudo dscl . -create /Users/_rsyslogd UniqueID 300
sudo dscl . -create /Users/_rsyslogd PrimaryGroupID 300
sudo dscl . -create /Users/_rsyslogd UserShell /usr/bin/false

You can see what your entry looks like with: dscl . -read /Users/_rsyslogd
Mine looks like this:
Code:
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 9BA2AE22-ADAB-4E0C-9488-D19F5C7D3BFA
NFSHomeDirectory: /var/empty
Password: *
PrimaryGroupID: 300
RealName: _rsyslogd
RecordName: _rsyslogd
RecordType: dsRecTypeStandard:Users
UniqueID: 300
UserShell: /usr/bin/false

I think I compared that against other "standard" daemon accounts and it seemed right. Now in your /Library/LaunchDaemons/rsyslog.plist file you can put this key/value in order to run rsyslog as user _rsyslogd:
<key>UserName</key> <string>_rsyslogd</string>
 
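Added example, not part of the original post: a script form of the steps above that picks the lowest ID in the 300s unused as both a UID and a GID, then creates the group and user. The function names and the sample listing are constructed for illustration; the Password, NFSHomeDirectory and RealName commands are assumptions that reproduce the attributes shown in the post's `dscl . -read` output.

```shell
#!/bin/sh
# Added example: choose an unused ID, then create the daemon group and user.

# Constructed sample of `dscl . -list /Users UniqueID` output (not real data).
SAMPLE_LISTING='_www                     70
_windowserver            88
_custom                  300
_other                   301
nobody                   -2
alice                    501'

# used_ids: read "name  id" lines on stdin, print just the numeric IDs.
used_ids() {
    awk 'NF >= 2 && $NF ~ /^-?[0-9]+$/ { print $NF }'
}

# first_free_id LO HI: read IDs in use on stdin, print the lowest free ID in
# LO..HI; exit non-zero (printing nothing) if every ID in the range is taken.
first_free_id() {
    awk -v lo="$1" -v hi="$2" '
        { used[$1] = 1 }
        END {
            for (i = lo; i <= hi; i++) if (!(i in used)) { print i; exit 0 }
            exit 1
        }'
}

# pick_daemon_id: lowest ID in 300..399 unused as a UID and a GID (macOS only).
pick_daemon_id() {
    { dscl . -list /Users UniqueID && dscl . -list /Groups PrimaryGroupID; } |
        used_ids | first_free_id 300 399
}

# create_daemon_account NAME ID: run as root on macOS. The Password,
# NFSHomeDirectory and RealName lines are assumptions that reproduce the
# attributes visible in the post's `dscl . -read` output.
create_daemon_account() {
    g="/Groups/$1" u="/Users/$1"
    dscl . -create "$g" PrimaryGroupID "$2" &&
    dscl . -create "$g" Password '*' &&
    dscl . -create "$u" UniqueID "$2" &&
    dscl . -create "$u" PrimaryGroupID "$2" &&
    dscl . -create "$u" UserShell /usr/bin/false &&
    dscl . -create "$u" NFSHomeDirectory /var/empty &&
    dscl . -create "$u" RealName "$1" &&
    dscl . -create "$u" Password '*'
}

# Demonstration on the constructed listing (IDs 300 and 301 are taken).
printf '%s\n' "$SAMPLE_LISTING" | used_ids | first_free_id 300 399
```

On macOS, as root, the two steps combine as `id=$(pick_daemon_id) && create_daemon_account _rsyslogd "$id"`. The account created this way still cannot write to /var/log or /var/run or bind port 514, which is the failure the post's EDIT note describes.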