Filtering events with OSX ASL

Question

In a nutshell, I want all of my firewall logs to go to their own file.

I started by replacing:

? [= Sender kernel] file /var/log/system.log mode=0600 gid=80 format=bsd

with:

? [= Sender kernel] [< Level 7] file /var/log/system.log mode=0600 gid=80 format=bsd
? [= Sender kernel] [= Level 7] file /var/log/ipfw.log

But more than just ipfw is logged with facility 7, so I tried:

? [= Sender kernel] [S= Message ipfw] file /var/log/ipfw.log

That worked, but the messages are still sent to system.log as well. And adding:

? [= Sender kernel] [S= Message ip6fw] file /var/log/ipfw.log

didn't work at all.

How can I get all logs from ipfw / ip6fw, and nothing else, sent to ipfw.log, and everything else remain in system.log?

score 0 · Answer 1 · answered Sep 19 '13 at 18:49

This is for Mountain Lion only.

In /etc/asl.conf, above:

? [= Sender kernel] file /var/log/system.log mode=0600 gid=80 format=bsd

Prepend:

? [= Sender kernel] [A= Message ip] file /var/log/ipfw.log
? [= Sender kernel] [A= Message ip] ignore

NOTE: you could specify Message values of 'ipfw' and 'ip6fw' to get them broken out separately if you like.

HUP syslogd and that's that!

1 Answers1