Just for the hell of it, here's how to use OS X Lion (possibly earlier versions) as a syslog server for RouterOS.
First, prep the built in syslog daemon to add a listener on the network - by default it only listens on sockets. Full article is
here.
sudo cp /System/Library/LaunchDaemons/com.apple.syslogd.plist /tmp/com.apple.syslogd.plist
sudo plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo vim /System/Library/LaunchDaemons/com.apple.syslogd.plist
Add this to the "Sockets" section:
<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>
OS X can use normal log files like any BSD, but it also comes with a built in data store for log messages. More info can be found at
here. Data stores are fast, log rotation comes built in, and they are indexed and quickly searchable. I like my network syslog files routed to a different data store. Data store routing is configured in /etc/asl.log. Filtering can be done on a number of fields, the simplest one is "Host", which will be the router name taken from "/system identity". The "Sender" field is taken from the prefix configured under "/system logging" for the topic. I store my network syslog messages in /var/log/network in data stores named by date in /var/log/network. The directory has to exist, the below creates it with read access for everyone on a directory level (everyone can list files):
sudo mkdir /var/log/network
sudo chown root:staff /var/log/network
sudo chmod 0755 /var/log/network
The below routes all messages from hosts that start with "rb" in their host name in the directory created above. The UID for the files will the root, the GID will be 20, which matches the 'staff' group that all users are by default a member of. This will let anyone search network log files, adjust the UID and GID as required if you need tighter security.
The below line is added to /etc/asl.conf to achieve this.
? [A= Host rb] store_directory /var/log/network uid=0 gid=20 mode=0644
And finally restart the syslog daemon to have all the changes take effect.
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plistp
Then configure the routers to log to the IP address of the OS X machine, below an example. Note that in 5.x the src-address must be set, this is best set to a loopback address (loopbacks are emulated by creating an empty bridge without any ports assigned to it, and configuring an IP address on that bridge interface)
/system logging action
set remote bsd-syslog=yes name=remote remote=1.1.1.1 remote-port=514 src-address=2.2.2.2 syslog-facility=local7 syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix=rb433 topics=system,info
add action=remote disabled=no prefix=rb433 topics=warning
add action=remote disabled=no prefix=rb433 topics=critical
add action=remote disabled=no prefix=rb433 topics=error,!ospf,!route
On the OS X server you can then display all log messages via the syslog command, see the man page for syslog for details.
