1
1
When I log messages to syslog in OS X (10.10.1), it truncates the timestamp to the second. If I log to a file, for example, I am able to capture milliseconds. Milliseconds matter when logs are coming fast and furiously. Any idea if there’s a way to set millisecond precision in the OS X implementation of syslogd?
Justin Makeig
Posted 2015-01-30T00:21:15.587
Reputation: 161
0
OS X's syslogd stores log events in the "Apple System Log" (asl) database/store with microsecond precision by default, with provisions for nanosecond precision.
However, when that data gets copied out into traditional flat log files like /var/log/system.log, the traditional to-the-second timestamp format are used, because that's what those flat log files have always used.
You can use the syslog command-line tool to query the asl database, and you can specify the format of the output with various command-line options including -F. For example, to dump everything from the asl database in standard log file format, but with microsecond precision, do this:
syslog -F std.6
Note that if you have a process logging so many messages to syslog so fast that sub-second timestamps matter, you might want to also look at the asl.conf(5) man page to make sure your mps_limit and dup_delay parameters are set in such a way that all your log messages actually get stored in the database, as opposed to being throttled or thrown out.
Spiff
Posted 2015-01-30T00:21:15.587
Reputation: 84 656
Thanks for the thorough response. I'm building a syslog server that listens for syslog messages over UDP. It doesn't sound like there's a way to change the timestamp precision of the messages flowing through syslogd on an OS X client (i.e. upstream pushing messages to my server). asl looks like it has more config options, but I don't really understand the relationship between syslog and asl and I don't see anything about time precision in asl either. – Justin Makeig – 2015-01-30T21:44:16.937
@JustinMakeig The traditional syslog network protocol (by which hosts can send syslog messages via UDP to a central syslog server), which was created decades ago in one of the earliest BSD Unixes, has a timestamp field that only has to-the-second precision. This protocol was eventually documented in Informational RFC 3164. This is the syslog protocol OS X supports. There was an effort in the IETF in 2009 to create a modernized version of the syslog protocol (including more timestamp precision) and standardize it (RFC 5424), but I don't believe OS X's syslog supports the modern version. – Spiff – 2015-01-30T22:19:05.987
Yes, and RFC 3164 specifies "Mmm dd hh:mm:ss". Looks like I'm out of luck. Thanks so much for your help. – Justin Makeig – 2015-01-30T22:30:48.563
Did you read the
syslog(1)man page? It gives examples of how to do this. – Spiff – 2015-01-30T09:17:35.927Yes, and
syslogd. I don't see anything there on precision of timestamps. Is there a specific section you could point me to? Thanks. – Justin Makeig – 2015-01-30T17:37:31.553Sorry, I was on mobile last night and just wanted to quickly set you down the right path. Fuller answer below. – Spiff – 2015-01-30T20:27:50.443