Just how does aslmanager work exactly?
Asked by ridogi
Posted Nov 05 2009 08:30 PM
I've picked up a bunch of O'Reilly books on shell scripting recently and they have really brought my shell scripting to a whole new level. I have run into a wall writing one of my scripts and hopefully someone here can help. I've posted this to a few other places (Apple Discussions and ServerFault) to a resounding chorus of crickets.
I am trying to use syslog to read old log files but I can only read the current day and the 2 previous days.
I am accessing the logs with syslog | grep backupd and the entries only go back 2 days. If I use syslog | grep kernel for example the entries do go back much further than 2 days. I realize that the backupd entries are notice level so they are being discarded (or archived?) once the TTL is up, while the kernel entries are being archived. I would like to find a way to either read all entries for 7 days instead of 2, or even better to specify that all entries from a specific process or notification level are kept for 7 days. I have also tried syslog -d "store" | grep backupd which gives the same result.
I have tried to change the time-to-live value for storage of logs in /var/log/asl/ with the command aslmanager -ttl 7 which I assumed would change the TTL to 7 days for all entries, but /var/log/asl/ continues to only contain entries for the current day plus the 2 previous days. This is what is in my /var/log/asl/ directory:
I also have a file at /var/log/asl.db
I have also tried to approach this problem by using syslog to read directly from the archive file, but I don't have an archive file on my system. The man page for aslmanager claims the archive directory is /var/log/asl.archive but that does not exist on my machine (10.5.8 PPC). The command syslog -d "archive" | grep backupd confirms this with the error: /var/log/asl.archive: No such file or directory, although syslog | grep kernel seems to be reading the archive without me even specifying it. I can even use syslog | grep kernel | head -n 1 and I get an entry from Jan 2 of this year.
Any insight on how to accomplish this with either syslog, aslmanager or something else would be helpful. Info on what the LongTTL.U0.asl, LongTTL.asl, and StoreData files are would also be welcome.
I realize that bzgrep will do this, but I would like to use syslog as I am pulling the epoch time from the logs.
Comment by bjepson : Nov 11 2009 07:12 PM
@ridogi, have you tried adding the -ttl 7 argument to the ProgramArguments in /System/Library/LaunchDaemons/com.apple.aslmanager.plist then doing:
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.aslmanager.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.aslmanager.plist
That may be necessary to make sure that the change applies to the aslmanager started by launchd and remains persistent.
Comment by ridogi : Nov 13 2009 11:22 AM
Thanks for the suggestion. I've just tried running the command again without any effect to that file. I also tried the command after unloading the file with launchctl—still without effect. My com.apple.aslmanager.plist file doesn't even have an entry for ttl at the default, only the size of the database. I've attached a screenshot of the file.
I've edited the file manually like this and I'll see how it goes in 2 days once the default ttl is up.
Comment by bjepson : Nov 13 2009 11:27 AM
I didn't have any arguments in my /System/Library/LaunchDaemons/com.apple.aslmanager.plist, just the program name itself (but I'm not on server). I added the ttl to mine and did launchctl unload/load a few days ago. I do see I've got an older entry from backupd (but only one, which is the same one I had when I checked earlier) dated Tue Nov 10.
Comment by ridogi : Nov 13 2009 11:44 AM
I'm on client OS also. The image I attached to my last post was my unmodified plist file. Strange that you can see only one entry for the 10th. It would make sense if you saw none or a bunch assuming your computer was on for at least a few hours on that day.
I'm curious which backupd entry you can see for the 10th, and wonder if it is something with a higher priority than most backupd entries, which are <Notice> level. Perhaps <Debug>, <Error>, or <Warning> level priority, maybe due to shutting a laptop during a Time Capsule backup for example.
Also, FYI, the way the TTL works is how many days past the current day as it rolls over at midnight, so the default 2 day TTL works out to all of the current day plus the previous 2 calendar days.
I suspect that if I modified the file correctly extra days will just be retained in the /var/log/asl/ directory.
Comment by bjepson : Nov 13 2009 11:59 AM
You know that is kind of weird that I only see one entry now that you mention it. And it's not from backupd, but from pkgutil (probably the 10.6.2 update).
Oh, wait. I'm on a Mac that doesn't have Time Machine enabled. I bet that's it. That will change shortly, when my external FireWire enclosure arrives this afternoon.
Comment by ridogi : Nov 13 2009 12:55 PM
Okay thanks for the help. I'll report back in a few days with my findings.
Also, I'm on 10.5.8 still as I have a G5, but I haven't found anything to indicate that aslmanager works differently in 10.6.
Comment by ridogi : Nov 17 2009 08:26 AM
Very strange: editing the com.apple.aslmanager.plist as I mentioned above did successfully cause asl to retain the logs, but today I am back to the default two days of ttl. The com.apple.aslmanager.plist still has my edits in it, and my suspicion is that it somehow reverted to the default behavior because I rebooted the computer last night.
Comment by bjepson : Nov 17 2009 08:43 AM
That is strange. I wasn't able to verify my multi-day test because the Mac I was testing it on died on me and is in the shop.
Comment by ridogi : Nov 17 2009 09:23 AM
I'll wait until the logs accumulate again and test my reboot theory.
Comment by ridogi : Nov 21 2009 08:39 PM
Well, I have confirmed that rebooting the machine is what causes the logs to be discarded to observe the default 2 day setting regardless of what is in my com.apple.aslmanager.plist file. I'm still tinkering with it to find out why and how to make it stop doing that...
I hope your computer was safely repaired without any loss of data.
Answered by ridogi
Posted Nov 30 2009 12:53 PM
I figured out why aslmanager is clearing my logs early: I backed up the default aslmanager.plist in the LaunchDaemons directory, and while I thought I disabled that original file, I did not. So effectively I had two files active, one with a 2 day ttl and one with a 7 day ttl and at reboot both files were run.
Although using aslmanager on the command line has no effect, editing /System/Library/LaunchDaemons/com.apple.aslmanager.plist with the -ttl line and the variable below it is the solution:
I also got some help here:
Thanks again bjepson.
Comment by bjepson : Nov 30 2009 01:20 PM
ridogi, glad I could help out, and thanks for sharing the answer. Congratulations on tracking that problem down; those sorts of things are so hard to debug.
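The cause found in the answer above, two aslmanager job files active in the LaunchDaemons directory with different TTLs, can be checked for directly. This shell sketch is an added example, not part of the original thread; it assumes XML plists with one <string> element per line, and the sample file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes XML plists with one <string>
# element per line; file names and contents below are constructed samples.

# Print "<file> ttl=<value>" for each file in $1 that references aslmanager.
aslmanager_jobs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '<string>[^<]*aslmanager</string>' "$f" || continue
        # The TTL is the <string> on the line after <string>-ttl</string>.
        ttl=$(awk '
            want { if (match($0, /<string>[^<]*<\/string>/)) {
                       print substr($0, RSTART + 8, RLENGTH - 17) }
                   exit }
            /<string>-ttl<\/string>/ { want = 1 }' "$f")
        printf '%s ttl=%s\n' "${f##*/}" "${ttl:-default}"
    done
}

# Return 1 (listing the files on stderr) when several jobs start aslmanager.
check_single_aslmanager_job() {
    found=$(aslmanager_jobs "$1")
    count=$(printf '%s\n' "$found" | awk '/ttl=/ { n++ } END { print n + 0 }')
    [ "$count" -le 1 ] && return 0
    echo "$count files in $1 start aslmanager:" >&2
    printf '%s\n' "$found" >&2
    return 1
}

# Constructed sample: write job file $2 into directory $1, with "-ttl $3"
# in ProgramArguments when a third argument is given.
write_sample_job() {
    {
        echo '<plist version="1.0"><dict>'
        echo '<key>ProgramArguments</key><array>'
        echo '<string>/usr/sbin/aslmanager</string>'
        if [ -n "${3:-}" ]; then
            printf '<string>-ttl</string>\n<string>%s</string>\n' "$3"
        fi
        echo '</array></dict></plist>'
    } > "$1/$2"
}

# Demo: the edited plist next to a leftover copy with no -ttl argument.
demo=$(mktemp -d)
write_sample_job "$demo" com.apple.aslmanager.plist 7
write_sample_job "$demo" com.apple.aslmanager.plist.orig
check_single_aslmanager_job "$demo" || echo "conflicting retention settings"
rm -rf "$demo"
```

On a real system the check would be pointed at /System/Library/LaunchDaemons; a file reported with ttl=default is one whose ProgramArguments carry no -ttl entry.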