As part of some recent testing, I needed to install rsyslog and the instructions I had referenced using Homebrew to do it. I used the following procedure to do it:
1. Set up a new VM running macOS 10.15.3 in VMware Fusion.
2. Inside the VM, open Terminal and install Homebrew by running the following command:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
3. Once Homebrew was installed, install rsyslog by running the following command:
brew install rsyslog
4. Copy a pre-configured rsyslog.conf file to /usr/local/etc/rsyslog.conf.
5. Set the following permissions on /usr/local/etc/rsyslog.conf:
File permissions
Owner: root - read, write
Group: wheel - read
Everyone: read
6. Start rsyslog by running the following command with root privileges:
brew services start rsyslog
When I checked on rsyslog though, it wasn’t running or accepting logs from remote Macs like it should be. What had happened?
When I checked the system log, I saw a number of entries which looked like this:
The rsyslogd process was starting and crashing almost immediately. To stop rsyslog from attempting to launch again, I ran the following commands with root privileges:
brew services stop rsyslog
After that, I started investigating to figure out what had gone wrong. Since the problem happened almost immediately after launch, I suspected a problem with how rsyslog was being launched. The launchd item which starts rsyslog is /usr/local/Cellar/rsyslog/8.2001.0/homebrew.mxcl.rsyslog.plist and it looks like this:
From there, I was able to see the command that was being used to start rsyslog:
/usr/local/opt/rsyslog/sbin/rsyslogd -n -f /usr/local/etc/rsyslog.conf -i /usr/local/var/run/rsyslogd.pid
Next, I tried to run this command manually with root privileges:
/usr/local/opt/rsyslog/sbin/rsyslogd -n -f /usr/local/etc/rsyslog.conf -i /usr/local/var/run/rsyslogd.pid
When I did so, I got the following output:
When I checked on /usr/local/var/run, I discovered that the /usr/local/var/run directory didn’t exist. Since it didn’t exist, rsyslogd couldn’t write the following file to it:
/usr/local/var/run/rsyslogd.pid
To fix this, I ran the following command to create the directory:
mkdir -p /usr/local/var/run
Once the /usr/local/var/run directory existed, I ran the following command with root privileges:
brew services start rsyslog
This time, rsyslog started without a problem and I was able to continue with my testing.
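
A preflight check for the failure described above, as an added example that is not part of the original post or of Homebrew or rsyslog. The function name check_rsyslogd_args is hypothetical; it only looks at the -f and -i arguments from the launch command shown earlier and confirms the config file is readable and the PID file's directory exists before the service is started.

```shell
#!/bin/sh
# Added example: preflight check for an rsyslogd launch command.
# check_rsyslogd_args is a hypothetical helper, not an rsyslog or brew command.
#
# Usage: check_rsyslogd_args <arguments passed to rsyslogd>
# Returns 0 if the -f config file is readable and the directory holding the
#           -i PID file exists and is writable
#         1 if any of those checks fail (the reason is printed to stderr)
#         2 if -f or -i is given without a value
check_rsyslogd_args() {
    conf=""
    pidfile=""
    rc=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -f) [ "$#" -ge 2 ] || return 2; conf=$2; shift ;;
            -i) [ "$#" -ge 2 ] || return 2; pidfile=$2; shift ;;
        esac
        shift
    done

    if [ -n "$conf" ] && [ ! -r "$conf" ]; then
        echo "config file not readable: $conf" >&2
        rc=1
    fi

    if [ -n "$pidfile" ]; then
        piddir=$(dirname "$pidfile")
        if [ ! -d "$piddir" ]; then
            # The case from this post: rsyslogd exits because it cannot
            # write its PID file into a directory that does not exist.
            echo "PID directory missing: $piddir (create it with mkdir -p)" >&2
            rc=1
        elif [ ! -w "$piddir" ]; then
            echo "PID directory not writable: $piddir" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Example call with the arguments from the launchd item:
#   check_rsyslogd_args -n -f /usr/local/etc/rsyslog.conf \
#       -i /usr/local/var/run/rsyslogd.pid && brew services start rsyslog
```

Run it with the same privileges the service will have, since the writability test reflects the calling user.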