Home > Mac administration, macOS, Unix > Fixing Homebrew’s rsyslog on macOS Catalina

Fixing Homebrew’s rsyslog on macOS Catalina

As part of some recent testing, I needed to install rsyslog and the instructions I had referenced using Homebrew to do it. I used the following procedure to do it:

1. Set up a new VM running macOS 10.15.3 in VMware Fusion.

2. Inside the VM, open Terminal and install Homebrew by running the following command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

3. Once Homebrew was installed, install rsyslog by running the following command:

brew install rsyslog

4. Copy a pre-configured rsyslog.conf file to /usr/local/etc/rsyslog.conf.

5. Set the following permissions on /usr/local/etc/rsyslog.conf:

File permissions

Owner: root - read, write
Group: wheel - read
Everyone: read

6. Start rsyslog by running the following command with root privileges:

brew services start rsyslog

When I checked on rsyslog though, it wasn’t running or accepting logs from remote Macs like it should be. What had happened?


Update – 3-5-2020: The problem described by this post has now been fixed:


 

For more details, please see below the jump.

When I checked the system log, I saw a number of entries which looked like this:

Feb 26 09:09:30 computername com.apple.xpc.launchd[1] (homebrew.mxcl.rsyslog[1525]): Service exited with abnormal code: 1
Feb 26 09:09:30 computername com.apple.xpc.launchd[1] (homebrew.mxcl.rsyslog): Service only ran for 5 seconds. Pushing respawn out by 5 seconds.
Feb 26 09:09:40 computername com.apple.xpc.launchd[1] (homebrew.mxcl.rsyslog[1528]): Service exited with abnormal code: 1
Feb 26 09:09:40 computername com.apple.xpc.launchd[1] (homebrew.mxcl.rsyslog): Service only ran for 5 seconds. Pushing respawn out by 5 seconds.

view raw
gistfile1.txt
hosted with ❤ by GitHub

Screen Shot 2020 02 26 at 9 19 30 AM

The rsyslogd process was starting and crashing almost immediately. To stop rsyslog from attempting to launch again, I ran the following commands with root privileges:

brew services stop rsyslog

After that, I started investigating to figure out what had gone wrong.. Since the problem happened almost immediately after launch, I suspected a problem with how rsyslog was being launched. The LaunchD item which starts rsyslog is /usr/local/Cellar/rsyslog/8.2001.0/homebrew.mxcl.rsyslog.plist and it looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.rsyslog</string>
<key>KeepAlive</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/rsyslog/sbin/rsyslogd</string>
<string>-n</string>
<string>-f</string>
<string>/usr/local/etc/rsyslog.conf</string>
<string>-i</string>
<string>/usr/local/var/run/rsyslogd.pid</string>
</array>
<key>StandardErrorPath</key>
<string>/usr/local/var/log/rsyslogd.log</string>
<key>StandardOutPath</key>
<string>/usr/local/var/log/rsyslogd.log</string>
</dict>
</plist>

view raw
gistfile1.txt
hosted with ❤ by GitHub

From there, I was able to see the command that was being used to start rsyslog:

/usr/local/opt/rsyslog/sbin/rsyslogd -n -f /usr/local/etc/rsyslog.conf -i /usr/local/var/run/rsyslogd.pid

Next, I tried to run this command manually with root privileges:

/usr/local/opt/rsyslog/sbin/rsyslogd -n -f /usr/local/etc/rsyslog.conf -i /usr/local/var/run/rsyslogd.pid

When I did so, I got the following output:

username@computername ~ % sudo /usr/local/opt/rsyslog/sbin/rsyslogd -n -f /usr/local/etc/rsyslog.conf -i /usr/local/var/run/rsyslogd.pid
Password:
rsyslogd: error writing pid file (creation stage)
: No such file or directory
rsyslogd: run failed with error -3000 (see rsyslog.h or try https://www.rsyslog.com/e/3000 to learn what that number means)
username@computername ~ %

view raw
gistfile1.txt
hosted with ❤ by GitHub

Screen Shot 2020 02 26 at 9 17 05 AM

When I checked on /usr/local/var/run, I discovered that the /usr/local/var/run directory didn’t exist. Since it didn’t exist, rsyslogd couldn’t write the following file to it:

/usr/local/var/run/rsyslogd.pid

To fix this, I ran the following command to create the directory:

mkdir -p /usr/local/var/run

Once the /usr/local/var/run directory existed, I ran the following command with root privileges:

brew services start rsyslog

This time, rsyslog started without a problem and I was able to continue with my testing.

Categories: Mac administration, macOS, Unix
  1. August 28, 2020 at 11:06 pm

    Thanks for this context. Knowing where to look for the plist file really helps.

    Note that same .plist file also lists where rsyslogd is logging its stdout and stderr. So user can just look there rather than to run it themselves.

    For others, I had similar symptom, but with a different cause. My homebrew is installed in a different place so rsyslog was looking for the rsyslog.conf relative to that ($HOMEBREW_PREFIX/etc/rsyslog.conf).

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: