darwin-oslog() source options
The `darwin-oslog()` source is based on the native OSLog Framework to read logs from the local store of the unified logging system on Darwin OSes. The syslog-ng OSE `system()` source automatically uses this new source on Darwin platforms if the `darwinosl` plugin is available. This plugin is available only on macOS 10.15 Catalina and later versions. The 10.15 version is the first to support the OSLog API.
NOTE: The persistent OSLog store keeps about 7 days of logs on the disk.
The darwin-oslog() source has the following options.
filter-predicate()
| Type: | string |
| Default: | (eventType == 'logEvent' || eventType == 'lossEvent' || eventType == 'stateEvent' || eventType == 'userActionEvent') && (logType != 'debug') |
Description: String for native macOS log message filtering using predicates. For example, the following predicate selects AirDrop logs: `subsystem=="com.apple.sharing" and category=="AirDrop"`
do-not-use-bookmark()
| Type: | boolean |
| Default: | no |
Description: By default, syslog-ng OSE continues to read the logs from the last remembered position after a restart. If this option is set to yes, it always starts reading from the end or beginning of the available log list (depending on the settings of the go-reverse() and read-old-records() options).
go-reverse()
| Type: | boolean |
| Default: | no |
Description: If set to yes, the logs are processed in reverse order (latest to oldest).
log-fetch-delay()
| Type: | integer |
| Default: | 10000 |
Description: Sets the time syslog-ng OSE waits between reading and sending log messages. The unit of this parameter is a fraction of a second, where wait_time = 1 second / <defined value>. For example, setting it to 1 results in approximately one log being read/sent per second, while 1000000 means a delay of only 1 microsecond between read/write attempts. The maximum value of this parameter is 1000000.
NOTE: Increasing the value of this parameter (which reduces the delay time) can improve log feed performance, but it may also increase system load.
NOTE: The deprecated fetch-delay() option is an alias for the log-fetch-delay() option, retained for compatibility with earlier syslog-ng OSE versions, but it may be removed at any time without further notice!
log-fetch-retry-delay()
| Type: | integer |
| Default: | 1 |
Description: Controls how many seconds syslog-ng OSE remains idle before checking for new logs, in case no new logs were read during the previous check.
NOTE: The deprecated fetch-retry-delay() option is an alias for the log-fetch-retry-delay() option, retained for compatibility with earlier syslog-ng OSE versions, but it may be removed at any time without further notice!
log-fetch-limit()
| Type: | number |
| Default: | 100 |
Description: The maximum number of messages fetched from a source during a single poll loop. If log-fetch-limit() is too high, the destination queues might fill up before flow control can stop reading.
max-bookmark-distance()
| Type: | integer |
| Default: | 0 (unlimited) [seconds] |
Description: The maximum distance in seconds that a bookmark can point backward. That is, if syslog-ng OSE is stopped for 10 minutes (600 seconds) and max-bookmark-distance() is set to 60, then syslog-ng OSE starts reading the logs from 60 seconds before the startup, missing 9 minutes (540 seconds) worth of logs.
read-old-records()
| Type: | boolean |
| Default: | no |
Description: If set to yes, syslog-ng OSE starts reading logs from the oldest available entry when the system starts, or if no bookmarks are present.
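The options above combined into one source definition, as an added example that is not taken from the syslog-ng documentation. It targets gap-free collection of the AirDrop logs across restarts; the names `s_macos_oslog` and `d_airdrop_file`, and the output path, are assumptions. Add it to an existing syslog-ng.conf.

```conf
# Added example; object names and the file path are assumptions.
source s_macos_oslog {
    darwin-oslog(
        # The AirDrop predicate from filter-predicate(), written with single
        # quotes inside the double-quoted string (as the default predicate does).
        filter-predicate("subsystem == 'com.apple.sharing' and category == 'AirDrop'")

        # Resume from the remembered position after a restart (default).
        do-not-use-bookmark(no)

        # 0 = unlimited: never skip forward past the bookmark. A non-zero
        # value drops everything older than that many seconds at startup.
        max-bookmark-distance(0)

        # With no bookmark yet (first start), begin at the oldest entry
        # instead of the end of the store, so existing history is collected.
        read-old-records(yes)

        # Oldest-to-latest order (default), so the output file stays chronological.
        go-reverse(no)

        # Defaults, written out: at most 100 messages per poll loop,
        # 1/10000 second between reads, 1 second idle when nothing was read.
        log-fetch-limit(100)
        log-fetch-delay(10000)
        log-fetch-retry-delay(1)
    );
};

destination d_airdrop_file {
    file("/var/log/macos-airdrop.log");
};

log {
    source(s_macos_oslog);
    destination(d_airdrop_file);
    # Let flow control stop the source when the destination queue fills;
    # keep log-fetch-limit() modest so it can act in time.
    flags(flow-control);
};
```

Because the persistent OSLog store keeps only about 7 days of logs, neither the bookmark nor read-old-records(yes) can recover entries from an outage longer than that.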