im_maculs does not get logs seen with "log stream"
Hi,
We've configured im_maculs and have noticed that it does not handle the expected ULS logs (which are seen with the log stream command).
We then configured the im_exec module to run log stream and compared the configurations head-to-head: the input with im_exec receives the expected logs, while im_maculs does not.
Here is the configuration:
<Input m_uls>
    Module  im_maculs
    <Exec>
        # Filter
        if ($subsystem == 'com.apple.launchservices' and $category == 'open')
        {
            $Hostname = hostname();
        } else
        {
            drop();
        }
        to_json();
    </Exec>
</Input>
<Input m_logstream>
    Module  im_exec
    Command /usr/bin/log
    Arg     stream
    Arg     --style=ndjson
    Arg     --type=log
    <Exec>
        if $raw_event =~ /^{/
        {
            # Parse the ndjson line into fields so the filter below can test them (requires xm_json)
            parse_json();
            # Filter
            if ($subsystem == 'com.apple.launchservices' and $category == 'open')
            {
                $Hostname = hostname();
            } else
            {
                drop();
            }
            to_json();
        } else
        {
            # Fix ERROR [im_exec|m_logstream] failed to parse json string, lexical error: invalid char in json text.; Filtering the log data using "t; (right here) ------^; [Filtering the log data using "type == 1024"]
            # Since first log stream output line is not a json log entry, but informational message
            drop();
        }
    </Exec>
</Input>
The m_logstream Input produces a log message every time a graphical application is opened in macOS, while m_uls does not.
Hi,
This looks like a couple of issues we are working on fixing in an upcoming release. I recommend opening a ticket with support so you get early access to a development build of the fix and a notification when the release is out.
If you don't have support, keep an eye on the announcements on the website.
Gabor