ASL Syslog Rotation

I have been having a fun time moving all my home services from a noisy self-built Linux host to a sleek, quiet Mac Mini. In the transition I have been learning a lot about the differences between managing Mac OS X Server and Ubuntu Server.

My latest foray made me think it might be worth blogging it. 
I have fail2ban installed to protect various services from the denizens of the internet, and I have been noticing that just after midnight it would regularly complain that the syslog file it was monitoring was missing. It would try a couple more times, then fail and mark the jail idle, leaving services unprotected.

Much reading round the subject and it would seem that syslog writing and rotation is managed by ASL on Mac OS X. This dutifully rotates the syslog at midnight just like logrotate would, but with one important difference: it doesn’t bother to create an empty file. That happens the next time a log message arrives. Fail2ban does not appreciate the missing file when running on Mac OS X, as it is using a poller backend rather than being notified of filesystem changes.

Now I don’t want to have to manually reload the fail2ban jails daily, so I did a little hack. At midnight, why not log something to make sure the file is created? Enter launchctl, and one small config plist later I have a service that triggers at midnight, raising a syslog call which causes a message to be written to the system log.

I’ll report back when this has been running for a while.

Update: Seems like updating at midnight isn’t quick enough, as launchd starts me shortly after midnight and fail2ban has already noticed the log gone. Next try: running a fail2ban-client command to mark the jail as not this at 0001.
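
One way to script the 00:01 follow-up from the update, as an added example that is not the author's code: it logs a message so the rotated file is recreated, waits for the file to appear, and only then clears the jail's idle flag with `fail2ban-client set <JAIL> idle off`. The log path, jail name, logger tag and timeout are assumptions, as is reading the update as "clear the idle state".

```shell
#!/bin/sh
# Added example: recreate the rotated log, then clear the jail's idle state.
# Assumptions (not from the post): log path, jail name, logger tag, timeout.
LOGFILE="${LOGFILE:-/var/log/system.log}"
JAIL="${JAIL:-sshd}"                      # hypothetical jail name
LOGGER="${LOGGER:-logger}"
F2B_CLIENT="${F2B_CLIENT:-fail2ban-client}"

# Wait until the log file exists, nudging syslog to create it if needed.
# Returns 0 once the file is present, 1 if it never appears.
ensure_log() {
    file="$1"; tries="${2:-10}"
    [ -e "$file" ] && return 0
    # ASL creates the file only when the next message arrives, so send one.
    "$LOGGER" -t logkeepalive "post-rotation keepalive" || return 1
    while [ "$tries" -gt 0 ]; do
        [ -e "$file" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Clear the idle flag only after the file is back, so fail2ban's poller
# does not find it missing again on its next pass.
revive_jail() {
    file="$1"; jail="$2"
    if ! ensure_log "$file" "${WAIT_SECS:-10}"; then
        echo "log $file still missing; jail $jail left idle" >&2
        return 1
    fi
    "$F2B_CLIENT" set "$jail" idle off >/dev/null
}

# Invoke as "script run" (for example from launchd ProgramArguments).
if [ "${1:-}" = "run" ]; then
    revive_jail "$LOGFILE" "$JAIL"
fi
```

A non-zero exit means the jail is still idle, so the launchd job's exit status is worth alerting on rather than ignoring.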