Preserving Apple Console Secure.log Events File for Usage Analysis – Preventing Turned Over Purged Erased Data

Summary. Apple Mac computers keep a log of significant events and errors.

Log files can be viewed in the Console program (found under Applications > Utilities).

The secure.log file (one of many log files) contains some useful information. For this reason, there are seven archives (backups) of that file.

The older secure.log files are archived whenever they reach 1000 bytes in size. The archived files are named secure.log.0.bz2, secure.log.1.bz2, secure.log.2.bz2 and so on up to secure.log.5.bz2.

The default setting is to keep six of these archived log files, and delete the oldest one each time a current log file is archived.

This can be a problem if you are trying to examine your computer’s event history over an extended period of time.

To change the default settings, one must follow these steps:

  1. Download and run the TextWrangler editor (or similar editor program).
  2. From the File menu, select Open.
    1. From the Open dialog box, the Enable setting is set as All TextWrangler Documents. Change this to Everything.
  3. Navigate to the etc directory. A shortcut is available, or you can get there via the private > etc folder path.
  4. Open the newsyslog.conf file.
  5. At the bottom of the file are entries indicating the size of log files and when they are archived (with the oldest being deleted).
  6. The default setting for the secure.log file is the following:
    /var/log/secure.log 640  5   1000 *     J
  7. The spaces and tabs between the fields above are required. The first part of the configuration string indicates the file and its location. The second element determines the owner or group for the file. The 5 means that there will be a total of 6 archives for the file (counting up from 0 to 5). The 1000 means the file will reach 1000 KB and then be archived. The asterisk indicates that the file won’t be archived at any particular time, but only when the size limit is met. The J indicates the kind of log file.
  8. So, to change this setting to something more desirable, replace the default setting with the following:
    /var/log/secure.log 640  10   2000 *     J
  9. This indicates that the log file will be rotated (copied, archived, and started fresh) whenever it reaches 2MB in size. The 10 indicates that there will be up to 11 archives. So, you’ll end up with about 22MB in log file data, and hopefully that will cover a time span that allows you to analyze your system’s performance and usage.
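
A way to check the edited entry before relying on it, as an added example that is not part of the original article: this Python sketch parses a newsyslog.conf line, confirms the required fields survived the edit, computes the retention ceiling using the article's archive counting (0 through count), and warns if the edit loosened the file mode. Field names follow the newsyslog.conf(5) column layout; the function names and the sample lines (copied from the steps above) are assumptions of this example.

```python
# Constructed sample input: the two secure.log entries quoted in the steps above.
DEFAULT = "/var/log/secure.log 640  5   1000 *     J"
EDITED = "/var/log/secure.log 640  10   2000 *     J"

def parse_entry(line):
    """Parse one entry: logfile [owner:group] mode count size when [flags]."""
    fields = line.split()  # fields are separated by any run of spaces or tabs
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment
    path, rest = fields[0], fields[1:]
    owner = None
    if rest and ":" in rest[0]:  # optional owner:group column
        owner, rest = rest[0], rest[1:]
    if len(rest) < 4:
        raise ValueError(f"{path}: expected mode count size when, got {rest}")
    mode, count, size, when = rest[:4]
    if not (mode.isdigit() and set(mode) <= set("01234567")):
        raise ValueError(f"{path}: mode {mode!r} is not octal")
    if not count.isdigit():
        raise ValueError(f"{path}: count {count!r} is not a number")
    if size != "*" and not size.isdigit():
        raise ValueError(f"{path}: size {size!r} is not a number or *")
    return {
        "path": path, "owner": owner, "mode": int(mode, 8),
        "count": int(count),
        "size_kb": None if size == "*" else int(size),  # size column is in KB
        "when": when, "flags": rest[4] if len(rest) > 4 else "",
    }

def retention_kb(entry):
    """Upper bound on archived data, counting archives as the article does
    (numbered 0..count, so count + 1 files of size_kb each)."""
    if entry["size_kb"] is None:
        return None  # rotation is time-based only, so there is no size bound
    return (entry["count"] + 1) * entry["size_kb"]

def audit(line):
    """Return (retention_kb, warnings) for one edited entry."""
    entry = parse_entry(line)
    warnings = []
    if entry["mode"] & 0o007:  # any permission bit set for "other"
        warnings.append("log is accessible to all users")
    if "J" not in entry["flags"] and "Z" not in entry["flags"]:
        warnings.append("archives are not compressed")
    return retention_kb(entry), warnings

if __name__ == "__main__":
    for name, line in (("default", DEFAULT), ("edited", EDITED)):
        print(name, audit(line))
```

The retention figure is a ceiling on uncompressed log data; archives written with the J flag are bzip2-compressed, so they occupy less space on disk.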

By Greg Johnson

Greg Johnson is a freelance writer and tech consultant in Iowa City. He is also the founder and Director of the ResourcesForLife.com website. Learn more at AboutGregJohnson.com