Splunk Hack #2 – Logging Safari Requests on the iPhone

Mark Cohen posted a while back about enabling syslog on the iPhone for the sole purpose of logging to a Splunk instance on your laptop. This hack is a follow up to that post, and extends it slightly to include logging of the pages browsed by Safari on the phone. WARNING: If you brick your phone, you can still use it as an ergonomic pot-scraper. Splunk won’t be responsible for you going off and getting your $600 $400 piece of joy stuffed, but we’ll be happy to log the event.

Let’s get dirty. Go into and set locking to ‘never’. This will keep the phone on while you hack around on it. Keeping the phone on and connected to the network will drain your battery like nobody’s business, so make sure you plug in the charging cable.

Now install AppTap. Follow the instructions, and come back here when you are all done.

Using the AppTap installer on the phone, install the Community Sources, BSD Subsystem, Term-vt100, OpenSSH, Tinyproxy, and UIctl apps, in that order. UIctl will let you stop and start sshd on the phone. Launch it now to see if sshd is running. Click on the ‘load’ button if it’s not.

Ping your phone from your computer with its IP address. You can use the terminal on the phone to grab the IP address:

# ifconfig en0
en0: flags=8863 mtu 1500
inet netmask 0xffffff00 broadcast
ether 00:1c:b3:f0:0b:a6

Ssh to the phone from your terminal. The default root password is ‘dottie’.

foobar:~ kord$ ssh root@
root@'s password:
Last login: Wed Oct 10 13:45:22 2007 from
# hostname
Kord's iPhone

Now add a syslog.conf file to /etc/:

bash-3.2# echo "*.* @" > /etc/syslog.conf
bash-3.2# cat /etc/syslog.conf
*.* @

Obviously, you’ll want to use the IP address of the machine on which you are going to install Splunk. Speaking of Splunk, at this point you should already have it installed. If you don’t, download it here, and install it now. You can reference my first hack for instructions on getting Splunk up and running quickly on your system. Smile. Splunk goooood.

Back in your ssh session to the iPhone, you’ll need to move the syslogd executable to an alternate location, kill the old instance, and start the new one with a few parameters.

# cd /usr/sbin/
# mv syslogd syslogd.mine
# launchctl stop
....wait for about 5 seconds....
# /usr/sbin/syslogd.mine -bsd_out 1 &

Syslogd should now use the new /etc/syslog.conf file that you just created when it starts up. You can check if it’s running properly:

# ps -ax |grep syslog
110 p0 S 0:02.91 /usr/sbin/syslogd.mine -bsd_out 1

Now fire up Splunk, and hit your instance of it in a browser: http://localhost:8000. Click on the ‘admin’ link in the top right, click on the ‘data inputs’ tab at the top, ‘network ports’ just below that, and then click on the ‘add input’ button to the right.

Click on the UDP radio button under ‘source’. The port listed should change to 514. Click on the ‘add’ button at the bottom. You should now be getting data coming into Splunk on UDP port 514. Grab some coffee whilst Splunk eats ALL the logfiles coming in from the iPhone.

Now let’s get Tinyproxy serving requests for Safari on the phone and logging through syslogd. Check that Tinyproxy is running on the iPhone first:

# ps -ax |grep tiny
354 ?? S 0:00.10 /usr/bin/tinyproxy
355 ?? S 0:00.00 /usr/bin/tinyproxy
1428 p1 S+ 0:00.01 grep tiny

Edit tiny’s configuration file to set his logs to go to syslogd. Keep in mind there is more to the config file than the few lines that I’m showing.

# vi /usr/local/etc/tinyproxy/tinyproxy.conf
# log only errors
#Logfile "/var/log/tinyproxy.log"
#LogLevel Info
Syslog On

Now on the iPhone, go to settings..wifi networks.. ..http proxy. Enter the host as and the port as 8080, just as you see in the screenshot below:

Lastly, kill Tinyproxy so he’ll start logging correctly. He restarts automagically, so all you need to do is kill the process ids:

# ps -ax |grep tiny
354 ?? S 0:00.11 /usr/bin/tinyproxy
355 ?? S 0:00.05 /usr/bin/tinyproxy
1651 p1 S+ 0:00.01 grep tiny
# kill -9 354 355
# ps -ax |grep tiny
1654 ?? S 0:00.01 /usr/bin/tinyproxy
1655 ?? S 0:00.00 /usr/bin/tinyproxy
1657 p1 S+ 0:00.02 grep tiny

That should be about it. You should have Splunk filling up with logs that contain web requests being requested by the Safari browser on your iPhone. Don’t forget to restore the syslog plist file, reboot, and fix it to lock after a few minutes timeout.

Posted by