Leopard, Syslog, and ASL

Published on February 01, 2008

Leopard seems to have a problem with syslog pegging the CPU at 100%. This seems to be related to `/var/log/asl.db` file getting too big and/or corrupted.

Blogs and discussion forums around keep suggesting turning off Back to My Mac, Time Machine, and other apps, but it really seems to be related to any application that gets chatty on the network, be it Widgets, Transmission, Safari, Transmit, or anything else. High network traffic (I'm not sure why) seems to cause the /var/log/asl.db file grow quite dramatically and eventually to a point where syslog just pegs the CPU at 100%.

asl.db is a log database of Apple's new system log facility (man 3 asl). According to the man page the ASL API is supposed to replace the syslog API and right now messages logged into ASL get sent onto syslog. Indeed when syslog peaks the CPU it spends all the time in asl_store_archive. I haven't done any digging in there, but it certainly points to the large file size or corrupted database.

So for now, the simple solution is to watch the size of asl.db, delete the file when the syslog starts to run at 100% cpu, and restart syslog. It will create new file and start all over again. I've also had some cases of corrupted asl.db such that Console.app wasn't able to read it (The "Log Database Queries" section of Console.app log list is read from asl.db).