From 7a8910783006421a981c594f812f353065f37528 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Thu, 17 Mar 2005 17:02:47 +0000
Subject: improving man files & install

---
 Makefile | 20 +-
 rsyslog.conf.5 | 646 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 rsyslogd.8 | 615 ++++++++++++++++++++++++++++++++++++++++++++++++++
 sysklogd.8 | 607 -----------------------------------------------------
 syslog.conf.5 | 397 ----------------------------------
 syslogd.8 | 1 -
 syslogd.c | 2 +-
 7 files changed, 1268 insertions(+), 1020 deletions(-)
 create mode 100644 rsyslog.conf.5
 create mode 100644 rsyslogd.8
 delete mode 100644 sysklogd.8
 delete mode 100644 syslog.conf.5
 delete mode 100644 syslogd.8

diff --git a/Makefile b/Makefile
index e6e42f3b..ac2b1247 100644
--- a/Makefile
+++ b/Makefile
@@ -57,8 +57,7 @@ all: syslogd
 
 test: syslog_tst ksym oops_test tsyslogd
 
-#install: install_man install_exec
-install: install_exec
+install: install_man install_exec
 
 syslogd: syslogd.o pidfile.o template.o stringbuf.o srUtils.o
 	${CC} ${LDFLAGS} -o syslogd syslogd.o pidfile.o template.o stringbuf.o srUtils.o ${LIBS}
@@ -93,16 +92,9 @@ clean:
 clobber: clean
 	rm -f syslogd klogd ksym syslog_tst oops_test TAGS tsyslogd tklogd
 
-install-replace: syslogd
-	${INSTALL} -b -m 500 -s syslogd ${DESTDIR}${BINDIR}/syslogd
-
 install_exec: syslogd
-	cp ${DESTDIR}${BINDIR}/syslogd ${DESTDIR}${BINDIR}/syslogd-previous
-	${INSTALL} -b -m 500 -s syslogd ${DESTDIR}${BINDIR}/syslogd
-
-# man not yet supported ;)
-#install_man:
-#	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 sysklogd.8 ${MANDIR}/man8/sysklogd.8
-#	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 syslogd.8 ${MANDIR}/man8/syslogd.8
-#	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 syslog.conf.5 ${MANDIR}/man5/syslog.conf.5
-#	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 klogd.8 ${MANDIR}/man8/klogd.8
+	${INSTALL} -b -m 500 -s syslogd ${DESTDIR}${BINDIR}/rsyslogd
+
+install_man:
+	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 rsyslogd.8 ${MANDIR}/man8/rsyslogd.8
+	${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 rsyslog.conf.5 ${MANDIR}/man5/rsyslog.conf.5
diff --git a/rsyslog.conf.5 b/rsyslog.conf.5
new file mode 100644
index 00000000..6c91607c
--- /dev/null
+++ b/rsyslog.conf.5
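Review bot: The new `install_man` recipe writes to `${MANDIR}/man8` and `${MANDIR}/man5` without the `${DESTDIR}` prefix that the `install_exec` recipe directly above applies to `${BINDIR}`, so a staged install (`make DESTDIR=... install`, which the top-level `install` target now routes through `install_man`) drops the man pages into the live system while the binary lands in the staging tree. The two lines should read `${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 rsyslogd.8 ${DESTDIR}${MANDIR}/man8/rsyslogd.8` and `${INSTALL} -o ${MAN_OWNER} -g ${MAN_OWNER} -m 644 rsyslog.conf.5 ${DESTDIR}${MANDIR}/man5/rsyslog.conf.5`. Listing the pages as prerequisites, `install_man: rsyslogd.8 rsyslog.conf.5`, makes a missing page fail before anything is copied, and since `install_man` creates no file of that name it belongs in `.PHONY`; the `.PHONY` declaration, if any, is outside this hunk, so whether it is covered cannot be told from here.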
@@ -0,0 +1,646 @@ +.\" rsyslog.conf - rsyslogd(8) configuration file +.\" Copyright 2003-2004 Rainer Gerhards and Adiscon GmbH. +.\" +.\" This file is part of the rsyslog package, an enhanced system log daemon. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation; either version 2 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program; if not, write to the Free Software +.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. +.\" +.TH RSYSLOG.CONF 5 "2005-03-17" "Version 0.8" "Linux System Administration" +.SH NAME +rsyslog.conf \- rsyslogd(8) configuration file +.SH DESCRIPTION +The +.I rsyslog.conf +file is the main configuration file for the +.BR rsyslogd (8) +which logs system messages on *nix systems. This file specifies rules +for logging. For special features see the +.BR rsyslogd (8) +manpage. + +While rsyslogd contains enhancements over standard syslogd, efforts +have been made to keep the configuration file as compatible as +possible. While, for obvious reasons, enhanced features require +a different config file syntax, rsyslogd should be able to work with +a standard syslog.conf file. This is especially useful while you +are migrating from syslogd to rsyslogd. + +Every rule consists of two fields, a +.I selector +field and an +.I action +field. These two fields are separated by one or more spaces or +tabs. The selector field specifies a pattern of facilities and +priorities belonging to the specified action. 
+ +Lines starting with a hash mark (``#'') and empty lines are ignored. + +.SH TEMPLATES +Templates are a key feature of rsyslog. They allow to specify any +format a user might want. Every output in rsyslog uses templates - this +holds true for files, user messages and so on. The database writer +expects its template to be a proper SQL statement - so this is highly +customizable too. You might ask how does all of this work when no templates +at all are specified. Good question ;) The answer is simple, though. Templates +compatible with the stock syslogd formats are hardcoded into rsyslog. So if +no template is specified, we use one of these hardcoded templates. Search for +"template_" in syslogd.c and you will find the hardcoded ones. + +A template consists of a template directive, a name, the actual template text +and optional options. A sample is: + +$template MyTemplateName,"\\7Text %property% some more text\\n", + +The "$template" is the template directive. It tells rsyslog that this +line contains a template. "MyTemplateName" is the template name. +All other config lines refer to this name. + +The text within quotes is the actual template text. The backslash is +an escape character, much as it is in C. It does all these "cool" things. For +example, \\7 rings the bell (this is an ASCII value), \\n is a new line. +C programmers and perl coders have the advantage of knowing this, but the +set in rsyslog is a bit restricted currently. + +All text in the template +is used literally, except for things within percent signs. These are +properties and allow you access to the contents of the syslog message. +Properties are accessed via the property replacer (nice name, huh) and +it can do cool things, too. For example, it can pick a substring or +do date-specific formatting. More on this is below, on some lines of the +property replacer. + +The part is optional. It carries options influenceing the +template as whole. See details below. 
Be sure NOT to mistake template +options with property options - the later ones are processed by the +property replacer and apply to a SINGLE property, only (and not the +whole template). + +Template options are case-insensitive. Currently defined are: +.nf +sql - format the string suitable for a SQL statement. This will replace + single quotes ("'") by two single quotes ("''") inside each + field. This option MUST be specified when a template is used for + writing to a database, otherwise SQL injection might occur. +.fi + +Please note that the database writer *checks* that the sql option is +present in the template. If it is not present, the write database action +is disabled. This is to guard you against accidential forgetting it and +then becoming vulnerable to SQL injection. +The sql option can also be useful with files - especially if you want +to import them into a database on another machine for performance reasons. +However, do NOT +use it if you do not have a real need for it - among others, it takes +some toll on the processing time. Not much, but on a really busy system +you might notice it ;) + +.nf +To escape: +% = \\% +\\ = \\\\ --> '\\' is used to escape (as in C) +$template TraditionalFormat,%timegenerated% %HOSTNAME% %syslogtag%%msg%\\n" +.fi + +Properties can be accessed by the property replacer. They are accessed +inside the template by putting them between percent signs. Properties +can be modifed by the property replacer. The full syntax is as follows: + +%propname:fromChar:toChar:options% + +propname is the name of the property to access. This IS case-sensitive! +Currently supported are: + +.nf +msg the MSG part of the message (aka "the message" ;)) +rawmsg the message excactly as it was received from the + socket. Should be useful for debugging. +UxTradMsg will disappear soon - do NOT use! 
+HOSTNAME hostname from the message +source alias for HOSTNAME +syslogtag TAG from the message +PRI PRI part of the message - undecoded (single value) +IUT the monitorware InfoUnitType - used when talking + to a MonitorWare backend (also for phpLogCon) +syslogfacility the facility from the message - in numerical form +syslogpriority the priority (actully severity!) from the + message - in numerical form +timegenerated timestamp when the message was RECEIVED. Always in + high resolution +timereported timestamp from the message. Resolution depends on + what was provided in the message (in most cases, + only seconds) +TIMESTAMP alias for timereported +.fi + +FromChar and toChar are used to build substrings. They specify the +offset within the string that should be copied. Offset counting +starts at 1, so if you need to obtain the first 2 characters of the +message text, you can use this syntax: "%msg:1:2%". +If you do not whish to specify from and to, but you want to +specify options, you still need to include the colons. For example, +if you would like to convert the full message text to lower case, +use "%msg:::lowercase%". + +.nf +property options are case-insensitive, currently defined are: +uppercase convert property to lowercase only +lowercase convert property text to uppercase only +drop-last-lf The last LF in the message (if any), is dropped. + Especially useful for PIX. +date-mysql format as mysql date +date-rfc3164 format as RFC 3164 date +date-rfc3339 format as RFC 3339 date +escape-cc NOT yet implemented +.fi + +.SH SELECTORS +The selector field itself again consists of two parts, a +.I facility +and a +.IR priority , +separated by a period (``.''). +Both parts are case insensitive and can also be specified as decimal +numbers, but don't do that, you have been warned. Both facilities and +priorities are described in +.BR rsyslog (3). +The names mentioned below correspond to the similar +.BR LOG_ -values +in +.IR /usr/include/rsyslog.h . 
+ +The +.I facility +is one of the following keywords: +.BR auth ", " authpriv ", " cron ", " daemon ", " kern ", " lpr ", " +.BR mail ", " mark ", " news ", " security " (same as " auth "), " +.BR rsyslog ", " user ", " uucp " and " local0 " through " local7 . +The keyword +.B security +should not be used anymore and +.B mark +is only for internal use and therefore should not be used in +applications. Anyway, you may want to specify and redirect these +messages here. The +.I facility +specifies the subsystem that produced the message, i.e. all mail +programs log with the mail facility +.BR "" ( LOG_MAIL ) +if they log using rsyslog. + +Please note that the upcoming next syslog-RFC specifies many more +facilities. Support for them will be added in a future version of +rsyslog, which might require changes to existing configuration files. + +The +.I priority +is one of the following keywords, in ascending order: +.BR debug ", " info ", " notice ", " warning ", " warn " (same as " +.BR warning "), " err ", " error " (same as " err "), " crit ", " +.BR alert ", " emerg ", " panic " (same as " emerg ). +The keywords +.BR error ", " warn " and " panic +are deprecated and should not be used anymore. The +.I priority +defines the severity of the message + +The behavior of the original BSD syslogd is that all messages of the +specified priority and higher are logged according to the given +action. This +.BR rsyslogd (8) +behaves the same, but has some extensions. + +In addition to the above mentioned names the +.BR rsyslogd (8) +understands the following extensions: An asterisk (``*'') stands for +all facilities or all priorities, depending on where it is used +(before or after the period). The keyword +.B none +stands for no priority of the given facility. + +You can specify multiple facilities with the same priority pattern in +one statement using the comma (``,'') operator. You may specify as +much facilities as you want. 
Remember that only the facility part from +such a statement is taken, a priority part would be skipped. + +Multiple selectors may be specified for a single +.I action +using the semicolon (``;'') separator. Remember that each selector in +the +.I selector +field is capable to overwrite the preceding ones. Using this +behavior you can exclude some priorities from the pattern. + +.BR Rsyslogd (8) +has a syntax extension to the original BSD source, that makes its use +more intuitively. You may precede every priority with an equation sign +(``='') to specify only this single priority and not any of the +above. You may also (both is valid, too) precede the priority with an +exclamation mark (``!'') to ignore all that priorities, either exact +this one or this and any higher priority. If you use both extensions +than the exclamation mark must occur before the equation sign, just +use it intuitively. + +.SH ACTIONS +The action field of a rule describes what to do with the message. +In general, message content is written to a kind of "logfile". But +also other actions might be done, like writing to a database table +or forwarding to another host. + +Templates can be used with all actions. If used, the specified template +is used to generate the message content (instead of the default +template). To specify a template, write a semicolon after the action +value immediately followed by the template name. + +.B Beware: +templates MUST be defined BEFORE they are used. It is OK to define +some templates, then use them in selector lines, define more templates +and use use them in the following selector lines. But it is NOT permitted +to use a template in a selectore line that is above its definition. If you +do this, the selector line will be ignored. + +.SS Regular File +Typically messages are logged to real files. The file has to be +specified with full pathname, beginning with a slash ``/''. 
+ +You may prefix each entry with the minus ``-'' sign to omit syncing +the file after every logging. Note that you might lose information if +the system crashes right behind a write attempt. Nevertheless this +might give you back some performance, especially if you run programs +that use logging in a very verbose manner. + +If your system is connected to a reliable UPS and you receive lots of +log data (e.g. firewall logs), it might be a very good idea to turn +of syncing by specifying the "-" in front of the file name. + +.SS Named Pipes +This version of +.BR rsyslogd (8) +has support for logging output to +named pipes (fifos). A fifo or named pipe can be used as +a destination for log messages by prepending a pipe symbol (``|'') to +the name of the file. This is handy for debugging. Note that the fifo +must be created with the +.BR mkfifo (1) +command before +.BR rsyslogd (8) +is started. + +.SS Terminal and Console +If the file you specified is a tty, special tty-handling is done, same +with +.IR /dev/console . + +.SS Remote Machine +.BR Rsyslogd (8) +provides full remote logging, i.e. is able to send messages to a +remote host running +.BR rsyslogd (8) +and to receive messages from remote hosts. The remote +host won't forward the message again, it will just log them +locally. To forward messages to another host, prepend the hostname +with the at sign (``@''). + +Using this feature you're able to control all rsyslog messages on one +host, if all other machines will log remotely to that. This tears down +administration needs. + +Please note that this version of rsyslogd does NOT forward messages +it has received from the network to another host. So it can NOT work +as a relay. If you need this functionality, either ask +rgerhards@adiscon.com or wait until it is configurable in the next +version. + +.SS List of Users +Usually critical messages are also directed to ``root'' on that +machine. 
You can specify a list of users that shall get the message by +simply writing the login. You may specify more than one user by +separating them with commas (``,''). If they're logged in they +get the message. Don't think a mail would be sent, that might be too +late. + +.SS Everyone logged on +Emergency messages often go to all users currently online to notify +them that something strange is happening with the system. To specify +this +.IR wall (1)-feature +use an asterisk (``*''). + +.SS Database Table +This allows logging of the message to a database table. Currently, only +MySQL databases are supported. By default, a MonitorWare-compatible schema +is required for this to work. You can create that schema with the +createDB.SQL file that came with the rsyslog package. You can also +use any other schema of your liking - you just need to define a proper +template and assign this template to the action. + +The database writer is called by specifying a greater-then sign (">") +in front of the database connect information. Immediately after that +sign the database host name must be given, a comma, the database name, +another comma, the database user, a comma and then the user's password. +If a specific template is to be used, a semicolong followed by the +template name can follow the connect information. This is as follows: + +.nf + >dbhost,dbname,dbuser,dbpassword;dbtemplate +.fi +.SH TEMPLATE NAME +Every ACTION can be followed by a template name. If so, that template is used +for message formatting. If no name is given, a hardcoded default template is +used for the action. +There can only be one template name for each given action. +The default template is specific to each action. For a +description of what a template is and what you can do with it, see +"TEMPLATES" at the top of this document. + +.SH EXAMPLES +Below are example for templates and selector lines. I hope they are +self-explanatory. If not, please see www.monitorware.com/rsyslog/ for +advise. 
+.SS TEMPLATES +Please note that +the samples are split across multiple lines. A template MUST NOT actually +be split across multiple lines. + +A template that resambles traditional syslogd file output: +.br +.nf +$template TraditionalFormat,"%timegenerated% %HOSTNAME% +%syslogtag%%msg:::drop-last-lf%\\n" +.fi + +A template that tells you a little more about the message: +.br +.nf +$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%, +%syslogtag%,%msg%\\n" +.fi + +A template for RFC 3164 format: +.br +.nf +$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%" +.fi + +A template for the format traditonally used for user messages: +.br +.nf +$template usermsg," XXXX%syslogtag%%msg%\\n\\r" +.fi + +And a template with the traditonal wall-message format: +.br +.nf +$template wallmsg,"\\r\\n\\7Message from syslogd@%HOSTNAME% at %timegenerated% +...\\r\\n %syslogtag%%msg%\\n\\r" +.fi + +A template that can be used for the database write (please note the SQL template +option) +.br +.nf +$template MySQLInsert,"insert iut, message, receivedat values +('%iut%', '%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') +into systemevents\\r\\n", SQL +.fi + +The following template emulates winsyslog format (it's a Adiscon format, you +do not feel bad if you don't know it ;)). It's interesting to see how it +takes different parts out of the date stamps. What happens is that the date +stamp is split into the actual date and time and the these two are combined +with just a comma in between them. 
+ +.nf +$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%, +%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%, +%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%, +%syslogtag%%msg%\\n" +.fi + +.SS SELECTOR LINES +.IP +.nf +# Store critical stuff in critical +# +*.=crit;kern.none /var/adm/critical +.fi +.LP +This will store all messages with the priority +.B crit +in the file +.IR /var/adm/critical , +except for any kernel message. + +.IP +.nf +# Kernel messages are first, stored in the kernel +# file, critical messages and higher ones also go +# to another host and to the console. Messages to +# the host finlandia are forwarded in RFC 3164 +# format (using the template defined above). +# +kern.* /var/adm/kernel +kern.crit @finlandia;RFC3164fmt +kern.crit /dev/console +kern.info;kern.!err /var/adm/kernel-info +.fi +.LP +The first rule direct any message that has the kernel facility to the +file +.IR /var/adm/kernel . + +The second statement directs all kernel messages of the priority +.B crit +and higher to the remote host finlandia. This is useful, because if +the host crashes and the disks get irreparable errors you might not be +able to read the stored messages. If they're on a remote host, too, +you still can try to find out the reason for the crash. + +The third rule directs these messages to the actual console, so the +person who works on the machine will get them, too. + +The fourth line tells the rsyslogd to save all kernel messages that +come with priorities from +.BR info " up to " warning +in the file +.IR /var/adm/kernel-info . +Everything from +.I err +and higher is excluded. + +.IP +.nf +# The tcp wrapper loggs with mail.info, we display +# all the connections on tty12 +# +mail.=info /dev/tty12 +.fi +.LP +This directs all messages that uses +.BR mail.info " (in source " LOG_MAIL " | " LOG_INFO ) +to +.IR /dev/tty12 , +the 12th console. 
For example the tcpwrapper +.BR tcpd (8) +uses this as it's default. + +.IP +.nf +# Store all mail concerning stuff in a file +# +mail.*;mail.!=info /var/adm/mail +.fi +.LP +This pattern matches all messages that come with the +.B mail +facility, except for the +.B info +priority. These will be stored in the file +.IR /var/adm/mail . + +.IP +.nf +# Log all mail.info and news.info messages to info +# +mail,news.=info /var/adm/info +.fi +.LP +This will extract all messages that come either with +.BR mail.info " or with " news.info +and store them in the file +.IR /var/adm/info . + +.IP +.nf +# Log info and notice messages to messages file +# +*.=info;*.=notice;\\ + mail.none /var/log/messages +.fi +.LP +This lets +.B rsyslogd +log all messages that come with either the +.BR info " or the " notice +facility into the file +.IR /var/log/messages , +except for all messages that use the +.B mail +facility. + +.IP +.nf +# Log info messages to messages file +# +*.=info;\\ + mail,news.none /var/log/messages +.fi +.LP +This statement causes +.B rsyslogd +to log all messages that come with the +.B info +priority to the file +.IR /var/log/messages . +But any message coming either with the +.BR mail " or the " news +facility will not be stored. + +.IP +.nf +# Emergency messages will be displayed using wall +# +*.=emerg * +.fi +.LP +This rule tells the +.B rsyslogd +to write all emergency messages to all currently logged in users. This +is the wall action. + +.IP +.nf +# Messages of the priority alert will be directed +# to the operator +# +*.alert root,joey +.fi +.LP +This rule directs all messages with a priority of +.B alert +or higher to the terminals of the operator, i.e. of the users ``root'' +and ``joey'' if they're logged in. + +.IP +.nf +*.* @finlandia +.fi +.LP +This rule would redirect all messages to a remote host called +finlandia. This is useful especially in a cluster of machines where +all rsyslog messages will be stored on only one machine. 
+ +.IP +.fi +*.* >dbhost,dbname,dbuser,dbpassword;dbtemplate +.nf +.LP +This rule writes all message to the database "dbname" hosted on "dbhost". +The login is done with user "dbuser" and password "dbpassword". The +actual table that is updated is specified within the template (which +contains the insert statement). The template is called "dbtemplate" +in this case. + +.SH CONFIGURATION FILE SYNTAX DIFFERENCES +.B Rsyslogd +uses a slightly different syntax for its configuration file than +the original BSD sources. Originally all messages of a specific priority +and above were forwarded to the log file. The modifiers ``='', ``!'' +and ``-'' were added to make +.B rsyslogd +more flexible and to use it in a more intuitive manner. + +The original BSD rsyslogd doesn't understand spaces as separators between +the selector and the action field. + +When compared to syslogd from sysklogd package, +.B rsyslogd +offers template support. For obvious reasons, the syntax for +template definitions is available in rsyslogd, only. The same +applies to the write database action. +.SH FILES +.PD 0 +.TP +.I /etc/rsyslog.conf +Configuration file for +.B rsyslogd + +.SH BUGS +The effects of multiple selectors are sometimes not intuitive. For +example ``mail.crit,*.err'' will select ``mail'' facility messages at +the level of ``err'' or higher, not at the level of ``crit'' or +higher. + +This is an early release. So be sure to check the file BUGS that came with +the package for all the fun it offers ;) +.SH SEE ALSO +.BR syslogd (8), +.BR logger (1), +.BR syslog (3) + +.SH AUTHORS +The +.B rsyslogd +is taken from sysklogd sources, which have been heavily modified +by Rainer Gerhards (rgerhards@adiscon.com) and others. diff --git a/rsyslogd.8 b/rsyslogd.8 new file mode 100644 index 00000000..777757d2 --- /dev/null +++ b/rsyslogd.8 
@@ -0,0 +1,615 @@ +.\" Copyright 2004 Rainer Gerhards and Adiscon for the rsyslog modifications +.\" May be distributed under the GNU General Public License +.\" +.TH RSYSLOGD 8 "24 November 2004" "Version 0.8" "Linux System Administration" +.SH NAME +rsyslog \- reliable and extended syslogd +.SH SYNOPSIS +.B syslogd +.RB [ " \-a " +.I socket +] +.RB [ " \-d " ] +.RB [ " \-f " +.I config file +] +.RB [ " \-h " ] +.RB [ " \-l " +.I hostlist +] +.RB [ " \-m " +.I interval +] +.RB [ " \-n " ] +.RB [ " \-p" +.IB socket +] +.RB [ " \-r " ] +.RB [ " \-s " +.I domainlist +] +.RB [ " \-v " ] +.LP +.SH DESCRIPTION +.B rsyslogd +provides two system utilities which provide support for +system logging and kernel message trapping. Support of both internet and +unix domain sockets enables this utility package to support both local +and remote logging. + +System logging is provided by a version of +.BR syslogd (8) +derived from the sysklogd package which in turn is derived from the +stock BSD sources. Support for kernel logging is provided by the +.BR klogd (8) +utility which allows kernel logging to be conducted in either a +standalone fashion or as a client of syslogd. + +.B Syslogd +provides a kind of logging that many modern programs use. Every logged +message contains at least a time and a hostname field, normally a +program name field, too, but that depends on how trusty the logging +program is. The rsyslog package supports free definition of output formats +via templates. It also supports precise timestamps and writing directly +to MySQL databases. If the database option is used, tools like phpLogCon can +be used to view the log data. + +While the +.B syslogd +sources have been heavily modified a couple of notes +are in order. First of all there has been a systematic attempt to +insure that syslogd follows its default, standard BSD behavior. Of course, +some configuration file changes are necessary in order to support the +template system. 
However, rsyslog should be able to use a standard +syslog.conf and act like the orginal syslogd. However, an original syslogd +will not work correctly with a rsyslog-enhanced configuration file. At +best, it will generate funny looking file names. +The second important concept to note is that this version of syslogd +interacts transparently with the version of syslog found in the +standard libraries. If a binary linked to the standard shared +libraries fails to function correctly we would like an example of the +anomalous behavior. + +The main configuration file +.I /etc/syslog.conf +or an alternative file, given with the +.B "\-f" +option, is read at startup. Any lines that begin with the hash mark +(``#'') and empty lines are ignored. If an error occurs during parsing +the error element is ignored. It is tried to parse the rest of the line +and it most . + +.LP +.SH OPTIONS +.TP +.BI "\-a " "socket" +Using this argument you can specify additional sockets from that +.B syslogd +has to listen to. This is needed if you're going to let some daemon +run within a chroot() environment. You can use up to 19 additional +sockets. If your environment needs even more, you have to increase +the symbol +.B MAXFUNIX +within the syslogd.c source file. An example for a chroot() daemon is +described by the people from OpenBSD at +http://www.psionic.com/papers/dns.html. +.TP +.B "\-d" +Turns on debug mode. Using this the daemon will not proceed a +.BR fork (2) +to set itself in the background, but opposite to that stay in the +foreground and write much debug information on the current tty. See the +DEBUGGING section for more information. +.TP +.BI "\-f " "config file" +Specify an alternative configuration file instead of +.IR /etc/syslog.conf "," +which is the default. +.TP +.BI "\-h " +By default syslogd will not forward messages it receives from remote hosts. 
+Specifying this switch on the command line will cause the log daemon to +forward any remote messages it receives to forwarding hosts which have been +defined. +.TP +.BI "\-l " "hostlist" +Specify a hostname that should be logged only with its simple hostname +and not the fqdn. Multiple hosts may be specified using the colon +(``:'') separator. +.TP +.BI "\-m " "interval" +The +.B syslogd +logs a mark timestamp regularly. The default +.I interval +between two \fI-- MARK --\fR lines is 20 minutes. This can be changed +with this option. Setting the +.I interval +to zero turns it off entirely. +.TP +.B "\-n" +Avoid auto-backgrounding. This is needed especially if the +.B syslogd +is started and controlled by +.BR init (8). +.TP +.BI "\-p " "socket" +You can specify an alternative unix domain socket instead of +.IR /dev/log "." +.TP +.B "\-r" +This option will enable the facility to receive message from the +network using an internet domain socket with the syslog service (see +.BR services (5)). +The default is to not receive any messages from the network. + +This option is introduced in version 1.3 of the sysklogd +package. Please note that the default behavior is the opposite of +how older versions behave, so you might have to turn this on. +.TP +.BI "\-s " "domainlist" +Specify a domainname that should be stripped off before +logging. Multiple domains may be specified using the colon (``:'') +separator. +Please be advised that no sub-domains may be specified but only entire +domains. For example if +.B "\-s north.de" +is specified and the host logging resolves to satu.infodrom.north.de +no domain would be cut, you will have to specify two domains like: +.BR "\-s north.de:infodrom.north.de" . +.TP +.B "\-v" +Print version and exit. +.LP +.SH SIGNALS +.B Syslogd +reacts to a set of signals. 
You may easily send a signal to +.B syslogd +using the following: +.IP +.nf +kill -SIGNAL `cat /var/run/syslogd.pid` +.fi +.PP +.TP +.B SIGHUP +This lets +.B syslogd +perform a re-initialization. All open files are closed, the +configuration file (default is +.IR /etc/syslog.conf ")" +will be reread and the +.BR syslog (3) +facility is started again. +.TP +.B SIGTERM +The +.B syslogd +will die. +.TP +.BR SIGINT ", " SIGQUIT +If debugging is enabled these are ignored, otherwise +.B syslogd +will die. +.TP +.B SIGUSR1 +Switch debugging on/off. This option can only be used if +.B syslogd +is started with the +.B "\-d" +debug option. +.TP +.B SIGCHLD +Wait for childs if some were born, because of wall'ing messages. +.LP +.SH CONFIGURATION FILE SYNTAX DIFFERENCES +.B Syslogd +uses a slightly different syntax for its configuration file than +the original BSD sources. Originally all messages of a specific priority +and above were forwarded to the log file. +.IP +For example the following line caused ALL output from daemons using +the daemon facilities (debug is the lowest priority, so every higher +will also match) to go into +.IR /usr/adm/daemons : +.IP +.nf + # Sample syslog.conf + daemon.debug /usr/adm/daemons +.fi +.PP +Under the new scheme this behavior remains the same. The difference +is the addition of four new specifiers, the asterisk (\fB*\fR) +wildcard, the equation sign (\fB=\fR), the exclamation mark +(\fB!\fR), and the minus sign (\fB-\fR). + +The \fB*\fR specifies that all messages for the +specified facility are to be directed to the destination. Note that +this behavior is degenerate with specifying a priority level of debug. +Users have indicated that the asterisk notation is more intuitive. + +The \fB=\fR wildcard is used to restrict logging to the specified priority +class. This allows, for example, routing only debug messages to a +particular logging source. 
+.IP +For example the following line in +.I syslog.conf +would direct debug messages from all sources to the +.I /usr/adm/debug +file. +.IP +.nf + # Sample syslog.conf + *.=debug /usr/adm/debug +.fi +.PP +.\" The \fB!\fR as the first character of a priority inverts the above +.\" mentioned interpretation. +The \fB!\fR is used to exclude logging of the specified +priorities. This affects all (!) possibilities of specifying priorities. +.IP +For example the following lines would log all messages of the facility +mail except those with the priority info to the +.I /usr/adm/mail +file. And all messages from news.info (including) to news.crit +(excluding) would be logged to the +.I /usr/adm/news +file. +.IP +.nf + # Sample syslog.conf + mail.*;mail.!=info /usr/adm/mail + news.info;news.!crit /usr/adm/news +.fi +.PP +You may use it intuitively as an exception specifier. The above +mentioned interpretation is simply inverted. Doing that you may use + +.nf + mail.none +.fi +or +.nf + mail.!* +.fi +or +.nf + mail.!debug +.fi + +to skip every message that comes with a mail facility. There is much +room to play with it. :-) + +The \fB-\fR may only be used to prefix a filename if you want to omit +sync'ing the file after every write to it. + +This may take some acclimatization for those individuals used to the +pure BSD behavior but testers have indicated that this syntax is +somewhat more flexible than the BSD behavior. Note that these changes +should not affect standard +.BR syslog.conf (5) +files. You must specifically +modify the configuration files to obtain the enhanced behavior. +.LP +.SH SUPPORT FOR REMOTE LOGGING +These modifications provide network support to the syslogd facility. +Network support means that messages can be forwarded from one node +running syslogd to another node running syslogd where they will be +actually logged to a disk file. + +To enable this you have to specify the +.B "\-r" +option on the command line. 
The default behavior is that +.B syslogd +won't listen to the network. + +The strategy is to have syslogd listen on a unix domain socket for +locally generated log messages. This behavior will allow syslogd to +inter-operate with the syslog found in the standard C library. At the +same time syslogd listens on the standard syslog port for messages +forwarded from other hosts. To have this work correctly the +.BR services (5) +files (typically found in +.IR /etc ) +must have the following +entry: +.IP +.nf + syslog 514/udp +.fi +.PP +If this entry is missing +.B syslogd +neither can receive remote messages nor send them, because the UDP +port cant be opened. Instead +.B syslogd +will die immediately, blowing out an error message. + +To cause messages to be forwarded to another host replace +the normal file line in the +.I syslog.conf +file with the name of the host to which the messages is to be sent +prepended with an @. +.IP +For example, to forward +.B ALL +messages to a remote host use the +following +.I syslog.conf +entry: +.IP +.nf + # Sample syslogd configuration file to + # messages to a remote host forward all. + *.* @hostname +.fi + +To forward all \fBkernel\fP messages to a remote host the +configuration file would be as follows: +.IP +.nf + # Sample configuration file to forward all kernel + # messages to a remote host. + kern.* @hostname +.fi +.PP + +If the remote hostname cannot be resolved at startup, because the +name-server might not be accessible (it may be started after syslogd) +you don't have to worry. +.B Syslogd +will retry to resolve the name ten times and then complain. Another +possibility to avoid this is to place the hostname in +.IR /etc/hosts . + +With normal +.BR syslogd s +you would get syslog-loops if you send out messages that were received +from a remote host to the same host (or more complicated to a third +host that sends it back to the first one, and so on). 
In my domain +(Infodrom Oldenburg) we accidently got one and our disks filled up +with the same single message. :-( + +To avoid this in further times no messages that were received from a +remote host are sent out to another (or the same) remote host +anymore. If there are scenarios where this doesn't make sense, please +drop me (Joey) a line. + +If the remote host is located in the same domain as the host, +.B syslogd +is running on, only the simple hostname will be logged instead of +the whole fqdn. + +In a local network you may provide a central log server to have all +the important information kept on one machine. If the network consists +of different domains you don't have to complain about logging fully +qualified names instead of simple hostnames. You may want to use the +strip-domain feature +.B \-s +of this server. You can tell the +.B syslogd +to strip off several domains other than the one the server is located +in and only log simple hostnames. + +Using the +.B \-l +option there's also a possibility to define single hosts as local +machines. This, too, results in logging only their simple hostnames +and not the fqdns. + +The UDP socket used to forward messages to remote hosts or to receive +messages from them is only opened when it is needed. In releases +prior to 1.3-23 it was opened every time but not opened for reading or +forwarding respectively. + +.SH OUTPUT TO NAMED PIPES (FIFOs) +This version of syslogd has support for logging output to named pipes +(fifos). A fifo or named pipe can be used as a destination for log +messages by prepending a pipy symbol (``|'') to the name of the +file. This is handy for debugging. Note that the fifo must be created +with the mkfifo command before syslogd is started. +.IP +The following configuration file routes debug messages from the +kernel to a fifo: +.IP +.nf + # Sample configuration to route kernel debugging + # messages ONLY to /usr/adm/debug which is a + # named pipe. 
+ kern.=debug |/usr/adm/debug +.fi +.LP +.SH INSTALLATION CONCERNS +There is probably one important consideration when installing this +version of syslogd. This version of syslogd is dependent on proper +formatting of messages by the syslog function. The functioning of the +syslog function in the shared libraries changed somewhere in the +region of libc.so.4.[2-4].n. The specific change was to +null-terminate the message before transmitting it to the +.I /dev/log +socket. Proper functioning of this version of syslogd is dependent on +null-termination of the message. + +This problem will typically manifest itself if old statically linked +binaries are being used on the system. Binaries using old versions of +the syslog function will cause empty lines to be logged followed by +the message with the first character in the message removed. +Relinking these binaries to newer versions of the shared libraries +will correct this problem. + +Both the +.BR syslogd "(8) and the " klogd (8) +can either be run from +.BR init (8) +or started as part of the rc.* +sequence. If it is started from init the option \fI\-n\fR must be set, +otherwise you'll get tons of syslog daemons started. This is because +.BR init (8) +depends on the process ID. +.LP +.SH SECURITY THREATS +There is the potential for the syslogd daemon to be +used as a conduit for a denial of service attack. Thanks go to John +Morrison (jmorriso@rflab.ee.ubc.ca) for alerting me to this potential. +A rogue program(mer) could very easily flood the syslogd daemon with +syslog messages resulting in the log files consuming all the remaining +space on the filesystem. Activating logging over the inet domain +sockets will of course expose a system to risks outside of programs or +individuals on the local machine. + +There are a number of methods of protecting a machine: +.IP 1. +Implement kernel firewalling to limit which hosts or networks have +access to the 514/UDP socket. +.IP 2. 
+Logging can be directed to an isolated or non-root filesystem which, +if filled, will not impair the machine. +.IP 3. +The ext2 filesystem can be used which can be configured to limit a +certain percentage of a filesystem to usage by root only. \fBNOTE\fP +that this will require syslogd to be run as a non-root process. +\fBALSO NOTE\fP that this will prevent usage of remote logging since +syslogd will be unable to bind to the 514/UDP socket. +.IP 4. +Disabling inet domain sockets will limit risk to the local machine. +.IP 5. +Use step 4 and if the problem persists and is not secondary to a rogue +program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* +and have a chat with the user in question. + +Sucker rod def. \(em 3/4, 7/8 or 1in. hardened steel rod, male +threaded on each end. Primary use in the oil industry in Western +North Dakota and other locations to pump 'suck' oil from oil wells. +Secondary uses are for the construction of cattle feed lots and for +dealing with the occasional recalcitrant or belligerent individual. +.LP +.SH DEBUGGING +When debugging is turned on using +.B "\-d" +option then +.B syslogd +will be very verbose by writing much of what it does on stdout. Whenever +the configuration file is reread and re-parsed you'll see a tabular, +corresponding to the internal data structure. This tabular consists of +four fields: +.TP +.I number +This field contains a serial number starting by zero. This number +represents the position in the internal data structure (i.e. the +array). If one number is left out then there might be an error in the +corresponding line in +.IR /etc/syslog.conf . +.TP +.I pattern +This field is tricky and represents the internal structure +exactly. Every column stands for a facility (refer to +.BR syslog (3)). +As you can see, there are still some facilities left free for former +use, only the left most are used. Every field in a column represents +the priorities (refer to +.BR syslog (3)). 
+.TP +.I action +This field describes the particular action that takes place whenever a +message is received that matches the pattern. Refer to the +.BR syslog.conf (5) +manpage for all possible actions. +.TP +.I arguments +This field shows additional arguments to the actions in the last +field. For file-logging this is the filename for the logfile; for +user-logging this is a list of users; for remote logging this is the +hostname of the machine to log to; for console-logging this is the +used console; for tty-logging this is the specified tty; wall has no +additional arguments. +.SH FILES +.PD 0 +.TP +.I /etc/syslog.conf +Configuration file for +.BR syslogd . +See +.BR syslog.conf (5) +for exact information. +.TP +.I /dev/log +The Unix domain socket to from where local syslog messages are read. +.TP +.I /var/run/syslogd.pid +The file containing the process id of +.BR syslogd . +.PD +.SH BUGS +If an error occurs in one line the whole rule is ignored. + +.B Syslogd +doesn't change the filemode of opened logfiles at any stage of +process. If a file is created it is world readable. If you want to +avoid this, you have to create it and change permissions on your own. +This could be done in combination with rotating logfiles using the +.BR savelog (8) +program that is shipped in the +.B smail +3.x distribution. Remember that it might be a security hole if +everybody is able to read auth.* messages as these might contain +passwords. +.LP +.SH SEE ALSO +.BR syslog.conf (5), +.BR klogd (8), +.BR logger (1), +.BR syslog (2), +.BR syslog (3), +.BR services (5), +.BR savelog (8) +.LP +.SH COLLABORATORS +.B Syslogd +is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) +performed the port to Linux, Martin Schulze (joey@linux.de) +fixed some bugs and added several new features. +.B Klogd +was originally written by Steve Lord (lord@cray.com), Greg Wettstein +made major improvements. + +.PD 0 +.TP +Dr. 
Greg Wettstein
+.TP
+Enjellic Systems Development
+.TP
+Oncology Research Division Computing Facility
+.TP
+Roger Maris Cancer Center
+.TP
+Fargo, ND
+.TP
+greg@wind.enjellic.com
+
+.TP
+Stephen Tweedie
+.TP
+Department of Computer Science
+.TP
+Edinburgh University, Scotland
+.TP
+sct@dcs.ed.ac.uk
+
+.TP
+Juha Virtanen
+.TP
+jiivee@hut.fi
+
+.TP
+Shane Alderton
+.TP
+shane@ion.apana.org.au
+
+.TP
+Martin Schulze
+.TP
+Infodrom Oldenburg
+.TP
+joey@linux.de
+.PD
+.zZ
diff --git a/sysklogd.8 b/sysklogd.8
deleted file mode 100644
index ccf1e654..00000000
--- a/sysklogd.8
+++ /dev/null
@@ -1,607 +0,0 @@
-.\" Copyright 1994 Dr. Greg Wettstein, Enjellic Systems Development.
-.\" May be distributed under the GNU General Public License
-.\" Sun Aug 30 11:35:55 MET: Martin Schulze: Updates
-.\"
-.TH SYSKLOGD 8 "12 October 1998" "Version 1.3" "Linux System Administration"
-.SH NAME
-sysklogd \- Linux system logging utilities.
-.SH SYNOPSIS
-.B syslogd
-.RB [ " \-a "
-.I socket
-]
-.RB [ " \-d " ]
-.RB [ " \-f "
-.I config file
-]
-.RB [ " \-h " ]
-.RB [ " \-l "
-.I hostlist
-]
-.RB [ " \-m "
-.I interval
-]
-.RB [ " \-n " ]
-.RB [ " \-p"
-.IB socket
-]
-.RB [ " \-r " ]
-.RB [ " \-s "
-.I domainlist
-]
-.RB [ " \-v " ]
-.LP
-.SH DESCRIPTION
-.B Sysklogd
-provides two system utilities which provide support for
-system logging and kernel message trapping. Support of both internet and
-unix domain sockets enables this utility package to support both local
-and remote logging.
-
-System logging is provided by a version of
-.BR syslogd (8)
-derived from the
-stock BSD sources. Support for kernel logging is provided by the
-.BR klogd (8)
-utility which allows kernel logging to be conducted in either a
-standalone fashion or as a client of syslogd.
-
-.B Syslogd
-provides a kind of logging that many modern programs use. Every logged
-message contains at least a time and a hostname field, normally a
-program name field, too, but that depends on how trusty the logging
-program is.
-
-While the
-.B syslogd
-sources have been heavily modified a couple of notes
-are in order. First of all there has been a systematic attempt to
-insure that syslogd follows its default, standard BSD behavior.
-The second important concept to note is that this version of syslogd
-interacts transparently with the version of syslog found in the
-standard libraries. If a binary linked to the standard shared
-libraries fails to function correctly we would like an example of the
-anomalous behavior.
- -The main configuration file -.I /etc/syslog.conf -or an alternative file, given with the -.B "\-f" -option, is read at startup. Any lines that begin with the hash mark -(``#'') and empty lines are ignored. If an error occurs during parsing -the whole line is ignored. - -.LP -.SH OPTIONS -.TP -.BI "\-a " "socket" -Using this argument you can specify additional sockets from that -.B syslogd -has to listen to. This is needed if you're going to let some daemon -run within a chroot() environment. You can use up to 19 additional -sockets. If your environment needs even more, you have to increase -the symbol -.B MAXFUNIX -within the syslogd.c source file. An example for a chroot() daemon is -described by the people from OpenBSD at -http://www.psionic.com/papers/dns.html. -.TP -.B "\-d" -Turns on debug mode. Using this the daemon will not proceed a -.BR fork (2) -to set itself in the background, but opposite to that stay in the -foreground and write much debug information on the current tty. See the -DEBUGGING section for more information. -.TP -.BI "\-f " "config file" -Specify an alternative configuration file instead of -.IR /etc/syslog.conf "," -which is the default. -.TP -.BI "\-h " -By default syslogd will not forward messages it receives from remote hosts. -Specifying this switch on the command line will cause the log daemon to -forward any remote messages it receives to forwarding hosts which have been -defined. -.TP -.BI "\-l " "hostlist" -Specify a hostname that should be logged only with its simple hostname -and not the fqdn. Multiple hosts may be specified using the colon -(``:'') separator. -.TP -.BI "\-m " "interval" -The -.B syslogd -logs a mark timestamp regularly. The default -.I interval -between two \fI-- MARK --\fR lines is 20 minutes. This can be changed -with this option. Setting the -.I interval -to zero turns it off entirely. -.TP -.B "\-n" -Avoid auto-backgrounding. 
This is needed especially if the -.B syslogd -is started and controlled by -.BR init (8). -.TP -.BI "\-p " "socket" -You can specify an alternative unix domain socket instead of -.IR /dev/log "." -.TP -.B "\-r" -This option will enable the facility to receive message from the -network using an internet domain socket with the syslog service (see -.BR services (5)). -The default is to not receive any messages from the network. - -This option is introduced in version 1.3 of the sysklogd -package. Please note that the default behavior is the opposite of -how older versions behave, so you might have to turn this on. -.TP -.BI "\-s " "domainlist" -Specify a domainname that should be stripped off before -logging. Multiple domains may be specified using the colon (``:'') -separator. -Please be advised that no sub-domains may be specified but only entire -domains. For example if -.B "\-s north.de" -is specified and the host logging resolves to satu.infodrom.north.de -no domain would be cut, you will have to specify two domains like: -.BR "\-s north.de:infodrom.north.de" . -.TP -.B "\-v" -Print version and exit. -.LP -.SH SIGNALS -.B Syslogd -reacts to a set of signals. You may easily send a signal to -.B syslogd -using the following: -.IP -.nf -kill -SIGNAL `cat /var/run/syslogd.pid` -.fi -.PP -.TP -.B SIGHUP -This lets -.B syslogd -perform a re-initialization. All open files are closed, the -configuration file (default is -.IR /etc/syslog.conf ")" -will be reread and the -.BR syslog (3) -facility is started again. -.TP -.B SIGTERM -The -.B syslogd -will die. -.TP -.BR SIGINT ", " SIGQUIT -If debugging is enabled these are ignored, otherwise -.B syslogd -will die. -.TP -.B SIGUSR1 -Switch debugging on/off. This option can only be used if -.B syslogd -is started with the -.B "\-d" -debug option. -.TP -.B SIGCHLD -Wait for childs if some were born, because of wall'ing messages. 
-.LP -.SH CONFIGURATION FILE SYNTAX DIFFERENCES -.B Syslogd -uses a slightly different syntax for its configuration file than -the original BSD sources. Originally all messages of a specific priority -and above were forwarded to the log file. -.IP -For example the following line caused ALL output from daemons using -the daemon facilities (debug is the lowest priority, so every higher -will also match) to go into -.IR /usr/adm/daemons : -.IP -.nf - # Sample syslog.conf - daemon.debug /usr/adm/daemons -.fi -.PP -Under the new scheme this behavior remains the same. The difference -is the addition of four new specifiers, the asterisk (\fB*\fR) -wildcard, the equation sign (\fB=\fR), the exclamation mark -(\fB!\fR), and the minus sign (\fB-\fR). - -The \fB*\fR specifies that all messages for the -specified facility are to be directed to the destination. Note that -this behavior is degenerate with specifying a priority level of debug. -Users have indicated that the asterisk notation is more intuitive. - -The \fB=\fR wildcard is used to restrict logging to the specified priority -class. This allows, for example, routing only debug messages to a -particular logging source. -.IP -For example the following line in -.I syslog.conf -would direct debug messages from all sources to the -.I /usr/adm/debug -file. -.IP -.nf - # Sample syslog.conf - *.=debug /usr/adm/debug -.fi -.PP -.\" The \fB!\fR as the first character of a priority inverts the above -.\" mentioned interpretation. -The \fB!\fR is used to exclude logging of the specified -priorities. This affects all (!) possibilities of specifying priorities. -.IP -For example the following lines would log all messages of the facility -mail except those with the priority info to the -.I /usr/adm/mail -file. And all messages from news.info (including) to news.crit -(excluding) would be logged to the -.I /usr/adm/news -file. 
-.IP -.nf - # Sample syslog.conf - mail.*;mail.!=info /usr/adm/mail - news.info;news.!crit /usr/adm/news -.fi -.PP -You may use it intuitively as an exception specifier. The above -mentioned interpretation is simply inverted. Doing that you may use - -.nf - mail.none -.fi -or -.nf - mail.!* -.fi -or -.nf - mail.!debug -.fi - -to skip every message that comes with a mail facility. There is much -room to play with it. :-) - -The \fB-\fR may only be used to prefix a filename if you want to omit -sync'ing the file after every write to it. - -This may take some acclimatization for those individuals used to the -pure BSD behavior but testers have indicated that this syntax is -somewhat more flexible than the BSD behavior. Note that these changes -should not affect standard -.BR syslog.conf (5) -files. You must specifically -modify the configuration files to obtain the enhanced behavior. -.LP -.SH SUPPORT FOR REMOTE LOGGING -These modifications provide network support to the syslogd facility. -Network support means that messages can be forwarded from one node -running syslogd to another node running syslogd where they will be -actually logged to a disk file. - -To enable this you have to specify the -.B "\-r" -option on the command line. The default behavior is that -.B syslogd -won't listen to the network. - -The strategy is to have syslogd listen on a unix domain socket for -locally generated log messages. This behavior will allow syslogd to -inter-operate with the syslog found in the standard C library. At the -same time syslogd listens on the standard syslog port for messages -forwarded from other hosts. To have this work correctly the -.BR services (5) -files (typically found in -.IR /etc ) -must have the following -entry: -.IP -.nf - syslog 514/udp -.fi -.PP -If this entry is missing -.B syslogd -neither can receive remote messages nor send them, because the UDP -port cant be opened. Instead -.B syslogd -will die immediately, blowing out an error message. 
- -To cause messages to be forwarded to another host replace -the normal file line in the -.I syslog.conf -file with the name of the host to which the messages is to be sent -prepended with an @. -.IP -For example, to forward -.B ALL -messages to a remote host use the -following -.I syslog.conf -entry: -.IP -.nf - # Sample syslogd configuration file to - # messages to a remote host forward all. - *.* @hostname -.fi - -To forward all \fBkernel\fP messages to a remote host the -configuration file would be as follows: -.IP -.nf - # Sample configuration file to forward all kernel - # messages to a remote host. - kern.* @hostname -.fi -.PP - -If the remote hostname cannot be resolved at startup, because the -name-server might not be accessible (it may be started after syslogd) -you don't have to worry. -.B Syslogd -will retry to resolve the name ten times and then complain. Another -possibility to avoid this is to place the hostname in -.IR /etc/hosts . - -With normal -.BR syslogd s -you would get syslog-loops if you send out messages that were received -from a remote host to the same host (or more complicated to a third -host that sends it back to the first one, and so on). In my domain -(Infodrom Oldenburg) we accidently got one and our disks filled up -with the same single message. :-( - -To avoid this in further times no messages that were received from a -remote host are sent out to another (or the same) remote host -anymore. If there are scenarios where this doesn't make sense, please -drop me (Joey) a line. - -If the remote host is located in the same domain as the host, -.B syslogd -is running on, only the simple hostname will be logged instead of -the whole fqdn. - -In a local network you may provide a central log server to have all -the important information kept on one machine. If the network consists -of different domains you don't have to complain about logging fully -qualified names instead of simple hostnames. 
You may want to use the -strip-domain feature -.B \-s -of this server. You can tell the -.B syslogd -to strip off several domains other than the one the server is located -in and only log simple hostnames. - -Using the -.B \-l -option there's also a possibility to define single hosts as local -machines. This, too, results in logging only their simple hostnames -and not the fqdns. - -The UDP socket used to forward messages to remote hosts or to receive -messages from them is only opened when it is needed. In releases -prior to 1.3-23 it was opened every time but not opened for reading or -forwarding respectively. - -.SH OUTPUT TO NAMED PIPES (FIFOs) -This version of syslogd has support for logging output to named pipes -(fifos). A fifo or named pipe can be used as a destination for log -messages by prepending a pipy symbol (``|'') to the name of the -file. This is handy for debugging. Note that the fifo must be created -with the mkfifo command before syslogd is started. -.IP -The following configuration file routes debug messages from the -kernel to a fifo: -.IP -.nf - # Sample configuration to route kernel debugging - # messages ONLY to /usr/adm/debug which is a - # named pipe. - kern.=debug |/usr/adm/debug -.fi -.LP -.SH INSTALLATION CONCERNS -There is probably one important consideration when installing this -version of syslogd. This version of syslogd is dependent on proper -formatting of messages by the syslog function. The functioning of the -syslog function in the shared libraries changed somewhere in the -region of libc.so.4.[2-4].n. The specific change was to -null-terminate the message before transmitting it to the -.I /dev/log -socket. Proper functioning of this version of syslogd is dependent on -null-termination of the message. - -This problem will typically manifest itself if old statically linked -binaries are being used on the system. 
Binaries using old versions of -the syslog function will cause empty lines to be logged followed by -the message with the first character in the message removed. -Relinking these binaries to newer versions of the shared libraries -will correct this problem. - -Both the -.BR syslogd "(8) and the " klogd (8) -can either be run from -.BR init (8) -or started as part of the rc.* -sequence. If it is started from init the option \fI\-n\fR must be set, -otherwise you'll get tons of syslog daemons started. This is because -.BR init (8) -depends on the process ID. -.LP -.SH SECURITY THREATS -There is the potential for the syslogd daemon to be -used as a conduit for a denial of service attack. Thanks go to John -Morrison (jmorriso@rflab.ee.ubc.ca) for alerting me to this potential. -A rogue program(mer) could very easily flood the syslogd daemon with -syslog messages resulting in the log files consuming all the remaining -space on the filesystem. Activating logging over the inet domain -sockets will of course expose a system to risks outside of programs or -individuals on the local machine. - -There are a number of methods of protecting a machine: -.IP 1. -Implement kernel firewalling to limit which hosts or networks have -access to the 514/UDP socket. -.IP 2. -Logging can be directed to an isolated or non-root filesystem which, -if filled, will not impair the machine. -.IP 3. -The ext2 filesystem can be used which can be configured to limit a -certain percentage of a filesystem to usage by root only. \fBNOTE\fP -that this will require syslogd to be run as a non-root process. -\fBALSO NOTE\fP that this will prevent usage of remote logging since -syslogd will be unable to bind to the 514/UDP socket. -.IP 4. -Disabling inet domain sockets will limit risk to the local machine. -.IP 5. -Use step 4 and if the problem persists and is not secondary to a rogue -program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* -and have a chat with the user in question. 
- -Sucker rod def. \(em 3/4, 7/8 or 1in. hardened steel rod, male -threaded on each end. Primary use in the oil industry in Western -North Dakota and other locations to pump 'suck' oil from oil wells. -Secondary uses are for the construction of cattle feed lots and for -dealing with the occasional recalcitrant or belligerent individual. -.LP -.SH DEBUGGING -When debugging is turned on using -.B "\-d" -option then -.B syslogd -will be very verbose by writing much of what it does on stdout. Whenever -the configuration file is reread and re-parsed you'll see a tabular, -corresponding to the internal data structure. This tabular consists of -four fields: -.TP -.I number -This field contains a serial number starting by zero. This number -represents the position in the internal data structure (i.e. the -array). If one number is left out then there might be an error in the -corresponding line in -.IR /etc/syslog.conf . -.TP -.I pattern -This field is tricky and represents the internal structure -exactly. Every column stands for a facility (refer to -.BR syslog (3)). -As you can see, there are still some facilities left free for former -use, only the left most are used. Every field in a column represents -the priorities (refer to -.BR syslog (3)). -.TP -.I action -This field describes the particular action that takes place whenever a -message is received that matches the pattern. Refer to the -.BR syslog.conf (5) -manpage for all possible actions. -.TP -.I arguments -This field shows additional arguments to the actions in the last -field. For file-logging this is the filename for the logfile; for -user-logging this is a list of users; for remote logging this is the -hostname of the machine to log to; for console-logging this is the -used console; for tty-logging this is the specified tty; wall has no -additional arguments. -.SH FILES -.PD 0 -.TP -.I /etc/syslog.conf -Configuration file for -.BR syslogd . -See -.BR syslog.conf (5) -for exact information. 
-.TP
-.I /dev/log
-The Unix domain socket to from where local syslog messages are read.
-.TP
-.I /var/run/syslogd.pid
-The file containing the process id of
-.BR syslogd .
-.PD
-.SH BUGS
-If an error occurs in one line the whole rule is ignored.
-
-.B Syslogd
-doesn't change the filemode of opened logfiles at any stage of
-process. If a file is created it is world readable. If you want to
-avoid this, you have to create it and change permissions on your own.
-This could be done in combination with rotating logfiles using the
-.BR savelog (8)
-program that is shipped in the
-.B smail
-3.x distribution. Remember that it might be a security hole if
-everybody is able to read auth.* messages as these might contain
-passwords.
-.LP
-.SH SEE ALSO
-.BR syslog.conf (5),
-.BR klogd (8),
-.BR logger (1),
-.BR syslog (2),
-.BR syslog (3),
-.BR services (5),
-.BR savelog (8)
-.LP
-.SH COLLABORATORS
-.B Syslogd
-is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com)
-performed the port to Linux, Martin Schulze (joey@linux.de)
-fixed some bugs and added several new features.
-.B Klogd
-was originally written by Steve Lord (lord@cray.com), Greg Wettstein
-made major improvements.
-
-.PD 0
-.TP
-Dr. Greg Wettstein
-.TP
-Enjellic Systems Development
-.TP
-Oncology Research Division Computing Facility
-.TP
-Roger Maris Cancer Center
-.TP
-Fargo, ND
-.TP
-greg@wind.enjellic.com
-
-.TP
-Stephen Tweedie
-.TP
-Department of Computer Science
-.TP
-Edinburgh University, Scotland
-.TP
-sct@dcs.ed.ac.uk
-
-.TP
-Juha Virtanen
-.TP
-jiivee@hut.fi
-
-.TP
-Shane Alderton
-.TP
-shane@ion.apana.org.au
-
-.TP
-Martin Schulze
-.TP
-Infodrom Oldenburg
-.TP
-joey@linux.de
-.PD
-.zZ
diff --git a/syslog.conf.5 b/syslog.conf.5
deleted file mode 100644
index 7f40c1cb..00000000
--- a/syslog.conf.5
+++ /dev/null
@@ -1,397 +0,0 @@ -.\" syslog.conf - syslogd(8) configuration file -.\" Copyright (c) 1995 Martin Schulze -.\" -.\" This file is part of the sysklogd package, a kernel and system log daemon. -.\" -.\" This program is free software; you can redistribute it and/or modify -.\" it under the terms of the GNU General Public License as published by -.\" the Free Software Foundation; either version 2 of the License, or -.\" (at your option) any later version. -.\" -.\" This program is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public License -.\" along with this program; if not, write to the Free Software -.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. -.\" -.TH SYSLOG.CONF 5 "1 January 1998" "Version 1.3" "Linux System Administration" -.SH NAME -syslog.conf \- syslogd(8) configuration file -.SH DESCRIPTION -The -.I syslog.conf -file is the main configuration file for the -.BR syslogd (8) -which logs system messages on *nix systems. This file specifies rules -for logging. For special features see the -.BR sysklogd (8) -manpage. - -Every rule consists of two fields, a -.I selector -field and an -.I action -field. These two fields are separated by one or more spaces or -tabs. The selector field specifies a pattern of facilities and -priorities belonging to the specified action. - -Lines starting with a hash mark (``#'') and empty lines are ignored. - -This release of -.B syslogd -is able to understand an extended syntax. One rule can be divided -into several lines if the leading line is terminated with an backslash -(``\\''). - -.SH SELECTORS -The selector field itself again consists of two parts, a -.I facility -and a -.IR priority , -separated by a period (``.''). 
-Both parts are case insensitive and can also be specified as decimal -numbers, but don't do that, you have been warned. Both facilities and -priorities are described in -.BR syslog (3). -The names mentioned below correspond to the similar -.BR LOG_ -values -in -.IR /usr/include/syslog.h . - -The -.I facility -is one of the following keywords: -.BR auth ", " authpriv ", " cron ", " daemon ", " kern ", " lpr ", " -.BR mail ", " mark ", " news ", " security " (same as " auth "), " -.BR syslog ", " user ", " uucp " and " local0 " through " local7 . -The keyword -.B security -should not be used anymore and -.B mark -is only for internal use and therefore should not be used in -applications. Anyway, you may want to specify and redirect these -messages here. The -.I facility -specifies the subsystem that produced the message, i.e. all mail -programs log with the mail facility -.BR "" ( LOG_MAIL ) -if they log using syslog. - -The -.I priority -is one of the following keywords, in ascending order: -.BR debug ", " info ", " notice ", " warning ", " warn " (same as " -.BR warning "), " err ", " error " (same as " err "), " crit ", " -.BR alert ", " emerg ", " panic " (same as " emerg ). -The keywords -.BR error ", " warn " and " panic -are deprecated and should not be used anymore. The -.I priority -defines the severity of the message - -The behavior of the original BSD syslogd is that all messages of the -specified priority and higher are logged according to the given -action. This -.BR syslogd (8) -behaves the same, but has some extensions. - -In addition to the above mentioned names the -.BR syslogd (8) -understands the following extensions: An asterisk (``*'') stands for -all facilities or all priorities, depending on where it is used -(before or after the period). The keyword -.B none -stands for no priority of the given facility. - -You can specify multiple facilities with the same priority pattern in -one statement using the comma (``,'') operator. 
You may specify as -much facilities as you want. Remember that only the facility part from -such a statement is taken, a priority part would be skipped. - -Multiple selectors may be specified for a single -.I action -using the semicolon (``;'') separator. Remember that each selector in -the -.I selector -field is capable to overwrite the preceding ones. Using this -behavior you can exclude some priorities from the pattern. - -This -.BR syslogd (8) -has a syntax extension to the original BSD source, that makes its use -more intuitively. You may precede every priority with an equation sign -(``='') to specify only this single priority and not any of the -above. You may also (both is valid, too) precede the priority with an -exclamation mark (``!'') to ignore all that priorities, either exact -this one or this and any higher priority. If you use both extensions -than the exclamation mark must occur before the equation sign, just -use it intuitively. - -.SH ACTIONS -The action field of a rule describes the abstract term -``logfile''. A ``logfile'' need not to be a real file, btw. The -.BR syslogd (8) -provides the following actions. - -.SS Regular File -Typically messages are logged to real files. The file has to be -specified with full pathname, beginning with a slash ``/''. - -You may prefix each entry with the minus ``-'' sign to omit syncing -the file after every logging. Note that you might lose information if -the system crashes right behind a write attempt. Nevertheless this -might give you back some performance, especially if you run programs -that use logging in a very verbose manner. - -.SS Named Pipes -This version of -.BR syslogd (8) -has support for logging output to -named pipes (fifos). A fifo or named pipe can be used as -a destination for log messages by prepending a pipe symbol (``|'') to -the name of the file. This is handy for debugging. Note that the fifo -must be created with the -.BR mkfifo (1) -command before -.BR syslogd (8) -is started. 
- -.SS Terminal and Console -If the file you specified is a tty, special tty-handling is done, same -with -.IR /dev/console . - -.SS Remote Machine -This -.BR syslogd (8) -provides full remote logging, i.e. is able to send messages to a -remote host running -.BR syslogd (8) -and to receive messages from remote hosts. The remote -host won't forward the message again, it will just log them -locally. To forward messages to another host, prepend the hostname -with the at sign (``@''). - -Using this feature you're able to control all syslog messages on one -host, if all other machines will log remotely to that. This tears down -administration needs. - -.SS List of Users -Usually critical messages are also directed to ``root'' on that -machine. You can specify a list of users that shall get the message by -simply writing the login. You may specify more than one user by -separating them with commas (``,''). If they're logged in they -get the message. Don't think a mail would be sent, that might be too -late. - -.SS Everyone logged on -Emergency messages often go to all users currently online to notify -them that something strange is happening with the system. To specify -this -.IR wall (1)-feature -use an asterisk (``*''). - -.SH EXAMPLES -Here are some example, partially taken from a real existing site and -configuration. Hopefully they rub out all questions to the -configuration, if not, drop me (Joey) a line. -.IP -.nf -# Store critical stuff in critical -# -*.=crit;kern.none /var/adm/critical -.fi -.LP -This will store all messages with the priority -.B crit -in the file -.IR /var/adm/critical , -except for any kernel message. 
- -.IP -.nf -# Kernel messages are first, stored in the kernel -# file, critical messages and higher ones also go -# to another host and to the console -# -kern.* /var/adm/kernel -kern.crit @finlandia -kern.crit /dev/console -kern.info;kern.!err /var/adm/kernel-info -.fi -.LP -The first rule direct any message that has the kernel facility to the -file -.IR /var/adm/kernel . - -The second statement directs all kernel messages of the priority -.B crit -and higher to the remote host finlandia. This is useful, because if -the host crashes and the disks get irreparable errors you might not be -able to read the stored messages. If they're on a remote host, too, -you still can try to find out the reason for the crash. - -The third rule directs these messages to the actual console, so the -person who works on the machine will get them, too. - -The fourth line tells the syslogd to save all kernel messages that -come with priorities from -.BR info " up to " warning -in the file -.IR /var/adm/kernel-info . -Everything from -.I err -and higher is excluded. - -.IP -.nf -# The tcp wrapper loggs with mail.info, we display -# all the connections on tty12 -# -mail.=info /dev/tty12 -.fi -.LP -This directs all messages that uses -.BR mail.info " (in source " LOG_MAIL " | " LOG_INFO ) -to -.IR /dev/tty12 , -the 12th console. For example the tcpwrapper -.BR tcpd (8) -uses this as it's default. - -.IP -.nf -# Store all mail concerning stuff in a file -# -mail.*;mail.!=info /var/adm/mail -.fi -.LP -This pattern matches all messages that come with the -.B mail -facility, except for the -.B info -priority. These will be stored in the file -.IR /var/adm/mail . - -.IP -.nf -# Log all mail.info and news.info messages to info -# -mail,news.=info /var/adm/info -.fi -.LP -This will extract all messages that come either with -.BR mail.info " or with " news.info -and store them in the file -.IR /var/adm/info . 
- -.IP -.nf -# Log info and notice messages to messages file -# -*.=info;*.=notice;\\ - mail.none /var/log/messages -.fi -.LP -This lets the -.B syslogd -log all messages that come with either the -.BR info " or the " notice -facility into the file -.IR /var/log/messages , -except for all messages that use the -.B mail -facility. - -.IP -.nf -# Log info messages to messages file -# -*.=info;\\ - mail,news.none /var/log/messages -.fi -.LP -This statement causes the -.B syslogd -to log all messages that come with the -.B info -priority to the file -.IR /var/log/messages . -But any message coming either with the -.BR mail " or the " news -facility will not be stored. - -.IP -.nf -# Emergency messages will be displayed using wall -# -*.=emerg * -.fi -.LP -This rule tells the -.B syslogd -to write all emergency messages to all currently logged in users. This -is the wall action. - -.IP -.nf -# Messages of the priority alert will be directed -# to the operator -# -*.alert root,joey -.fi -.LP -This rule directs all messages with a priority of -.B alert -or higher to the terminals of the operator, i.e. of the users ``root'' -and ``joey'' if they're logged in. - -.IP -.nf -*.* @finlandia -.fi -.LP -This rule would redirect all messages to a remote host called -finlandia. This is useful especially in a cluster of machines where -all syslog messages will be stored on only one machine. - -.SH CONFIGURATION FILE SYNTAX DIFFERENCES -.B Syslogd -uses a slightly different syntax for its configuration file than -the original BSD sources. Originally all messages of a specific priority -and above were forwarded to the log file. The modifiers ``='', ``!'' -and ``-'' were added to make the -.B syslogd -more flexible and to use it in a more intuitive manner. - -The original BSD syslogd doesn't understand spaces as separators between -the selector and the action field. 
-.SH FILES -.PD 0 -.TP -.I /etc/syslog.conf -Configuration file for -.B syslogd - -.SH BUGS -The effects of multiple selectors are sometimes not intuitive. For -example ``mail.crit,*.err'' will select ``mail'' facility messages at -the level of ``err'' or higher, not at the level of ``crit'' or -higher. - -.SH SEE ALSO -.BR sysklogd (8), -.BR klogd (8), -.BR logger (1), -.BR syslog (2), -.BR syslog (3) - -.SH AUTHORS -The -.B syslogd -is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) -performed the port to Linux, Martin Schulze (joey@linux.de) -made some bugfixes and added some new features. diff --git a/syslogd.8 b/syslogd.8 deleted file mode 100644 index d5ef84b6..00000000 --- a/syslogd.8 +++ /dev/null @@ -1 +0,0 @@ -.so man8/sysklogd.8 diff --git a/syslogd.c b/syslogd.c index 85969c1f..191fd2bf 100644 --- a/syslogd.c +++ b/syslogd.c @@ -61,7 +61,7 @@ * This license applies to the new code not in sysklogd: * * rsyslog - An Enhanced syslogd Replacement. - * Copyright 2003-2004 Rainer Gerhards and Adiscon GmbH. + * Copyright 2003-2005 Rainer Gerhards and Adiscon GmbH. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License -- cgit v1.2.3