1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
|
SYSLOG.CONF(5) Linux System Administration SYSLOG.CONF(5)
NAME
syslog.conf - syslogd(8) configuration file
DESCRIPTION
The syslog.conf file is the main configuration file for the syslogd(8) which logs system
messages on *nix systems. This file specifies rules for logging. For special features
see the sysklogd(8) manpage.
Every rule consists of two fields, a selector field and an action field. These two fields
are separated by one or more spaces or tabs. The selector field specifies a pattern of
facilities and priorities belonging to the specified action.
Lines starting with a hash mark (``#'') and empty lines are ignored.
This release of syslogd is able to understand an extended syntax. One rule can be divided
into several lines if the leading line is terminated with an backslash (``\'').
SELECTORS
The selector field itself again consists of two parts, a facility and a priority, sepa-
rated by a period (``.''). Both parts are case insensitive and can also be specified as
decimal numbers, but don't do that, you have been warned. Both facilities and priorities
are described in syslog(3). The names mentioned below correspond to the similar LOG_-val-
ues in /usr/include/syslog.h.
The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr,
mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.
The keyword security should not be used anymore and mark is only for internal use and
therefore should not be used in applications. Anyway, you may want to specify and redi-
rect these messages here. The facility specifies the subsystem that produced the message,
i.e. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.
The priority is one of the following keywords, in ascending order: debug, info, notice,
warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same
as emerg). The keywords error, warn and panic are deprecated and should not be used any-
more. The priority defines the severity of the message
The behavior of the original BSD syslogd is that all messages of the specified priority
and higher are logged according to the given action. This syslogd(8) behaves the same,
but has some extensions.
In addition to the above mentioned names the syslogd(8) understands the following exten-
sions: An asterisk (``*'') stands for all facilities or all priorities, depending on where
it is used (before or after the period). The keyword none stands for no priority of the
given facility.
You can specify multiple facilities with the same priority pattern in one statement using
the comma (``,'') operator. You may specify as much facilities as you want. Remember
that only the facility part from such a statement is taken, a priority part would be
skipped.
Multiple selectors may be specified for a single action using the semicolon (``;'') sepa-
rator. Remember that each selector in the selector field is capable to overwrite the pre-
ceding ones. Using this behavior you can exclude some priorities from the pattern.
This syslogd(8) has a syntax extension to the original BSD source, that makes its use more
intuitively. You may precede every priority with an equation sign (``='') to specify only
this single priority and not any of the above. You may also (both is valid, too) precede
the priority with an exclamation mark (``!'') to ignore all that priorities, either exact
this one or this and any higher priority. If you use both extensions than the exclamation
mark must occur before the equation sign, just use it intuitively.
ACTIONS
The action field of a rule describes the abstract term ``logfile''. A ``logfile'' need
not to be a real file, btw. The syslogd(8) provides the following actions.
Regular File
Typically messages are logged to real files. The file has to be specified with full path-
name, beginning with a slash ``/''.
You may prefix each entry with the minus ``-'' sign to omit syncing the file after every
logging. Note that you might lose information if the system crashes right behind a write
attempt. Nevertheless this might give you back some performance, especially if you run
programs that use logging in a very verbose manner.
Named Pipes
This version of syslogd(8) has support for logging output to named pipes (fifos). A fifo
or named pipe can be used as a destination for log messages by prepending a pipe symbol
(``|'') to the name of the file. This is handy for debugging. Note that the fifo must be
created with the mkfifo(1) command before syslogd(8) is started.
Terminal and Console
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
Remote Machine
This syslogd(8) provides full remote logging, i.e. is able to send messages to a remote
host running syslogd(8) and to receive messages from remote hosts. The remote host won't
forward the message again, it will just log them locally. To forward messages to another
host, prepend the hostname with the at sign (``@'').
Using this feature you're able to control all syslog messages on one host, if all other
machines will log remotely to that. This tears down administration needs.
List of Users
Usually critical messages are also directed to ``root'' on that machine. You can specify
a list of users that shall get the message by simply writing the login. You may specify
more than one user by separating them with commas (``,''). If they're logged in they get
the message. Don't think a mail would be sent, that might be too late.
Everyone logged on
Emergency messages often go to all users currently online to notify them that something
strange is happening with the system. To specify this wall(1)-feature use an asterisk
(``*'').
EXAMPLES
Here are some example, partially taken from a real existing site and configuration. Hope-
fully they rub out all questions to the configuration, if not, drop me (Joey) a line.
# Store critical stuff in critical
#
*.=crit;kern.none /var/adm/critical
This will store all messages with the priority crit in the file /var/adm/critical, except
for any kernel message.
# Kernel messages are first, stored in the kernel
# file, critical messages and higher ones also go
# to another host and to the console
#
kern.* /var/adm/kernel
kern.crit @finlandia
kern.crit /dev/console
kern.info;kern.!err /var/adm/kernel-info
The first rule direct any message that has the kernel facility to the file /var/adm/ker-
nel.
The second statement directs all kernel messages of the priority crit and higher to the
remote host finlandia. This is useful, because if the host crashes and the disks get ir-
reparable errors you might not be able to read the stored messages. If they're on a re-
mote host, too, you still can try to find out the reason for the crash.
The third rule directs these messages to the actual console, so the person who works on
the machine will get them, too.
The fourth line tells the syslogd to save all kernel messages that come with priorities
from info up to warning in the file /var/adm/kernel-info. Everything from err and higher
is excluded.
# The tcp wrapper loggs with mail.info, we display
# all the connections on tty12
#
mail.=info /dev/tty12
This directs all messages that uses mail.info (in source LOG_MAIL | LOG_INFO) to
/dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as it's de-
fault.
# Store all mail concerning stuff in a file
#
mail.*;mail.!=info /var/adm/mail
This pattern matches all messages that come with the mail facility, except for the info
priority. These will be stored in the file /var/adm/mail.
# Log all mail.info and news.info messages to info
#
mail,news.=info /var/adm/info
This will extract all messages that come either with mail.info or with news.info and store
them in the file /var/adm/info.
# Log info and notice messages to messages file
#
*.=info;*.=notice;\
mail.none /var/log/messages
This lets the syslogd log all messages that come with either the info or the notice facil-
ity into the file /var/log/messages, except for all messages that use the mail facility.
# Log info messages to messages file
#
*.=info;\
mail,news.none /var/log/messages
This statement causes the syslogd to log all messages that come with the info priority to
the file /var/log/messages. But any message coming either with the mail or the news fa-
cility will not be stored.
# Emergency messages will be displayed using wall
#
*.=emerg *
This rule tells the syslogd to write all emergency messages to all currently logged in
users. This is the wall action.
# Messages of the priority alert will be directed
# to the operator
#
*.alert root,joey
This rule directs all messages with a priority of alert or higher to the terminals of the
operator, i.e. of the users ``root'' and ``joey'' if they're logged in.
*.* @finlandia
This rule would redirect all messages to a remote host called finlandia. This is useful
especially in a cluster of machines where all syslog messages will be stored on only one
machine.
CONFIGURATION FILE SYNTAX DIFFERENCES
Syslogd uses a slightly different syntax for its configuration file than the original BSD
sources. Originally all messages of a specific priority and above were forwarded to the
log file. The modifiers ``='', ``!'' and ``-'' were added to make the syslogd more flex-
ible and to use it in a more intuitive manner.
The original BSD syslogd doesn't understand spaces as separators between the selector and
the action field.
FILES
/etc/syslog.conf
Configuration file for syslogd
BUGS
The effects of multiple selectors are sometimes not intuitive. For example
``mail.crit,*.err'' will select ``mail'' facility messages at the level of ``err'' or
higher, not at the level of ``crit'' or higher.
SEE ALSO
sysklogd(8), klogd(8), logger(1), syslog(2), syslog(3)
AUTHORS
The syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjellic.com) performed
the port to Linux, Martin Schulze (joey@linux.de) made some bugfixes and added some new
features.
Version 1.3 1 January 1998 SYSLOG.CONF(5)
|
