syslogd(8)
NAME
syslogd - Logs system messages
SYNOPSIS
/usr/sbin/syslogd [-b rcv-buf-size] [-d] [-e] [-E] [-f cfg-file] [-m
mk-interval] [-p path] [-r] [-R] [-s]
OPTIONS
-b rcv-buf-size
    Specifies the size in Kbytes of the socket receive buffer. The
    default and maximum is 128 Kb. If you attempt to specify a larger
    size buffer it is automatically reduced to 128 Kb. Setting the
    buffer to a small value could result in messages being lost during
    periods of high logging activity.
-d
    Turns on the debugging feature.
-e
    Specifies that events are to be posted to the Event Manager, EVM.
    This is the default behavior and the syslogd daemon always restarts
    in event forwarding mode unless you specify the -E option.
-E
    Turns off the default posting of events to the Event Manager, EVM.
-f cfg-file
    Specifies an alternate configuration file.
-m mk-interval
    Specifies the mark interval.
-p path
    Specifies the pathname of the UNIX domain socket to be used in
    making connections to the syslogd daemon. The default is /dev/log.
    You should not change this default in normal operation because the
    client functions syslog and openlog. See syslog(3) and openlog(3)
    reference pages.
-r
    Allows the syslogd daemon to create an inet port for remote access.
    This is the default behavior. Use the -R option to prevent the
    syslogd daemon from creating an inet port. If you specify the -r
    and -R options together, the last one specified takes precedence.
-R
    Prevents the syslogd daemon from creating an inet port. Using the
    -R option prevents all remote access. Remote systems cannot send
    messages to be logged locally, and the local daemon cannot send
    messages to be logged remotely. If you specify the -r and -R
    options together, the last one specified takes precedence.
-s
    Disables the posting of events to the console.
DESCRIPTION
The syslogd daemon reads and logs messages to a set of files described
in the /etc/syslog.conf configuration file.
Each message logged consists of one line. A message can contain a
priority code, marked by a number in angle braces at the beginning of
the line. Priorities are defined in the /usr/include/sys/syslog_pri.h
file.
The syslogd daemon reads from the domain socket /dev/log, from an
Internet domain socket specified in /etc/services, and from the special
device /dev/klog, which reads kernel messages. The syslogd daemon
configures itself when it starts up and when it receives a hangup
(SIGHUP) signal. To reconfigure the daemon, use the ps command to
identify the daemon's process identifier (PID) and then use the
following command:
    # kill -HUP pid
(The PID of the daemon is also recorded in /var/run/syslog.pid.) This
command causes the daemon to read the revised configuration file.
The /etc/syslog.conf file contains entries that specify the facility
(the part of the system that generated the error), the error message
severity level, and the destination to which the syslogd daemon sends
the messages. Each line of the /etc/syslog.conf file contains an
entry.
The following is an example of an /etc/syslog.conf file:
    #
    # syslogd config file
    #
    # facilities: kern user mail daemon auth syslog lpr binary
    # priorities: emerg alert crit err warning notice info debug
    kern.debug              /var/adm/syslog/kern.log
    user.debug              /var/adm/syslog/user.log
    daemon.debug            /var/adm/syslog/daemon.log
    auth.debug              /var/adm/syslog/auth.log
    syslog.debug            /var/adm/syslog/syslog.log
    mail,lpr.debug          /var/adm/syslog/misc.log
    binary.err              /var/adm/binary.errlog
    msgbuf.err              /var/adm/crash/msgbuf.savecore
    kern.debug              /var/adm/messages
    kern.debug              /dev/console
    *.emerg                 *
The facility and its severity level must be separated by a period (.).
You can specify more than one facility on a line by separating them
with commas. You can specify more than one facility and severity level
on a line by separating them with semicolons.
The facility and its severity level must be separated from the
destination by one or more tab characters or spaces.
If you specify an asterisk (*) for a facility, messages generated by
all parts of the system are logged. All messages of the specified level
and of a greater severity are logged. Blank lines and lines beginning
with # (number sign) are ignored.
For example:
*.emerg;mail,daemon.crit /var/adm/syslog/misc.log
This line logs all facilities at the emerg level (and higher) and the
mail and daemon facilities at the crit (or higher) level to the
/var/adm/syslog/misc.log destination file.
Known facilities and levels recognized by the syslogd daemon are those
listed in /usr/include/sys/syslog_pri.h without the leading LOG_. The
additional facility mark has a message at priority LOG_INFO sent to it
every 20 minutes (this may be changed with the -m option). The mark
facility is not enabled by a facility field containing an * (asterisk).
The level none may be used to disable a particular facility. For
example:
*.debug;mail.none /var/adm/syslog/misc.log
The previous entry sends all messages except mail messages to the
/var/adm/syslog/misc.log file.
There are four possibilities for the message destination:
    A filename that begins with a leading / (slash). The syslogd daemon will open the file in append mode.
    A hostname preceded by an @ (at sign). Selected messages are forwarded to the syslogd daemon on the named host.
    A comma separated list of users. Selected messages are written to those users if they are logged in.
    An * (asterisk). Selected messages are written to all users who are logged in.
For example:
    kern,mark.debug         /dev/console
    *.notice;mail.info      /var/adm/syslog/mail
    *.crit                  /var/adm/syslog/critical
    kern.err                @ucbarpa
    *.emerg                 *
    *.alert                 eric,kridle
    *.alert;auth.warning    ralph
The preceding configuration file logs messages as follows:
    Logs all kernel messages and 20 minute marks onto the system console.
    Logs all notice (or higher) level messages and all mail system messages except debug messages into the file /var/adm/syslog/mail.
    Logs all critical messages into the /var/adm/syslog/critical file.
    Forwards kernel messages of error severity or higher to ucbarpa.
    Informs all users of any emergency messages, informs users eric and kridle of any alert messages, and informs user ralph of any alert message or any warning message (or higher) from the authorization system.
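The selector rules above can be checked before a configuration is deployed, for instance to confirm where auth messages will actually land. The following Python sketch is an added example, not part of the original reference page or of syslogd itself; it assumes selectors on a line are applied left to right with later ones overriding earlier ones (which is what makes the none example work), and the function names are hypothetical.

```python
import re

# Levels in the order the page's sample file lists them, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NONE = -1  # threshold for the level "none": nothing is logged

def parse_rule(line):
    """Return (thresholds, wildcard, destination) for one entry, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank lines and comment lines are ignored
    selectors, dest = re.split(r"[ \t]+", line, maxsplit=1)
    thresholds, wildcard = {}, NONE
    for selector in selectors.split(";"):
        facilities, level = selector.rsplit(".", 1)
        rank = NONE if level == "none" else LEVELS.index(level)
        for fac in facilities.split(","):
            if fac == "*":
                # Assumption: '*' replaces earlier settings on the line,
                # except for mark, which '*' never covers.
                thresholds = {k: v for k, v in thresholds.items() if k == "mark"}
                wildcard = rank
            else:
                thresholds[fac] = rank
    return thresholds, wildcard, dest

def destinations(conf_text, facility, level):
    """List the destinations that receive a facility.level message."""
    sev = LEVELS.index(level)
    hits = []
    for line in conf_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        thresholds, wildcard, dest = rule
        default = NONE if facility == "mark" else wildcard
        if sev <= thresholds.get(facility, default):  # lower index = more severe
            hits.append(dest)
    return hits

# The page's second example file, retyped with tab separators.
PAGE_EXAMPLE = "\n".join([
    "kern,mark.debug\t/dev/console",
    "*.notice;mail.info\t/var/adm/syslog/mail",
    "*.crit\t/var/adm/syslog/critical",
    "kern.err\t@ucbarpa",
    "*.emerg\t*",
    "*.alert\teric,kridle",
    "*.alert;auth.warning\tralph",
])
```

Calling destinations(PAGE_EXAMPLE, "auth", "warning") shows that an auth warning reaches both the mail file and user ralph.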
Destinations for logged messages can be specified with full pathnames
that begin with a leading / (slash). The syslogd daemon then opens the
specified file(s) in append mode. If the pathname to a syslogd daemon
log file is specified in the syslog.conf file as
/var/adm/syslog.dated/file, the syslogd daemon inserts a date
directory directly above file in the directory structure, and thus
produces a day-by-day account of the messages received. Typically, you
will want to divert messages separately, according to facility, into
files such as kern.log, mail.log, lpr.log, and debug.log. The file
/var/adm/syslog.dated/current is a link to the most recent log file
directory.
If some pathname other than /var/adm/syslog.dated/file is specified as
the pathname to the logfile, the syslogd daemon does not create the
daily date directory. For example, if you specify
/var/adm/syslog/mail.log (without the suffix after syslog), the syslogd
daemon simply logs messages to the mail.log file and allows this file
to grow indefinitely.
The syslogd daemon can recover the messages in the kernel syslog buffer
that were not logged to the files specified in the /etc/syslog.conf
file because a system crash occurred. The savecore command copies the
buffer recovered from the dump to the file specified in the
"msgbuf.err" entry in the /etc/syslog.conf file. When the syslogd
daemon starts up, it looks for this file and, if it exists, processes
and then deletes the file.
Configuration
The syslogd daemon acts as a central routing facility for messages
whose formats are determined by the programs that produce them.
The syslogd daemon creates the /var/run/syslog.pid file if possible.
The file contains a single line with its process ID. This can be used
to kill or reconfigure the syslogd daemon. For example, if you modify
the syslog.conf file and you want to implement the changes, use the
following command:
# kill -HUP `cat /var/run/syslog.pid`
If a syslog.conf configuration file does not exist, the syslogd daemon
uses the following defaults:
    *.ERR                   /dev/console
    *.PANIC                 *
The defaults log all error messages to the console and all panic
messages (from the kernel) to all logged-in users. No files are written.
To turn off printing of syslog messages to the console, please refer to
the syslog(1) reference page.
Remote Message Forwarding
The syslog has a remote message forwarding function. As a security
feature, this capability is turned off by default. If you intend to
configure other hosts to forward syslog messages to a local host, use
the su command to become superuser (root) and manually create the
/etc/syslog.auth file using a text editor on the local host.
The /etc/syslog.auth file specifies which remote hosts are allowed to
forward syslog messages to the local host. Unless the domain host name
of a remote host is given in the local /etc/syslog.auth file, the local
host will not log any messages from that remote host. Note that if no
/etc/syslog.auth file exists on the local host, then any remote hosts
that can establish a network connection will be able to log messages.
See the syslog.auth(4) reference page for information.
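Because a missing /etc/syslog.auth file leaves the inet port open to any host, it is worth checking the daemon's flags and the file together. The following Python sketch is an added example, not part of the original reference page; the function names are hypothetical, and it assumes syslog.auth holds one host name per line with # comment lines (the format is documented in syslog.auth(4), not here).

```python
VALUE_FLAGS = {"-b", "-f", "-m", "-p"}  # flags that consume the next argument

def inet_port_enabled(argv):
    """Apply the page's rule: -r is the default, the last of -r/-R wins."""
    enabled = True
    args = iter(argv)
    for arg in args:
        if arg in VALUE_FLAGS:
            next(args, None)  # skip the flag's value
        elif arg == "-r":
            enabled = True
        elif arg == "-R":
            enabled = False
    return enabled

def remote_posture(argv, auth_text):
    """Classify remote logging exposure.

    argv is the syslogd argument list; auth_text is the content of
    /etc/syslog.auth, or None when the file does not exist.
    """
    if not inet_port_enabled(argv):
        return ("closed", [])
    if auth_text is None:
        # No file: any host that can establish a connection may log.
        return ("open", [])
    # Assumed format: one host name per line, '#' starts a comment line.
    hosts = [line.strip() for line in auth_text.splitlines()
             if line.strip() and not line.strip().startswith("#")]
    return ("restricted", hosts)

def accepts_from(argv, auth_text, sender):
    """True if messages from the host named sender would be logged."""
    state, hosts = remote_posture(argv, auth_text)
    if state == "open":
        return True
    return state == "restricted" and sender.lower() in [h.lower() for h in hosts]
```

An "open" result is the case to alert on: the port is enabled and no allow list exists.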
Event Management
By default, the syslogd daemon initializes with the -e option, and its
events are forwarded to the Event Management utility (EVM). If the
syslogd daemon is restarted, event forwarding also restarts by default.
If you do not want event forwarding to restart automatically, you can
turn it off using the -E option.
Messages from the syslogd daemon are converted to EVM events and
notified to the EVM daemon. Refer to the EVM(5) reference page and
System Administration for more information on EVM.
FILES
    Specifies the command path
    Configuration file.
    Process ID.
    Specifies what remote hosts can forward messages to the local host.
    Contains configuration information that specifies what syslogd messages will be forwarded to the Event Manager, EVM.
    Enables and disables printing to the console device.
    The name of the domain datagram log socket.
    Kernel log device.
    The directory where daily log subdirectories reside.
    A link to the directory containing the most recent daily log files.
SEE ALSO
Commands: logger(1), syslog(1), savecore(8).
Functions: syslog(3), openlog(3).
Files: syslog.auth(4), syslog.conf(4), syslog_evm.conf(4).
Other: EVM(5).
Network Administration: Connections, Network Administration: Services,
and System Administration.