syslogd(1M)syslogd(1M)NAMEsyslogd - log systems messages
SYNOPSIS
/usr/etc/syslogd [ -fconfigfile ] [ -mmarkinterval ] [ -plogpipe ]
[ -d ] [ -a mask,match | -a match ] [-A]
[ -P port_number | -N ]
DESCRIPTIONsyslogd reads and logs messages into a set of files described by the
configuration file /etc/syslog.conf. Each message is one line. A
message can contain a priority code, marked by a number in angle braces
at the beginning of the line. Priorities are defined in <sys/syslog.h>.
syslogd reads from the stream device /dev/log, from an Internet domain
socket specified in /etc/services, and from the special device /dev/klog
(to read kernel messages).
syslogd reads its configuration when it starts up and whenever it
receives a hangup signal. Lines in the configuration file have a
selector to determine the message priorities to which the line applies
and an action. The action fields are separated from the selector by one
or more tabs. A maximum of 50 lines can be specified. It is recommended
that no more than 49 be used, or the LOG_LFMT facility may not work
correctly; this facility is used by login(1), among other programs.
Selectors are semicolon separated lists of priority specifiers. Each
priority has a facility describing the part of the system that generated
the message, a dot, and a level indicating the severity of the message.
Symbolic names can be used. An asterisk (*) selects all facilities,
while debug selects all levels. All messages of the specified level or
higher (greater severity) are selected. More than one facility can be
selected, using commas to separate them. For example:
*.emerg;mail,daemon.crit
selects all facilities at the emerg level and the mail and daemon
facilities at the crit level.
Known facilities and levels recognized by syslogd are those listed in
syslog(3C) without the leading LOG_. The additional facility mark logs
messages at priority LOG_INFO every 20 minutes (this interval can be
changed with the -m flag). The mark facility is not enabled by a
facility field containing an asterisk. The level none can be used to
disable a particular facility. For example:
*.debug;mail.none
sends all messages except mail messages to the selected file.
The second part of each line describes where the message is to be logged
if this line is selected. There are five forms:
Page 1
syslogd(1M)syslogd(1M)
o A filename (beginning with a leading slash). The file is opened in
append mode.
o A hostname preceded by an at sign (@). Selected messages are
forwarded to the syslogd on the named host.
o A comma-separated list of users. Selected messages are written to
those users if they are logged in.
o An asterisk. Selected messages are written to all logged-in users.
o A |, followed immediately by a program name, which is taken to be all
chars after the | up to the next tab; at least one action must follow
the tab. The filter is expected to read stdin and write the filtered
response to stdout. The filter receives the source and message
through stdin. A filter can also access the priority, facility, and
hostname via environmental variables: PRIORITY, FACILITY, and FROM.
The values are stored as strings defined in <sys/syslog.h>. If the
filter exits with a non-zero value, the original message is logged, as
well as a message that the filter failed. The filter has a limited
time (currently eight seconds) to process the message. If the filter
exits with status 0 without writing any data, no message is logged.
The data to be read by the filter is not terminated with a newline,
nor should the data written have a newline appended. See below for a
sample filter.
Blank lines and lines beginning with # are ignored.
For example, the configuration file:
kern.debug |/usr/sbin/klogpp /var/adm/SYSLOG
kern.debug |/usr/sbin/klogpp /dev/console
user,mail,daemon,auth,syslog,lpr.debug /var/adm/SYSLOG
kern.err @ginger
*.emerg *
*.alert eric,beth
*.alert;auth.warning ralph
filters all kernel messages through klogpp(1M) and writes them to the
system console and into /var/adm/SYSLOG and logs debug (or higher) level
messages into the file /var/adm/SYSLOG. Kernel messages of error
severity or higher are forwarded to ginger. All users are informed of
any emergency messages. The users eric and beth are informed of any
alert messages. The user ralph is informed of any alert message or any
warning message (or higher) from the authorization system.
syslogd is started at system initialization from /etc/init.d/sysetup.
Optional site-specific flags belong in /etc/config/syslogd.options. The
flags are:
Page 2
syslogd(1M)syslogd(1M)-fconfigfile Specify an alternate configuration file.
-mmarkinterval Select the number of minutes between mark messages.
-d Turn on debugging. syslogd runs in the foreground and
writes debugging information to stdout.
-plogpipe Use the given name for the device instead of /dev/log.
Unless specified otherwise by the -P option, syslogd use UDP port defined
by 'syslog' entry in /etc/services ( or NIS ) to send ( when @host is
used in the configuration file ) and receive syslog data from other
hosts. There are no restriction for the list of forwarding hosts.
However, to restrict the list of hosts ( or networks ) allowed to send
message to syslog, use only one of the following methods:
o -N, disabling receiving anything
o a combination of -a or -A specifications.
-a mask,match
-a match
This option defines which hosts ( or subsets ) are allowed to send
messages to syslog. The mask, and match arguments are IP addresses in
Internet dot notation (see inet(3N)) that represent masks, hosts or
networks. The mask and match arguments must be separated by a comma
with no intervening whitespace. If mask and the comma are missing,
the argument is interpreted as a Class A, B, or C network number and
the mask is set to the value appropriate for the network's class.
The -a option can be repeated up to 50 times. For each mask and match
specified, the requesting client host's address is logically-ANDed
with mask; if the result equals match, the client's request is
processed. If none of the mask-match comparisons succeed, the request
is rejected. Requests from all of the local host's addresses are
always permitted.
For example, if /etc/config/syslogd.options contains
-a 255.255.255.0,128.32.199.0
-a 192.0.2.0
-a 255.255.255.255,192.26.51.3
access is restricted to any host on the Class B 128.32.199 subnet or
the Class C 192.0.2 network or to the host with the 192.26.51.3
address. Requests from clients on any other networks are rejected.
-A This option is equivalent to a series of -a options listing all of the
addresses of interfaces on the machine, with their netmasks. It is
convenient for authorizing hosts on directly connected networks and
point-to-point links without explicitly enumerating the networks. The
restrictions defined by -A do not count against the limit of 50 -a
Page 3
syslogd(1M)syslogd(1M)
options.
-N This option disable receiving network data on UDP port defined by
'syslog' in /etc/services ( or NIS ) or by the -P option below.
However, sending data ( forwarding ) is still available and will
*emit* from any UDP port. NOTE: When -N is not active, syslog use the
'syslog' port /etc/services ( or NIS ) or by the -P option below. This
port is used in both directions, for receiving and sending data. This
is in compliance of RFC3164.
-P port number
This option allows listening on UDP port different than the default (
514 ).
syslogd rereads its configuration file when it receives a hangup signal,
SIGHUP. To bring syslogd down, send it a terminate signal (for example,
killall -TERM syslogd).
SECURITY CONSIDERATIONSsyslogd creates log files in mode 644 which allows general read access.
If the log file already exists, its permissions are unchanged. The
system administrator may wish to create separate log files with more
restricted permissions for sensitive information such as LOG_AUTH
messages. Scripts or cron(1M) jobs that roll (that is save and restart
with a new file) these sensitive log files should ensure that the new log
file has the desired permissions.
FILTER EXAMPLE
This example shows how to use the filter mechanism. To have ftpd(1M)
messages logged in a different file, add the following line to
/etc/syslog.conf:
daemon,auth.debug |/var/adm/ftpd.filt /var/adm/ftpd.log
The /var/adm/ftpd.filt file is a shell script:
#!/bin/sh
# This filter only accepts ftpd messages
read line
set $line
case "$1" {
ftpd\[*)
echo "$line\c"
exit 0
;;
}
exit 0
Page 4
syslogd(1M)syslogd(1M)MESSAGE EXAMPLE
The following is an example line from the /var/adm/SYSLOG file:
Aug 10 10:32:53 6F:sgihost syslogd: restart
Each line has several parts. The date and time of the message are listed
first, followed by a priority and facility code. Priorities are listed
as 0-7 and facilities are listed as A-T. Reference <sys/syslog.h>. The
source is the name of the program that generated the message. Following
the source is the message itself.
NOTES
IP filtering options flags ( -N, -P, -A and -a ) were introduced in IRIX
6.5.15 and are not available in earlier releases.
FILES
/etc/syslog.conf default configuration file
/dev/log device read by syslogd
/dev/klog the kernel log device
/usr/sbin/klogpp filter for kernel messages
/etc/config/syslogd.options command-line flags used at system startup
SEE ALSOlogger(1), sysmon(1M), syslog(3C).
Page 5