FreeBSD Manual Pages
SYSLOG.CONF(5) File Formats Manual SYSLOG.CONF(5) NAME syslog.conf -- syslogd(8) configuration file DESCRIPTION The syslog.conf file is the configuration file for the syslogd(8) pro- gram. It consists of blocks of lines separated by program and hostname specifications (separations appear alone on their lines), with each line containing two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies the action to be taken if a message syslogd(8) receives matches the selection criteria. The selector field is separated from the action field by one or more tab characters or spaces. Note that if you use spaces as separators, your syslog.conf might be incompatible with other Unices or Unix-like systems. This functional- ity was added for ease of configuration (e.g. it is possible to cut- and-paste into syslog.conf), and to avoid possible mistakes. This change however preserves backwards compatibility with the old style of syslog.conf (i.e., tab characters only). The selectors are encoded as a facility, a period ("."), an optional set of comparison flags ([!] [<=>]), and a level, with no intervening white-space. Both the facility and the level are case insensitive. The facility describes the part of the system generating the message, and is one of the following keywords: auth, authpriv, console, cron, daemon, ftp, kern, lpr, mail, mark, news, ntp, security, syslog, user, uucp, and local0 through local7. These keywords (with the exception of mark) correspond to similar "LOG_" values specified to the openlog(3) and syslog(3) library routines. The comparison flags may be used to specify exactly what is logged. The default comparison is "=>" (or, if you prefer, ">="), which means that messages from the specified facility list, and of a priority level equal to or greater than level will be logged. Comparison flags begin- ning with "!" will have their logical sense inverted. Thus "!=info" means all levels except info and "!notice" has the same meaning as "<notice". The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): emerg, crit, alert, err, warning, notice, info and debug. These keywords correspond to similar "LOG_" values specified to the syslog(3) library routine. Each block of lines is separated from the previous block by a program or hostname specification. A block will only log messages correspond- ing to the most recent program and hostname specifications given. Thus, with a block which selects `ppp' as the program, directly fol- lowed by a block that selects messages from the hostname `dialhost', the second block will only log messages from the ppp(8) program on di- alhost. A program specification is a line beginning with `#!prog' or `!prog' (the former is for compatibility with the previous syslogd, if one is sharing syslog.conf files, for example) and the following blocks will be associated with calls to syslog(3) from that specific program. A program specification for `foo' will also match any message logged by the kernel with the prefix `foo: '. The `#!+prog' or `!+prog' specifi- cation works just like the previous one, and the `#!-prog' or `!-prog' specification will match any message but the ones from that program. Multiple programs may be listed, separated by commas: `!prog1,prog2' matches messages from either program, while `!-prog1,prog2' matches all messages but those from `prog1' or `prog2'. A hostname specification of the form `#+hostname' or `+hostname' means the following blocks will be applied to messages received from the specified hostname. Alternatively, the hostname specification `#-hostname' or `-hostname' causes the following blocks to be applied to messages from any host but the one specified. If the hostname is given as `@', the local hostname will be used. As for program specifi- cations, multiple comma-separated values may be specified for hostname specifications. A program or hostname specification may be reset by giving the program or hostname as `*'. See syslog(3) for further descriptions of both the facility and level keywords and their significance. It is preferred that selections be made on facility rather than program, since the latter can easily vary in a networked environment. In some cases, though, an appropriate facility simply does not exist. If a received message matches the specified facility and is of the specified level (or a higher level), and the first word in the message after the date matches the program, the action specified in the action field will be taken. Multiple selectors may be specified for a single action by separating them with semicolon (";") characters. It is important to note, how- ever, that each selector can modify the ones preceding it. Multiple facilities may be specified for a single level by separating them with comma (",") characters. An asterisk ("*") can be used to specify all facilities, all levels, or all programs. The special facility "mark" receives a message at priority "info" every 20 minutes (see syslogd(8)). This is not enabled by a facility field containing an asterisk. The special level "none" disables a particular facility. The action field of each line specifies the action to be taken when the selector field selects a message. There are five forms: • A pathname (beginning with a leading slash). Selected messages are appended to the file. To ensure that kernel messages are written to disk promptly, syslog.conf calls fsync(2) after writing messages from the kernel. Other messages are not synced explicitly. You may prefix a path- name with the minus sign, "-", to forego syncing the specified file after every kernel message. Note that you might lose information if the system crashes immediately following a write attempt. Nev- ertheless, using the "-" option may improve performance, especially if the kernel is logging many messages. • A hostname (preceded by an at ("@") sign). Selected messages are forwarded to the syslogd(8) program on the named host. If a port number is added after a colon (`:') then that port will be used as the destination port rather than the usual syslog port. IPv6 ad- dresses can be used by surrounding the address portion with square brackets (`[' and `]'). • A comma separated list of users. Selected messages are written to those users if they are logged in. • An asterisk. Selected messages are written to all logged-in users. • A vertical bar ("|"), followed by a command to pipe the selected messages to. The command is passed to sh(1) for evaluation, so usual shell metacharacters or input/output redirection can occur. (Note however that redirecting stdio(3) buffered output from the invoked command can cause additional delays, or even lost output data in case a logging subprocess exited with a signal.) The com- mand itself runs with stdout and stderr redirected to /dev/null. Upon receipt of a SIGHUP, syslogd(8) will close the pipe to the process. If the process did not exit voluntarily, it will be sent a SIGTERM signal after a grace period of up to 60 seconds. The command will only be started once data arrives that should be piped to it. If it exited later, it will be restarted as neces- sary. So if it is desired that the subprocess should get exactly one line of input only (which can be very resource-consuming if there are a lot of messages flowing quickly), this can be achieved by exiting after just one line of input. If necessary, a script wrapper can be written to this effect. Unless the command is a full pipeline, it is probably useful to start the command with exec so that the invoking shell process does not wait for the command to complete. Warning: the process is started under the UID invoking syslogd(8), normally the superuser. Blank lines and lines whose first non-blank character is a hash ("#") character are ignored. If `#' is placed in the middle of the line, the `#' character and the rest of the line after it is ignored. To prevent special meaning, the `#' character may be escaped with `\'; in this case preceding `\' is removed and `#' is treated as an ordinary charac- ter. IMPLEMENTATION NOTES The "kern" facility is usually reserved for messages generated by the local kernel. Other messages logged with facility "kern" are usually translated to facility "user". This translation can be disabled; see syslogd(8) for details. FILES /etc/syslog.conf syslogd(8) configuration file EXAMPLES A configuration file might appear as follows: # Log all kernel messages, authentication messages of # level notice or higher, and anything of level err or # higher to the console. # Don't log private authentication messages! *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none /var/log/messages # Log daemon messages at debug level only daemon.=debug /var/log/daemon.debug # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Everybody gets emergency messages, plus log them on another # machine. *.emerg * *.emerg @arpa.berkeley.edu # Root and Eric get alert and higher messages. *.alert root,eric # Save mail and news errors of level err and higher in a # special file. uucp,news.crit /var/log/spoolerr # Pipe all authentication messages to a filter. auth.* |exec /usr/local/sbin/authfilter # Log all security messages to a separate file. security.* /var/log/security # Log all writes to /dev/console to a separate file. console.* /var/log/console.log # Save ftpd transactions along with mail and news !ftpd *.* /var/log/spoolerr # Log ipfw messages without syncing after every message. !ipfw *.* -/var/log/ipfw SEE ALSO syslog(3), syslogd(8) BUGS The effects of multiple selectors are sometimes not intuitive. For ex- ample "mail.crit,*.err" will select "mail" facility messages at the level of "err" or higher, not at the level of "crit" or higher. In networked environments, note that not all operating systems imple- ment the same set of facilities. The facilities authpriv, cron, ftp, and ntp that are known to this implementation might be absent on the target system. Even worse, DEC UNIX uses facility number 10 (which is authpriv in this implementation) to log events for their AdvFS file system. FreeBSD 10.1 September 12, 2012 SYSLOG.CONF(5)
NAME | DESCRIPTION | IMPLEMENTATION NOTES | FILES | EXAMPLES | SEE ALSO | BUGS
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=syslog.conf&sektion=5&manpath=FreeBSD+10.1-RELEASE+and+Ports>