FreeBSD Manual Pages

  
 
  

SYSLOG.CONF(5)		      File Formats Manual		SYSLOG.CONF(5)

NAME
       syslog.conf -- syslogd(8) configuration file

DESCRIPTION
       The  syslog.conf	file is	the configuration file for the syslogd(8) pro-
       gram.  It consists of blocks of lines separated by  program  specifica-
       tions,  with  each line containing two fields: the selector field which
       specifies the types of messages and priorities to which	the  line  ap-
       plies,  and an action field which specifies the action to be taken if a
       message syslogd receives	matches	the selection criteria.	 The  selector
       field  is separated from	the action field by one	or more	tab characters
       or spaces.

       Note that if you use spaces as separators, your syslog.conf might be
       incompatible with other Unices or Unix-like systems.  This
       functionality was added for ease of configuration (e.g. it is possible
       to cut-and-paste into syslog.conf), and to avoid possible mistakes.
       This change, however, preserves backwards compatibility with the old
       style of syslog.conf (i.e. tab characters only).

       Selectors are encoded as a facility, a period ("."), an optional set
       of comparison flags ([<=>]), and a level, with no intervening
       white-space.  Both the facility and the level are case insensitive.

       The facility describes the part of the system generating	 the  message,
       and  is	one  of	 the following keywords: auth, authpriv, cron, daemon,
       ftp, kern, lpr, mail, mark, news, ntp, syslog, user,  uucp  and	local0
       through local7.	These keywords (with the exception of mark) correspond
       to  the similar "LOG_" values specified to the openlog(3) and syslog(3)
       library routines.

       The comparison flags may be used to specify exactly what is logged.
       The default set of comparison flags is "=>" (or, if you prefer, ">="),
       which means that messages from the specified facility list of a
       priority level equal to or greater than level will be logged.

       The level describes the severity	of the message,	and is a keyword  from
       the  following ordered list (higher to lower): emerg, alert, crit, err,
       warning,	notice,	info and debug.	 These keywords	correspond to the sim-
       ilar "LOG_" values specified to the syslog library routine.

       Each block of lines is separated from the previous block by a tag.  The
       tag is a line beginning with #!prog or !prog (the former is for
       compatibility with the previous syslogd, if one is sharing syslog.conf
       files, for example) and each block will be associated with calls to
       syslog from that specific program.  A tag for "foo" will also match any
       message logged by the kernel with the prefix "foo: ".

       See syslog(3) for further descriptions of both the facility and level
       keywords and their significance.  It's preferred that selections be
       made on facility rather than program, since the latter can easily vary
       in a networked environment.  In some cases, though, an appropriate
       facility simply doesn't exist.

       If  a  received	message	 matches  the specified	facility and is	of the
       specified level (or a higher level), and	the first word in the  message
       after  the date matches the program, the	action specified in the	action
       field will be taken.

       Multiple	selectors may be specified for a single	action	by  separating
       them  with  semicolon  (";") characters.	 It is important to note, how-
       ever, that each selector	can modify the ones preceding it.

       Multiple	facilities may be specified for	a single level	by  separating
       them with comma (",") characters.

       An asterisk ("*") can be used to specify all facilities, all levels or
       all programs.

       The special facility "mark" receives a message at priority "info" every
       20 minutes (see syslogd(8)).  This is not enabled by a  facility	 field
       containing an asterisk.

       The special level "none"	disables a particular facility.
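
       The selector rules above, worked through as an added Python example
       (not part of the manual page or of syslogd's source).  It assumes that
       a later selector replaces the setting of any facility it names, which
       is the behaviour the EXAMPLES lines rely on; compile_selectors and
       selects are names chosen for this example.

```python
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "mark", "news", "ntp", "syslog", "user", "uucp"]
FACILITIES += [f"local{i}" for i in range(8)]


def compile_selectors(field):
    """Map facility -> (flags, level index); a value of None means 'none'."""
    table = {}
    for selector in field.lower().split(";"):       # keywords are case insensitive
        facs, _, rest = selector.partition(".")
        flags = ""
        while rest and rest[0] in "<=>":            # optional comparison flags
            flags += rest[0]
            rest = rest[1:]
        if rest == "none":
            rule = None                             # disables the facility
        elif rest == "*":
            rule = ("<=>", 0)                       # every level
        else:
            rule = (flags or "=>", LEVELS.index(rest))
        for fac in facs.split(","):
            # "*" covers every facility except the special "mark".
            names = [f for f in FACILITIES if f != "mark"] if fac == "*" else [fac]
            for name in names:
                if name not in FACILITIES:
                    raise ValueError(f"unknown facility: {name}")
                table[name] = rule                  # assumption: last selector wins
    return table


def selects(field, facility, level):
    """True if a message of facility/level is selected by the selector field."""
    rule = compile_selectors(field).get(facility)
    if rule is None:
        return False
    flags, want = rule
    got = LEVELS.index(level)                       # lower index = higher severity
    return (("=" in flags and got == want)
            or (">" in flags and got < want)
            or ("<" in flags and got > want))
```

       Because selectors are applied left to right, "*.info;mail.none" drops
       mail while "mail.none;*.info" logs it again.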

       The action field	of each	line specifies the action to be	taken when the
       selector	field selects a	message.  There	are five forms:

          A pathname (beginning with a	leading	slash).	 Selected messages are
	   appended to the file.

          A  hostname	(preceded by an	at ("@") sign).	 Selected messages are
	   forwarded to	the syslogd program on the named host.

          A comma separated list of users.  Selected messages are written  to
	   those users if they are logged in.

          An asterisk.	 Selected messages are written to all logged-in	users.

          A vertical bar ("|"), followed by a command to pipe the selected
           messages to.  The command is passed to /bin/sh for evaluation, so
           usual shell metacharacters or input/output redirection can occur.
           (Note however that redirecting stdio(3) buffered output from the
           invoked command can cause additional delays, or even lost output
           data in case a logging subprocess exited with a signal.)  The
           command itself runs with stdout and stderr redirected to /dev/null.
           Upon receipt of a SIGHUP, syslogd(8) will close the pipe to the
           process.  If the process didn't exit voluntarily, it will be sent a
           SIGTERM signal after a grace period of up to 60 seconds.

	   The command will only be started once data arrives that  should  be
	   piped  to  it.   If it exited later,	it will	be restarted as	neces-
	   sary.  So if	it is desired that the subprocess should  get  exactly
	   one	line  of  input	 only (which can be very resource-consuming if
	   there are a lot of messages flowing quickly), this can be  achieved
	   by  exiting	after  just one	line of	input.	If necessary, a	script
	   wrapper can be written to this effect.

	   Unless the command is a full	 pipeline,  it's  probably  useful  to
	   start the command with exec so that the invoking shell process does
	   not	wait  for  the	command	 to complete.  Warning:	the process is
	   started under the UID invoking syslogd(8), normally the superuser.

       Blank lines and lines whose first non-blank character is	a  hash	 ("#")
       character are ignored.
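
       An added example, not from the manual page or the FreeBSD sources: a
       small Python reader for the line format described above that classifies
       each action field and lists the rules an administrator should review,
       namely piped commands (run through /bin/sh under syslogd's UID) and
       messages forwarded to another host.  The sample file, loghost.example
       and /usr/local/sbin/fwfilter are constructed for the example.

```python
import re

# Constructed sample in the format this page describes (not a real host's file).
SAMPLE = """\
# comment line, ignored
*.err;kern.*;auth.notice;authpriv.none  /dev/console
*.emerg\t\t*
*.emerg\t\t@loghost.example
*.alert\t\troot,eric
auth.*\t\t|/usr/local/sbin/authfilter
#!ftpd
*.*\t\t/var/log/spoolerr
!ipfw
*.*\t\t|exec /usr/local/sbin/fwfilter
"""

KINDS = {"/": "file", "@": "host", "|": "pipe", "*": "all-users"}


def parse(text):
    """Yield (program, selector, kind, target) for every rule line."""
    program = "*"                          # rules before any tag apply to all programs
    for raw in text.splitlines():
        line = raw.strip()
        tag = re.match(r"#?!(\S+)", line)
        if tag:                            # "#!prog" or "!prog" opens a new block
            program = tag.group(1)
            continue
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are ignored
        selector, action = re.split(r"[ \t]+", line, maxsplit=1)
        kind = KINDS.get(action[0], "users")
        target = action[1:].strip() if kind in ("host", "pipe") else action
        yield program, selector, kind, target


def audit(text):
    """Return (selector, note) pairs for actions that deserve a review."""
    findings = []
    for _program, selector, kind, target in parse(text):
        if kind == "pipe":
            findings.append((selector, "pipe: command runs via /bin/sh under syslogd's UID"))
            if not target.startswith("exec ") and "|" not in target:
                findings.append((selector, "pipe: single command not started with exec"))
        elif kind == "host":
            findings.append((selector, f"forwarded off-host to {target}"))
    return findings
```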

EXAMPLES
       A configuration file might appear as follows:

       # Log all kernel messages, authentication messages of
       # level notice or higher and anything of level err or
       # higher to the console.
       # Don't log private authentication messages!
       *.err;kern.*;auth.notice;authpriv.none  /dev/console

       # Log anything (except mail) of level info or higher.
       # Don't log private authentication messages!
       *.info;mail.none;authpriv.none          /var/log/messages

       # Log daemon messages at debug level only
       daemon.=debug                           /var/log/daemon.debug

       # The authpriv file has restricted access.
       authpriv.*                              /var/log/secure

       # Log all the mail messages in one place.
       mail.*                                  /var/log/maillog

       # Everybody gets emergency messages, plus log them on another
       # machine.
       *.emerg                                 *
       *.emerg                                 @arpa.berkeley.edu

       # Root and Eric get alert and higher messages.
       *.alert                                 root,eric

       # Save uucp and news errors of level crit and higher in a
       # special file.
       uucp,news.crit                          /var/log/spoolerr

       # Pipe all authentication messages to a filter.
       auth.*                                  |exec /usr/local/sbin/authfilter

       # Save ftpd transactions along with uucp and news
       !ftpd
       *.*                                     /var/log/spoolerr

       # Log kernel firewall reports to a separate file
       !ipfw
       *.*                                     /var/log/ipfw

FILES
       /etc/syslog.conf	 syslogd(8) configuration file

BUGS
       The effects of multiple selectors are sometimes not intuitive.  For ex-
       ample  "mail.crit,*.err"	 will  select  "mail" facility messages	at the
       level of	"err" or higher, not at	the level of "crit" or higher.

       In networked environments, note that not	all operating  systems	imple-
       ment  the  same set of facilities.  The facilities authpriv, cron, ftp,
       and ntp that are	known to this implementation might be  absent  on  the
       target  system.	Even worse, DEC	UNIX uses facility number 10 (which is
       authpriv	in this	implementation)	to log events  for  their  AdvFS  file
       system.

SEE ALSO
       syslog(3), syslogd(8)

GNU				 June 9, 1993			SYSLOG.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=syslog.conf&manpath=FreeBSD+3.1-RELEASE>
