File: inetutils.info, Node: syslogd invocation, Next: ftpd invocation, Prev: inetd invocation, Up: Top 20 'syslogd': system service logging faclity ******************************************** 'syslogd' is a system service that provides error logging facility. Messages are read from the UNIX domain socket '/dev/log', from an Internet domain socket specified in '/etc/services', and from the special device '/dev/klog' (to read kernel messages). 'syslogd' creates the file '/var/run/syslog.pid', and stores its process id there. This can be used to kill or reconfigure 'syslogd'. The message sent to 'syslogd' should consist of a single line. The message can contain a priority code, which should be a preceding decimal number in angle braces, for example, '<5>'. This priority code should map into the priorities defined in the include file 'sys/syslog.h'. syslogd [OPTIONS]... '-f FILE' '--rcfile=FILE' Override configuration (the default file is '/etc/syslog.conf'). '-D DIR' '--rcdir=DIR' Override configuration directory (the default is '/etc/syslog.d'). '-P FILE' '--pidfile=FILE' Override pidfile (the default file is '/var/run/syslogd.pid'). '-n' '--no-detach' Do not enter daemon mode. '-d' '--debug' Print debug information (implies '-n'). '-p FILE' '--socket=FILE' Override default UNIX domain socket '/dev/log'. '-a SOCKET' Add UNIX socket to listen. An unlimited number of sockets is allowed. '-r' '--inet' Receive remote messages via Internet domain socket. Without this option no remote massages are received, since there is no listening socket. Yet sockets for forwarding are created on the fly as needed, which might cause performance issues on busy systems. '-b ADDRESS' '--bind=ADDRESS' Restrict the listening Internet domain socket to a single address. The default (given the use of '-r') is a wildcard address, implying that the server listens at every available address. Any name will be resolved, and the lookup result will depend on the options '-4', '-6', and '--ipany'. '--no-unixaf' Do not listen on UNIX domain sockets (overrides '-a' and '-p'). '--no-klog' Do not listen to the kernel log device '/dev/klog'. '--ipany' Allow both address families: IPv4 and IPv6. '-4' '--ipv4' Use only IPv4 for Internet domain sockets. '-6' '--ipv6' Use only IPv6 for Internet domain sockets. '--no-forward' Do not forward any messages (overrides '-h'). This disables even temporary creation of forwarding sockets, an ability which is otherwise active when the option '-r' is left out. '-h' '--hop' Forward messages from remote hosts. '-m INTERVAL' '--mark=INTERVAL' Specify timestamp interval expressed in minutes (0 for no timestamping). '-l HOSTLIST' Log hosts in HOSTLIST by their hostname. Multiple lists are allowed. '-s DOMAINLIST' List of domains which should be stripped from the FQDN of hosts before logging their name. Multiple lists are allowed. '-T' '--local-time' Ignore any time contained in a received message. In its stead, record the time of reception on the local system. This circumvents problems caused by remote hosts with skewed clocks. 20.1 Configuration file ======================= 'syslogd' reads its configuration file when it starts up and whenever it receives a hangup signal. The 'syslog.conf' file is the main configuration file for the 'syslogd' program. In addition, the server looks below the directory 'syslog.d/' for further configuration files, making it easy to arrange a common set of logging conventions in 'syslog.conf', augmented by system and service specific drop-in configuration in 'syslog.d/'. Each configuration file consists of lines with two fields: a "selector" field which specifies the types of messages and priorities to which the line applies, and an "action" field which specifies the action to be taken if a message 'syslogd' receives matches the selection criteria. The selector field is separated from the action field by one or more tab or space characters. A rule can be split in several lines if all lines except the last are terminated with a backslash '\'. There are two exceptional forms of line content. The first is the "tagged selector", and the second is a comment. The latter begins with an octothorp ('#'), also called hash, and continues until end-of-line. A tagged selector commences with an exclamation mark, as in '!name', or with a shebang, like '#! name', and continues with a program name, a "tag" in the sense used by 'logger'. It has the effect of applying the following configuration rules only to messages submitted with the specified tag. This selection remains in effect until another tag is selected, or until it is reset by means of stating the program name as an asterisque '*'. The selector fields are encoded as a facility, followed by a period ('.'), and a level, with no intervening white-space. The facility as well as the level are case insensitive. The facility describes the part of the system generating the message, and is one of the following keywords: 'auth', 'authpriv', 'cron', 'daemon', 'kern', 'lpr', 'mail', 'mark', 'news', 'syslog', 'user', 'uucp' and 'local0' through 'local7'. These keywords (with the exception of 'mark') correspond to the similar 'LOG_' values specified to the 'openlog' and 'syslog' library routines. *Note Syslog: (libc)Syslog, for details. The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): 'emerg', 'alert', 'crit', 'err, warning', 'notice' and 'debug'. These keywords correspond to the similar 'LOG_' values specified to the syslog library routine. *Note syslog and vsyslog: (libc)syslog; vsyslog, for a further descriptions of both the facility and level keywords and their significance. If a received message matches the specified facility and is of the specified level (or a higher level), the action specified in the action field will be taken. Multiple selectors may be specified for a single action by separating them with semicolon (';') characters. It is important to note, however, that each selector can modify the ones preceding it. Multiple facilities may be specified for a single level by separating them with comma (',') characters. An asterisk ('*') can be used to specify all facilities or all levels. Two asterisks ('**') specifie all facilities not named previously in the configuration file. By default, a level applies to all messages with the same or higher level. The equal ('=') character can be prepended to a level to restrict this line of the configuration file to messages with the very same level. An exclamation mark ('!') prepended to a level or the asterisk means that this line of the configuration file does not apply to the specified level (and higher ones). In conjunction with the equal sign, you can exclude single levels as well. The special facility 'mark' receives a message at priority 'info' every 20 minutes. This is not enabled by a facility field containing an asterisk. The special level 'none' disables a particular facility. The action field of each line specifies the action to be taken when the selector field selects a message. There are five forms: * A pathname (beginning with a leading slash). Selected messages are appended to the file. You may prepend a minus ('-') to the path to omit syncing the file after each message log. This can cause data loss at system crashes, but increases performance for programs which use logging extensively. * A named pipe, beginning with a vertical bar ('|') followed by a pathname. The pipe must be created with 'mkfifo' before 'syslogd' reads its configuration file. This feature is especially useful for debugging. * A hostname (preceded by an at ('@') sign). Selected messages are forwarded to 'syslogd' on the named host. * A comma separated list of users. Selected messages are written to those users if they are logged in. * An asterisk. Selected messages are written to all logged-in users. Blank lines and lines whose first non-blank character is a hash ('#') character are ignored. A configuration file might appear as follows: # Log all kernel messages, authentication messages of # level notice or higher and anything of level err or # higher to the console. # Don't log private authentication messages! *.err;kern.*;auth.notice;authpriv.none /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Everybody gets emergency messages, plus log them on another # machine. *.emerg * *.emerg @arpa.berkeley.edu # Root and Eric get alert and higher messages. *.alert root,eric # Simplify security auditing, by collecting sudo uses. ! sudo *.info /var/log/sudo # Collect time server reports. #! ntpd *.* /var/log/ntpd # Stop selecting on message tags. !* # Save mail and news errors of level err and higher in a # special file. uucp,news.crit /var/log/spoolerr The effects of multiple selectors are sometimes not intuitive. For example 'mail.crit,*.err' will select the 'mail' facility messages at the level of 'err' or higher, not at the level of 'crit' or higher.