writes system messages to log files or a
user's terminal. Output can be sent to other programs for further processing.
It can also securely send and receive log messages to and from remote hosts.
The options are as follows:
- Forces syslogd to use only
IPv4 addresses for UDP.
- Forces syslogd to use only
IPv6 addresses for UDP.
- Specify a location where
syslogd should place an additional log
socket. The primary use for this is to place additional log sockets in
/dev/log of various chroot filespaces, though
the need for these is less urgent after the introduction of
- PEM encoded file containing CA certificates used for
certificate validation of a remote loghost; the default is
- PEM encoded file containing the client certificate for TLS
connections to a remote host. The default is not to use a client
certificate for the connection to a syslog server. This option has to be
used together with -k
- Enable debugging to the standard output, and do not
disassociate from the controlling terminal.
- Run in the foreground instead of disassociating from the
controlling terminal and running as a background daemon.
- Specify the pathname of an alternate configuration file;
the default is /etc/syslog.conf.
- Include the hostname when forwarding messages to a remote
- PEM encoded file containing CA certificates used for client
certificate validation on the local server socket. By default incoming
connections from any TLS server are allowed.
- PEM encoded file containing the client private key for TLS
connections to a remote host. This option has to be used together with
- Select the number of minutes between “mark”
messages; the default is 20 minutes.
- Print source addresses numerically rather than
symbolically. This saves an address-to-name lookup for each incoming
message, which can be useful when combined with the
-u option on a loghost with no DNS cache.
Messages from the local host will still be logged with the symbolic local
- Specify the pathname of an alternate log socket to be used
instead; the default is /dev/log.
- Create a TLS listen socket for receiving encrypted messages
and bind it to the specified address. A port number may be specified using
syntax. The parameter is also used to find a suitable server key and
certificate in /etc/ssl/.
- Specify path to an
AF_LOCAL socket for use in reporting
logs stored in memory buffers using
- Create a TCP listen socket for receiving messages and bind
it to the specified address. There is no well-known port for syslog over
TCP, so a port number must be specified using the
- Create a UDP socket for receiving messages and bind it to
the specified address. This can be used, for example, with a pf divert-to
rule to receive packets when syslogd is bound to localhost. A port number
may be specified using the
- Select the historical “insecure” mode, in
which syslogd will accept input from the UDP port. Some software wants
this, but you can be subjected to a variety of attacks over the network,
including attackers remotely filling logs.
- Do not perform remote server certificate and hostname
validation when sending messages.
- Generate timestamps in ISO format. This includes the year
and the timezone, and all logging is done in UTC.
The options -a
can be given more than once to specify
multiple input sources.
reads its configuration file,
when it starts up and whenever it receives a hangup signal. It creates the
and stores its process
ID there. The PID can be used to kill or reconfigure
opens a UDP socket, as specified in
, for sending forwarded messages. By
default all incoming data on this socket is discarded. If insecure mode is
switched on with -u
, it will also read messages
from the socket. syslogd
also opens and reads
messages from the UNIX
, and from the special device
(to read kernel messages), and from
(to read messages from userland processes).
The message sent to syslogd
should consist of a
single line. The message can contain a priority code, which should be a
preceding decimal number in angle braces, for example,
“<5>”. This priority code should map into the priorities
defined in the include file
When sending syslog messages to a remote loghost via TLS, the server's
certificate and hostname are validated to prevent malicious servers from
reading messages. If the server has a certificate with a matching hostname
signed by a CA in /etc/ssl/cert.pem
, it is
verified with that by default. If the server has a certificate with a matching
hostname signed by a private CA, use the -C
option and put that CA into CAfile
Validation can be explicitly turned off using the
option. If the server is accepting messages
only from clients with a trusted client certificate, use the
with this certificate.
When receiving syslog messages from a TLS client, there must be a server key and
If the client uses certificates to authenticate, the CA of the client's
certificate may be added to CAfile
option to protect from messages being spoofed
by malicious clients.
- Name of the UNIX-domain datagram
- Kernel log device.
- Private keys and public certificates.
- Configuration file.
- Process ID of current
command appeared in
does not create files, it only logs to