NAME
syslogd
—
log system messages
SYNOPSIS
syslogd |
[-46dFhnruVZ ]
[-a path]
[-C CAfile]
[-c cert_file]
[-f config_file]
[-K CAfile]
[-k key_file]
[-m mark_interval]
[-p log_socket]
[-S listen_address]
[-s reporting_socket]
[-T listen_address]
[-U bind_address] |
DESCRIPTION
syslogd
writes system messages to log
files or a user's terminal. Output can be sent to other programs for further
processing. It can also securely send and receive log messages to and from
remote hosts.
The options are as follows:
-4
- Forces
syslogd
to use only IPv4 addresses for UDP. -6
- Forces
syslogd
to use only IPv6 addresses for UDP. -a
path- Specify a location where
syslogd
should place an additional log socket. The primary use for this is to place additional log sockets in /dev/log of various chroot filespaces, though the need for these is less urgent after the introduction of sendsyslog(2). -C
CAfile- PEM encoded file containing CA certificates used for certificate validation of a remote loghost; the default is /etc/ssl/cert.pem.
-c
cert_file- PEM encoded file containing the client certificate for TLS connections to
a remote loghost. The default is not to use a client certificate for the
outgoing connection to a syslog server. This option has to be used
together with
-k
key_file. -d
- Enable debugging to the standard output, and do not disassociate from the controlling terminal.
-F
- Run in the foreground instead of disassociating from the controlling terminal and running as a background daemon.
-f
config_file- Specify the pathname of an alternate configuration file; the default is /etc/syslog.conf.
-h
- Include the hostname when sending messages to a remote loghost.
-K
CAfile- PEM encoded file containing CA certificates used for client certificate validation on the local listen socket. By default incoming connections from any TLS client are allowed.
-k
key_file- PEM encoded file containing the client private key for TLS connections to
a remote loghost. This option has to be used together with
-c
cert_file. -m
mark_interval- Select the number of minutes between “mark” messages; the default is 20 minutes.
-n
- Print source addresses numerically rather than symbolically. This saves an
address-to-name lookup for each incoming message, which can be useful when
combined with the
-u
option on a loghost with no DNS cache. Messages from the local host will still be logged with the symbolic local host name. -p
log_socket- Specify the pathname of an alternate log socket to be used instead; the default is /dev/log.
-r
- Print duplicate lines immediately and suppress the "last message repeated" summary when piping to another program or forwarding to a remote loghost. If given twice, this is done for all log actions.
-S
listen_address- Create a TLS listen socket for receiving encrypted messages and bind it to the specified address. A port number may be specified using the host:port syntax. The first listen_address is also used to find a suitable server key and certificate in /etc/ssl/.
-s
reporting_socket- Specify path to an
AF_LOCAL
socket for use in reporting logs stored in memory buffers using syslogc(8). -T
listen_address- Create a TCP listen socket for receiving messages and bind it to the specified address. There is no well-known port for syslog over TCP, so a port number must be specified using the host:port syntax.
-U
bind_address- Create a UDP socket for receiving messages and bind it to the specified address. This can be used, for example, with a pf divert-to rule to receive packets when syslogd is bound to localhost. A port number may be specified using the host:port syntax.
-u
- Select the historical “insecure” mode, in which syslogd will accept input from the UDP port. Some software wants this, but you can be subjected to a variety of attacks over the network, including attackers remotely filling logs.
-V
- Do not perform remote server certificate and hostname validation when sending messages.
-Z
- Generate timestamps in ISO format. This includes the year and the timezone, and all logging is done in UTC.
The options -a
,
-S
, -T
, and
-U
can be given more than once to specify multiple
input sources.
syslogd
reads its configuration file,
syslog.conf(5), when it starts up and whenever it receives a
hangup signal. It creates the file
/var/run/syslog.pid and stores its process ID there.
The PID can be used to kill or reconfigure
syslogd
.
syslogd
opens a UDP socket, as specified
in /etc/services, for sending forwarded messages. By
default all incoming data on this socket is discarded. If insecure mode is
switched on with -u
, it will also read messages from
the socket. syslogd
also opens and reads messages
from the UNIX-domain socket
/dev/log, and from the special device
/dev/klog (to read kernel messages), and from
sendsyslog(2) (to read messages from userland processes).
The message sent to syslogd
should consist
of a single line. The message can contain a priority code, which should be a
preceding decimal number in angle braces, for example,
“<5>”. This priority code should map into the priorities
defined in the include file
<sys/syslog.h>
.
When sending syslog messages to a remote loghost via TLS, the
server's certificate and hostname are validated to prevent malicious servers
from reading messages. If the server has a certificate with a matching
hostname signed by a CA in /etc/ssl/cert.pem, it is
verified with that by default. If the server has a certificate with a
matching hostname signed by a private CA, use the -C
option and put that CA into CAfile. Validation can be
explicitly turned off using the -V
option. If the
server is accepting messages only from clients with a trusted client
certificate, use the -k
and
-c
options to authenticate
syslogd
with this certificate.
When receiving syslog messages from a TLS client, there must be a
server key and certificate in
/etc/ssl/private/host[:port].key
and
/etc/ssl/host[:port].crt.
If the client uses certificates to authenticate, the CA of the client's
certificate may be added to CAfile using the
-K
option to protect from messages being spoofed by
malicious senders.
FILES
- /dev/log
- Name of the UNIX-domain datagram log socket.
- /dev/klog
- Kernel log device.
- /etc/ssl/
- Private keys and public certificates.
- /etc/syslog.conf
- Configuration file.
- /var/run/syslog.pid
- Process ID of current
syslogd
.
SEE ALSO
logger(1), syslog(3), services(5), syslog.conf(5), newsyslog(8), syslogc(8)
HISTORY
The syslogd
command appeared in
4.3BSD.
CAVEATS
syslogd
does not create files, it only
logs to existing ones.