log system messages
syslogd writes system messages to log
files or a user's terminal. Output can be sent to other programs for further
processing. It can also securely send and receive log messages to and from
The options are as follows:
syslogd to use only IPv4 addresses for UDP.
syslogd to use only IPv6 addresses for UDP.
- Specify a location where syslogd should place an additional log socket. The primary use for this is to place additional log sockets in /dev/log of various chroot filespaces, though the need for these is less urgent after the introduction of sendsyslog(2).
- PEM encoded file containing CA certificates used for certificate validation of a remote loghost; the default is /etc/ssl/cert.pem.
- PEM encoded file containing the client certificate for TLS connections to
a remote loghost. The default is not to use a client certificate for the
outgoing connection to a syslog server. This option has to be used
- Enable debugging to the standard output, and do not disassociate from the controlling terminal.
- Run in the foreground instead of disassociating from the controlling terminal and running as a background daemon.
- Specify the pathname of an alternate configuration file; the default is /etc/syslog.conf.
- Include the hostname when sending messages to a remote loghost.
- PEM encoded file containing CA certificates used for client certificate validation on the local listen socket. By default incoming connections from any TLS client are allowed.
- PEM encoded file containing the client private key for TLS connections to
a remote loghost. This option has to be used together with
- Select the number of minutes between “mark” messages; the default is 20 minutes.
- Print source addresses numerically rather than symbolically. This saves an address-to-name lookup for each incoming message, which can be useful when combined with the -u option on a loghost with no DNS cache. Messages from the local host will still be logged with the symbolic local host name.
- Specify the pathname of an alternate log socket to be used instead; the default is /dev/log.
- Print duplicate lines immediately and suppress the "last message repeated" summary when piping to another program or forwarding to a remote loghost. If given twice, this is done for all log actions.
- Create a TLS listen socket for receiving encrypted messages and bind it to the specified address. A port number may be specified using the host:port syntax. The first listen_address is also used to find a suitable server key and certificate in /etc/ssl/.
- Specify path to an AF_LOCAL socket for use in reporting logs stored in memory buffers using syslogc(8).
- Create a TCP listen socket for receiving messages and bind it to the specified address. There is no well-known port for syslog over TCP, so a port number must be specified using the host:port syntax.
- Create a UDP socket for receiving messages and bind it to the specified address. This can be used, for example, with a pf divert-to rule to receive packets when syslogd is bound to localhost. A port number may be specified using the host:port syntax.
- Select the historical “insecure” mode, in which syslogd will accept input from the UDP port. Some software wants this, but you can be subjected to a variety of attacks over the network, including attackers remotely filling logs.
- Do not perform remote server certificate and hostname validation when sending messages.
- Generate timestamps in ISO format. This includes the year and the timezone, and all logging is done in UTC.
-U can be given more than once to specify multiple
syslogd reads its configuration file,
syslog.conf(5), when it starts up and whenever it receives a
SIGHUP signal. It creates the file
/var/run/syslog.pid and stores its process ID there.
The PID can be used to kill or reconfigure
syslogd opens a UDP socket, as specified
in /etc/services, for sending forwarded messages. By
default all incoming data on this socket is discarded. If insecure mode is
switched on with
-u, it will also read messages from
syslogd also opens and reads messages
from the UNIX-domain socket
/dev/log, and from the special device
/dev/klog (to read kernel messages), and from
sendsyslog(2) (to read messages from userland processes).
The message sent to
syslogd should consist
of a single line. The message can contain a priority code, which should be a
preceding decimal number in angle braces, for example,
“<5>”. This priority code should map into the priorities
defined in the include file
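
The priority prefix described above, decoded by an added example that is not part of syslogd. The function name decode_pri is hypothetical, the encoding (priority = facility * 8 + severity, highest defined value 191) is the one used by <syslog.h>, and what syslogd itself does with an out-of-range value is not modelled.

```sh
# Added example: classify one message by its optional "<N>" priority prefix.
# Prints "facility=F severity=NAME" or a reason; returns 1 for a message that
# breaks the single-line or decimal-priority rules.
decode_pri() {
    line=$1
    nl='
'
    # A message should consist of a single line.
    case $line in
        *"$nl"*) echo "reject: embedded newline"; return 1 ;;
    esac
    # The priority code is optional.
    case $line in
        "<"*">"*) ;;
        *) echo "no priority prefix"; return 0 ;;
    esac
    pri=${line#"<"}
    pri=${pri%%">"*}
    case $pri in
        ''|*[!0-9]*) echo "reject: non-numeric priority"; return 1 ;;
    esac
    # Strip leading zeros so the shell never reads the value as octal.
    while [ "${#pri}" -gt 1 ] && [ "${pri#0}" != "$pri" ]; do
        pri=${pri#0}
    done
    # 191 = facility 23 (local7), severity 7 (debug).
    if [ "${#pri}" -gt 3 ] || [ "$pri" -gt 191 ]; then
        echo "reject: priority out of range"
        return 1
    fi
    sev=$((pri % 8))
    fac=$((pri / 8))
    set -- emerg alert crit err warning notice info debug
    shift "$sev"
    echo "facility=$fac severity=$1"
}
```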
When sending syslog messages to a remote loghost via TLS, the
server's certificate and hostname are validated to prevent malicious servers
from reading messages. If the server has a certificate with a matching
hostname signed by a CA in /etc/ssl/cert.pem, it is
verified with that by default. If the server has a certificate with a
matching hostname signed by a private CA, use the
option and put that CA into CAfile. Validation can be
explicitly turned off using the
-V option. If the
server is accepting messages only from clients with a trusted client
certificate, use the
-c options to authenticate
syslogd with this certificate.
When receiving syslog messages from a TLS client, there must be a
server key and certificate in
If the client uses certificates to authenticate, the CA of the client's
certificate may be added to CAfile using the
-K option to protect from messages being spoofed by
- Name of the UNIX-domain datagram log socket.
- Kernel log device.
- Private keys and public certificates.
- Configuration file.
- Process ID of current
logger(1), syslog(3), services(5), syslog.conf(5), newsyslog(8), syslogc(8)
syslogd command appeared in
syslogd does not create files, it only
logs to existing ones.
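
A configuration review for the network-facing options described on this page (insecure UDP input, disabled server validation, plaintext listeners, and a TLS listener without a client CA), as an added example that is not part of syslogd. The function name audit_syslogd_flags and the finding labels are hypothetical, and the option string assumes the OpenBSD syslogd(8) usage line.

```sh
# Added example: review a syslogd flag string (as stored in rc.conf.local)
# and print one label per risky setting, space separated.
audit_syslogd_flags() {
    findings="" tls_listen=0 client_ca=0 OPTIND=1
    # Split the flag string into words without expanding globs.
    set -f
    set -- $1
    set +f
    # Option string assumed from the OpenBSD syslogd(8) usage line.
    while getopts ':46a:C:c:dFf:hK:k:m:np:rS:s:T:U:uVZ' opt; do
        case $opt in
            u) findings="$findings insecure-udp-input" ;;
            V) findings="$findings server-validation-disabled" ;;
            T) findings="$findings plaintext-tcp-listener:$OPTARG" ;;
            U) findings="$findings udp-listener:$OPTARG" ;;
            S) tls_listen=1 ;;
            K) client_ca=1 ;;
            \?) findings="$findings unknown-flag:-$OPTARG" ;;
            :) findings="$findings missing-argument:-$OPTARG" ;;
        esac
    done
    # Without a client CA, connections from any TLS client are allowed.
    if [ "$tls_listen" -eq 1 ] && [ "$client_ca" -eq 0 ]; then
        findings="$findings tls-listener-accepts-any-client"
    fi
    echo "${findings# }"
}
```

An empty result means none of these settings is present in the flag string; it says nothing about syslog.conf(5) forwarding rules.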