NAME
syslogd
—
log system messages
SYNOPSIS
syslogd |
[-46dFhnruVZ ]
[-a path]
[-C CAfile]
[-c cert_file]
[-f config_file]
[-K CAfile]
[-k key_file]
[-m mark_interval]
[-p log_socket]
[-S listen_address]
[-s reporting_socket]
[-T listen_address]
[-U bind_address] |
DESCRIPTION
syslogd
writes system messages to log
files or a user's terminal. Output can be sent to other programs for further
processing. It can also securely send and receive log messages to and from
remote hosts.
The options are as follows:
-4
- Forces
syslogd
to use only IPv4 addresses for UDP. -6
- Forces
syslogd
to use only IPv6 addresses for UDP. -a
path- Specify a location where
syslogd
should place an additional log socket. The primary use for this is to place additional log sockets in /dev/log of various chroot filespaces, though the need for these is less urgent after the introduction of sendsyslog(2). -C
CAfile- PEM encoded file containing CA certificates used for certificate validation of a remote loghost; the default is /etc/ssl/cert.pem.
-c
cert_file- PEM encoded file containing the client certificate for TLS connections to
a remote loghost. The default is not to use a client certificate for the
outgoing connection to a syslog server. This option has to be used
together with
-k
key_file. -d
- Enable debugging to the standard output, and do not disassociate from the controlling terminal.
-F
- Run in the foreground instead of disassociating from the controlling terminal and running as a background daemon.
-f
config_file- Specify the pathname of an alternate configuration file; the default is /etc/syslog.conf.
-h
- Include the hostname when sending messages to a remote loghost.
-K
CAfile- PEM encoded file containing CA certificates used for client certificate validation on the local listen socket. By default incoming connections from any TLS client are allowed.
-k
key_file- PEM encoded file containing the client private key for TLS connections to
a remote loghost. This option has to be used together with
-c
cert_file. -m
mark_interval- Select the number of minutes between “mark” messages; the default is 20 minutes.
-n
- Print source addresses numerically rather than symbolically. This saves an
address-to-name lookup for each incoming message, which can be useful when
combined with the
-u
option on a loghost with no DNS cache. Messages from the local host will still be logged with the symbolic local host name. -p
log_socket- Specify the pathname of an alternate log socket to be used instead; the default is /dev/log.
-r
- Print duplicate lines immediately and suppress the "last message repeated" summary when piping to another program or forwarding to a remote loghost. If given twice, this is done for all log actions.
-S
listen_address- Create a TLS listen socket for receiving encrypted messages and bind it to the specified address. A port number may be specified using the host:port syntax. The first listen_address is also used to find a suitable server key and certificate in /etc/ssl/.
-s
reporting_socket- Specify path to a UNIX-domain socket for use in reporting logs stored in memory buffers using syslogc(8).
-T
listen_address- Create a TCP listen socket for receiving messages and bind it to the specified address. There is no well-known port for syslog over TCP, so a port number must be specified using the host:port syntax.
-U
bind_address- Create a UDP socket for receiving messages and bind it to the specified
address. This can be used, for example, with a pf divert-to rule to
receive packets when
syslogd
is bound to localhost. A port number may be specified using the host:port syntax. -u
- Select the historical “insecure” mode, in which
syslogd
will accept input from the UDP port. Some software wants this, but you can be subjected to a variety of attacks over the network, including attackers remotely filling logs. -V
- Do not perform remote server certificate and hostname validation when sending messages.
-Z
- Generate timestamps in ISO format. This includes the year and the timezone, and all logging is done in UTC.
The options -a
,
-S
, -T
, and
-U
can be given more than once to specify multiple
input sources.
When starting up, syslogd
reads its
configuration file,
syslog.conf(5), and opens the configured logfiles and TCP and
TLS connections. The logfiles already have to exist with the correct
permissions. When receiving a SIGHUP
signal, it
closes all open logfiles and outgoing TCP and TLS connections and re-runs
this initialization sequence. Sending this signal is required both after
editing the configuration file and after log rotation.
syslogd
opens a UDP socket, as specified
in /etc/services, for sending forwarded messages. By
default all incoming data on this socket is discarded. If insecure mode is
switched on with -u
, it will also read messages from
the socket. syslogd
also opens and reads messages
from the UNIX-domain socket
/dev/log, and from the special device
/dev/klog (to read kernel messages), and from
sendsyslog(2) (to read messages from userland processes).
The message sent to syslogd
should consist
of a single line. Embedded new line characters are converted to spaces;
binary data is encoded by
vis(3), but no backslash is inserted. The message can contain a
priority code, which should be a preceding decimal number in angle braces,
for example, “<5>”. This priority code should map into
the priorities defined in the include file
<sys/syslog.h>
.
When sending syslog messages to a remote loghost via TLS, the
server's certificate and hostname are validated to prevent malicious servers
from reading messages. If the server has a certificate with a matching
hostname signed by a CA in /etc/ssl/cert.pem, it is
verified with that by default. If the server has a certificate with a
matching hostname signed by a private CA, use the -C
option and put that CA into CAfile. Validation can be
explicitly turned off using the -V
option. If the
server is accepting messages only from clients with a trusted client
certificate, use the -k
and
-c
options to authenticate
syslogd
with this certificate.
When receiving syslog messages from a TLS client, there must be a
server key and certificate in
/etc/ssl/private/host[:port].key
and
/etc/ssl/host[:port].crt.
If the client uses certificates to authenticate, the CA of the client's
certificate may be added to CAfile using the
-K
option to protect from messages being spoofed by
malicious senders.
FILES
- /dev/log
- Name of the UNIX-domain datagram log socket.
- /dev/klog
- Kernel log device.
- /etc/ssl/
- Private keys and public certificates.
- /etc/syslog.conf
- Configuration file.
- /var/run/syslog.pid
- Process ID of current
syslogd
.
SEE ALSO
logger(1), syslog(3), services(5), syslog.conf(5), newsyslog(8), syslogc(8)
HISTORY
The syslogd
command appeared in
4.3BSD.
CAVEATS
syslogd
does not create files, it only
logs to existing ones.