syslog.conf —
syslogd(8) configuration file
The
syslog.conf file is the configuration
file for the
syslogd(8)
program. It consists of blocks of lines separated by
program specifications, with each line containing
two fields: the
selector field which specifies
the types of messages and priorities to which the line applies, and an
action field which specifies the action to be
taken if a message
syslogd(8)
receives matches the selection criteria. The
selector field is separated from the
action field by one or more tab or space
characters.
The
selectors are encoded as a
facility, a period
(‘
.’), and a
level, with no intervening whitespace. Both the
facility and the
level are case insensitive.
The
facility describes the part of the system
generating the message, and is one of the following keywords: auth, authpriv,
cron, daemon, ftp, kern, lpr, mail, mark, news, syslog, user, uucp and local0
through local7. These keywords (with the exception of mark) correspond to the
similar “
LOG_” values
specified to the
openlog(3) and
syslog(3) library routines.
The
level describes the severity of the message,
and is a keyword from the following ordered list (highest to lowest): emerg,
alert, crit, err, warning, notice, info and debug. These keywords correspond
to the similar (
LOG_) values specified to
the
syslog(3) library routine.
Each block of lines is separated from the previous block by a tag. The tag is a
line beginning with
!prog and each block will be
associated with calls to syslog from that specific program. When a message
matches multiple blocks, the action of each matching block is taken. If no tag
is specified at the beginning of the file, every line is checked for a match
and acted upon (at least until a tag is found).
!!prog causes the subsequent block to abort
evaluation when a message matches, ensuring that only a single set of actions
is taken.
!* can be used to ensure that any
ensuing blocks are further evaluated (i.e. cancelling the effect of a
!prog or
!!prog).
Blocks starting with
+host or
++host or
+* work
the same way as their
prog counterparts, but they
match on the hostname instead of the program name.
See
syslog(3) for further
descriptions of both the
facility and
level keywords and their significance. It's
recommended that selections be made on
facility
rather than
program, since the latter can easily
vary in a networked environment. In some cases, though, an appropriate
facility simply doesn't exist.
If a received message matches the specified
facility and is of the specified
level (
or a higher
level), and the first word in the message after the date matches the
program, the action specified in the
action field will be taken.
Multiple
selectors may be specified for a single
action by separating them with semicolon
(‘
;’) characters. It is important to
note, however, that each
selector can modify the
ones preceding it.
Multiple
facilities may be specified for a single
level by separating them with comma
(‘
,’) characters.
An asterisk (‘
*’) can be used to specify
all
facilities, all
levels or all
programs.
The special
facility “mark” receives
a message at priority “info” every 20 minutes (see
syslogd(8)). This is not
enabled by a
facility field containing an
asterisk.
The special
level “none” disables a
particular
facility.
The
action field of each line specifies the action
to be taken when the
selector field selects a
message. There are six forms:
- A pathname (beginning with a leading slash). Selected messages are
appended to the file.
- A pipe to another program (beginning with a leading pipe symbol). The
given program is started and presented the selected messages on its
standard input. If the program exits,
syslogd(8) tries to restart
it.
- A hostname (preceded by an at (‘
@’)
sign). Selected messages are forwarded to the
syslogd(8) program on the
named host. A port number may be specified using the
host:port syntax. This is optional for
UDP and TLS. There is no well-known port for syslog over TCP, so in this
case it is mandatory to specify the port. IPv6 addresses can be used by
surrounding the address portion with square brackets
(‘[’ and
‘]’). A prefix udp4:// or udp6:// in
front of the hostname and after the at sign will force IPv4 or IPv6
addresses for UDP transport. The prefixes tcp[46]:// or tls[46]:// send
messages over TCP or TLS, respectively, with an optional IP version 4 or
6.
- A comma separated list of users. Selected messages are written to those
users if they are logged in.
- An asterisk. Selected messages are written to all logged-in users.
- A colon, followed by a memory buffer size (in kilobytes), followed by
another colon, followed by a buffer name. Selected messages are written to
an in-memory buffer that may be read using
syslogc(8). Memory buffered
logging is useful to provide access to log data on devices that lack local
storage (e.g. diskless workstations or routers). The largest allowed
buffer size is 256kb.
Blank lines and lines whose first non-blank character is a hash
(‘
#’) character are ignored.
- /etc/syslog.conf
- The syslogd(8)
configuration file.
A configuration file might appear as follows:
# Log info (and higher) messages from spamd only to
# a dedicated file, discarding debug messages.
# Matching messages abort evaluation of further rules.
!!spamd
daemon.info /var/log/spamd
daemon.debug /dev/null
!*
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
*.emerg @arpa.berkeley.edu
# Root and Eric get alert and higher messages.
*.alert root,eric
# Log everything coming from host bastion to a separate file.
++bastion
*.* /var/log/bastion
+*
# Save mail and news errors of level err and higher in a
# special file.
mail,news.err /var/log/spoolerr
# Save ftpd transactions along with mail and news.
!ftpd
*.* /var/log/spoolerr
# Keep a copy of all logging in a 32k memory buffer named "debug".
*.debug :32:debug
# Store notices and authpriv messages in a 64k buffer named "important".
*.notice,authpriv.* :64:important
# Feed everything to logsurfer.
*.* |/usr/local/sbin/logsurfer
syslog(3),
syslogc(8),
syslogd(8)
The
syslog.conf file appeared in
4.3BSD, along with
syslogd(8).
Historic versions of
syslogd(8)
did not support space-delimited fields.
The effects of multiple selectors are sometimes not intuitive. For example
“mail.crit;*.err” will select “mail” facility
messages at the level of “err” or higher, not at the level of
“crit” or higher.
![[OpenBSD]](/openbsd.gif){kind=small}