NAME

syslog.conf — syslogd(8) configuration file

DESCRIPTION

The syslog.conf file is the configuration file for the syslogd(8) program. It consists of blocks of lines separated by program specifications, with each line containing two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies the action to be taken if a message syslogd(8) receives matches the selection criteria. The selector field is separated from the action field by one or more tab or space characters.

The selectors are encoded as a facility, a period (‘.’), and a level, with no intervening whitespace. Both the facility and the level are case insensitive.

The facility describes the part of the system generating the message, and is one of the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, syslog, user, uucp and local0 through local7. These keywords (with the exception of mark) correspond to the similar “LOG_” values specified to the openlog(3) and syslog(3) library routines.

The level describes the severity of the message, and is a keyword from the following ordered list (highest to lowest): emerg, alert, crit, err, warning, notice, info and debug. These keywords correspond to the similar (LOG_) values specified to the syslog(3) library routine.

Each block of lines is separated from the previous block by a tag. The tag is a line beginning with !prog and each block will be associated with calls to syslog from that specific program (matched using glob(7) rules). When a message matches multiple blocks, the action of each matching block is taken. If no tag is specified at the beginning of the file, every line is checked for a match and acted upon (at least until a tag is found).

!!prog causes the subsequent block to abort evaluation when a message matches, ensuring that only a single set of actions is taken. !* can be used to ensure that any ensuing blocks are further evaluated (i.e. cancelling the effect of a !prog or !!prog).

Blocks starting with +host or ++host or +* work the same way as their prog counterparts, but they match on the hostname instead of the program name.

See syslog(3) for further descriptions of both the facility and level keywords and their significance. It's recommended that selections be made on facility rather than program, since the latter can easily vary in a networked environment. In some cases, though, an appropriate facility simply doesn't exist.

If a received message matches the specified facility and is of the specified level (or a higher level), and the first word in the message after the date matches the program, the action specified in the action field will be taken. In this context, ascii(7) letters, digits, hyphens (‘-’), periods (‘.’), and underscores (‘_’) can be contained in a word; other bytes end the word.

Multiple selectors may be specified for a single action by separating them with semicolon (‘;’) characters. It is important to note, however, that each selector can modify the ones preceding it.

Multiple facilities may be specified for a single level by separating them with comma (‘,’) characters.

An asterisk (‘*’) can be used to specify all facilities, all levels or all programs.

The special facility “mark” receives a message at priority “info” every 20 minutes (see syslogd(8)). This is not enabled by a facility field containing an asterisk.

The special level “none” disables a particular facility.

The action field of each line specifies the action to be taken when the selector field selects a message. There are six forms:

• A pathname (beginning with a leading slash). Selected messages are appended to the file.
• A pipe to another program (beginning with a leading pipe symbol). The given program is started and presented the selected messages on its standard input. If the program exits, syslogd(8) tries to restart it.
• A hostname (preceded by an at (‘@’) sign). Selected messages are forwarded to the syslogd(8) program on the named host. A port number may be specified using the host:port syntax. This is optional for UDP and TLS. There is no well-known port for syslog over TCP, so in this case it is mandatory to specify the port. IPv6 addresses can be used by surrounding the address portion with square brackets (‘[’ and ‘]’). A prefix udp4:// or udp6:// in front of the hostname and after the at sign will force IPv4 or IPv6 addresses for UDP transport. The prefixes tcp[46]:// or tls[46]:// send messages over TCP or TLS, respectively, with an optional IP version 4 or 6.
• A comma separated list of users. Selected messages are written to those users if they are logged in.
• An asterisk. Selected messages are written to all logged-in users.
• A colon, followed by a memory buffer size (in kilobytes), followed by another colon, followed by a buffer name. Selected messages are written to an in-memory buffer that may be read using syslogc(8). Memory buffered logging is useful to provide access to log data on devices that lack local storage (e.g. diskless workstations or routers). The largest allowed buffer size is 256kb.

Blank lines and lines whose first non-blank character is a hash (‘#’) character are ignored.

FILES

/etc/syslog.conf

The syslogd(8) configuration file.

EXAMPLES

A configuration file might appear as follows:

# Log info (and higher) messages from spamd only to
# a dedicated file, discarding debug messages.
# Matching messages abort evaluation of further rules.
!!spamd
daemon.info						/var/log/spamd
daemon.debug						/dev/null
!*

# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none			/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none				/var/log/messages

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg							*
*.emerg							@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert							root,eric

# Log everything coming from host bastion to a separate file.
++bastion
*.*							/var/log/bastion
+*

# Save mail and news errors of level err and higher in a
# special file.
mail,news.err						/var/log/spoolerr

# Save ftpd transactions along with mail and news.
!ftpd
*.*							/var/log/spoolerr

# Keep a copy of all logging in a 32k memory buffer named "debug".
*.debug							:32:debug

# Store notices and authpriv messages in a 64k buffer named "important".
*.notice,authpriv.*					:64:important

# Feed everything to logsurfer.
*.*						|/usr/local/sbin/logsurfer

SEE ALSO

syslog(3), syslogc(8), syslogd(8)

HISTORY

The syslog.conf file appeared in 4.3BSD, along with syslogd(8).

Historic versions of syslogd(8) did not support space-delimited fields.

BUGS

The effects of multiple selectors are sometimes not intuitive. For example “mail.crit;*.err” will select “mail” facility messages at the level of “err” or higher, not at the level of “crit” or higher.