syslogd(1M) syslogd(1M) NAME syslogd - log systems messages SYNOPSIS /usr/etc/syslogd [ -fconfigfile ] [ -mmarkinterval ] [ -plogpipe ] [ -d ] [ -a mask,match | -a match ] [-A] [ -P port_number | -N ] DESCRIPTION syslogd reads and logs messages into a set of files described by the configuration file /etc/syslog.conf. Each message is one line. A message can contain a priority code, marked by a number in angle braces at the beginning of the line. Priorities are defined in <sys/syslog.h>. syslogd reads from the stream device /dev/log, from an Internet domain socket specified in /etc/services, and from the special device /dev/klog (to read kernel messages). syslogd reads its configuration when it starts up and whenever it receives a hangup signal. Lines in the configuration file have a selector to determine the message priorities to which the line applies and an action. The action fields are separated from the selector by one or more tabs. A maximum of 50 lines can be specified. It is recommended that no more than 49 be used, or the LOG_LFMT facility may not work correctly; this facility is used by login(1), among other programs. Selectors are semicolon separated lists of priority specifiers. Each priority has a facility describing the part of the system that generated the message, a dot, and a level indicating the severity of the message. Symbolic names can be used. An asterisk (*) selects all facilities, while debug selects all levels. All messages of the specified level or higher (greater severity) are selected. More than one facility can be selected, using commas to separate them. For example: *.emerg;mail,daemon.crit selects all facilities at the emerg level and the mail and daemon facilities at the crit level. Known facilities and levels recognized by syslogd are those listed in syslog(3C) without the leading LOG_. The additional facility mark logs messages at priority LOG_INFO every 20 minutes (this interval can be changed with the -m flag). The mark facility is not enabled by a facility field containing an asterisk. The level none can be used to disable a particular facility. For example: *.debug;mail.none sends all messages except mail messages to the selected file. The second part of each line describes where the message is to be logged if this line is selected. There are five forms: + A filename (beginning with a leading slash). The file is opened in append mode. + A hostname preceded by an at sign (@). Selected messages are forwarded to the syslogd on the named host. + A comma-separated list of users. Selected messages are written to those users if they are logged in. + An asterisk. Selected messages are written to all logged-in users. + A |, followed immediately by a program name, which is taken to be all chars after the | up to the next tab; at least one action must follow the tab. The filter is expected to read stdin and write the filtered response to stdout. The filter receives the source and message through stdin. A filter can also access the priority, facility, and hostname via environmental variables: PRIORITY, FACILITY, and FROM. The values are stored as strings defined in <sys/syslog.h>. If the filter exits with a non-zero value, the original message is logged, as well as a message that the filter failed. The filter has a limited time (currently eight seconds) to process the message. If the filter exits with status 0 without writing any data, no message is logged. The data to be read by the filter is not terminated with a newline, nor should the data written have a newline appended. See below for a sample filter. Blank lines and lines beginning with # are ignored. For example, the configuration file: kern.debug |/usr/sbin/klogpp /var/adm/SYSLOG kern.debug |/usr/sbin/klogpp /dev/console user,mail,daemon,auth,syslog,lpr.debug /var/adm/SYSLOG kern.err @ginger *.emerg * *.alert eric,beth *.alert;auth.warning ralph filters all kernel messages through klogpp(1M) and writes them to the system console and into /var/adm/SYSLOG and logs debug (or higher) level messages into the file /var/adm/SYSLOG. Kernel messages of error severity or higher are forwarded to ginger. All users are informed of any emergency messages. The users eric and beth are informed of any alert messages. The user ralph is informed of any alert message or any warning message (or higher) from the authorization system. syslogd is started at system initialization from /etc/init.d/sysetup. Optional site-specific flags belong in /etc/config/syslogd.options. The flags are: -fconfigfile Specify an alternate configuration file. -mmarkinterval Select the number of minutes between mark messages. -d Turn on debugging. syslogd runs in the foreground and writes debugging information to stdout. -plogpipe Use the given name for the device instead of /dev/log. Unless specified otherwise by the -P option, syslogd use UDP port defined by 'syslog' entry in /etc/services ( or NIS ) to send ( when @host is used in the configuration file ) and receive syslog data from other hosts. There are no restriction for the list of forwarding hosts. However, to restrict the list of hosts ( or networks ) allowed to send message to syslog, use only one of the following methods: + -N, disabling receiving anything + a combination of -a or -A specifications. -a mask,match -a match This option defines which hosts ( or subsets ) are allowed to send messages to syslog. The mask, and match arguments are IP addresses in Internet dot notation (see inet(3N)) that represent masks, hosts or networks. The mask and match arguments must be separated by a comma with no intervening whitespace. If mask and the comma are missing, the argument is interpreted as a Class A, B, or C network number and the mask is set to the value appropriate for the network's class. The -a option can be repeated up to 50 times. For each mask and match specified, the requesting client host's address is logically-ANDed with mask; if the result equals match, the client's request is processed. If none of the mask-match comparisons succeed, the request is rejected. Requests from all of the local host's addresses are always permitted. For example, if /etc/config/syslogd.options contains -a 255.255.255.0,128.32.199.0 -a 192.0.2.0 -a 255.255.255.255,192.26.51.3 access is restricted to any host on the Class B 128.32.199 subnet or the Class C 192.0.2 network or to the host with the 192.26.51.3 address. Requests from clients on any other networks are rejected. -A This option is equivalent to a series of -a options listing all of the addresses of interfaces on the machine, with their netmasks. It is convenient for authorizing hosts on directly connected networks and point-to-point links without explicitly enumerating the networks. The restrictions defined by -A do not count against the limit of 50 -a options. -N This option disable receiving network data on UDP port defined by 'syslog' in /etc/services ( or NIS ) or by the -P option below. However, sending data ( forwarding ) is still available and will *emit* from any UDP port. NOTE: When -N is not active, syslog use the 'syslog' port /etc/services ( or NIS ) or by the -P option below. This port is used in both directions, for receiving and sending data. This is in compliance of RFC3164. -P port number This option allows listening on UDP port different than the default ( 514 ). syslogd rereads its configuration file when it receives a hangup signal, SIGHUP. To bring syslogd down, send it a terminate signal (for example, killall -TERM syslogd). SECURITY CONSIDERATIONS syslogd creates log files in mode 644 which allows general read access. If the log file already exists, its permissions are unchanged. The system administrator may wish to create separate log files with more restricted permissions for sensitive information such as LOG_AUTH messages. Scripts or cron(1M) jobs that roll (that is save and restart with a new file) these sensitive log files should ensure that the new log file has the desired permissions. FILTER EXAMPLE This example shows how to use the filter mechanism. To have ftpd(1M) messages logged in a different file, add the following line to /etc/syslog.conf: daemon,auth.debug |/var/adm/ftpd.filt /var/adm/ftpd.log The /var/adm/ftpd.filt file is a shell script: #!/bin/sh # This filter only accepts ftpd messages read line set $line case "$1" { ftpd\[*) echo "$line\c" exit 0 ;; } exit 0 MESSAGE EXAMPLE The following is an example line from the /var/adm/SYSLOG file: Aug 10 10:32:53 6F:sgihost syslogd: restart Each line has several parts. The date and time of the message are listed first, followed by a priority and facility code. Priorities are listed as 0-7 and facilities are listed as A-T. Reference <sys/syslog.h>. The source is the name of the program that generated the message. Following the source is the message itself. NOTES IP filtering options flags ( -N, -P, -A and -a ) were introduced in IRIX 6.5.15 and are not available in earlier releases. FILES /etc/syslog.conf default configuration file /dev/log device read by syslogd /dev/klog the kernel log device /usr/sbin/klogpp filter for kernel messages /etc/config/syslogd.options command-line flags used at system startup SEE ALSO logger(1), sysmon(1M), syslog(3C). Page 5