.\" Copyright (c) 1990, 1991, 1993
.\"     The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"     This product includes software developed by the University of
.\"     California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd June 9, 1993
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
and
.Em hostname
specifications,
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters or spaces.
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for the ease of configuration
(e.g. it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of the
.Nm
(i.e. tab characters only).
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Dq \&. ,
an optional set of comparison flags
.Pq Bq <=> ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, console, cron, daemon, ftp, kern,
lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through
local7.
These keywords (with the exception of mark) correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what is logged.
The default set of comparison flags is
.Dq =>
(or, if you prefer,
.Dq >= ) ,
which means that messages from the specified
.Em facility
list of a priority
level equal to or greater than
.Em level
will be logged.
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Thus, if a block which selects
.Ql ppp
as the
.Em program
is directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost ,
then the second block will only log messages
from the
.Xr ppp 8
program on dialhost.
.Pp
A
.Em program
specification is a line beginning with
.Ql #!prog
or
.Ql !prog
(the former is for compatibility with the previous syslogd, if one is sharing
.Nm
files, for example)
and the following blocks will be associated with calls to
.Xr syslog 3
from that specific program.
A
.Em program
specification for
.Ql foo
will also match any message logged by the kernel with the prefix
.Ql "foo: " .
A
.Em hostname
specification is a line of the form
.Ql #+hostname
or
.Ql +hostname
and the following blocks will be applied to messages
received from the specified hostname.
Alternatively, a
.Em hostname
specification
.Ql #-hostname
or
.Ql -hostname
causes the following blocks to be applied to messages
from any host but the one specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
A
.Em program
or
.Em hostname
specification may be reset by giving the program or hostname as
.Ql * .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It's preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases,
though, an appropriate
.Em facility
simply doesn't exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Dq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Dq \&,
characters.
.Pp
An asterisk
.Pq Dq *
can be used to specify all
.Em facilities ,
all
.Em levels ,
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.It
A hostname (preceded by an at
.Pq Dq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Dq \&| ,
followed by a command to pipe the selected
messages to.  The command is passed to
.Xr sh 1
for evaluation, so usual shell metacharacters or input/output
redirection can occur.  (Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.)  The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.  If the process didn't exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it.  If it exited later, it will be restarted as necessary.  So if it
is desired that the subprocess should get exactly one line of input only
(which can be very resource-consuming if there are a lot of messages
flowing quickly), this can be achieved by exiting after just one line of
input.  If necessary, a script wrapper can be written to this effect.
.Pp
Unless the command is a full pipeline, it's probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.  Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Dq #
character are ignored.
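.Pp
A command for the pipe action has to cope with the conditions listed above:
it runs under the UID of
.Xr syslogd 8 ,
its stdout and stderr are discarded, and it may be signalled while holding buffered output.
The filter below is an added example, not part of syslogd or of the original page; its output path, keyword and sample messages are constructed.

```python
import os
import signal
import sys

# Constructed sample messages, in the shape syslogd would write to the pipe.
SAMPLE = [
    "Jun  9 10:00:00 dialhost sshd[411]: Failed password for root\n",
    "Jun  9 10:00:01 dialhost sshd[411]: Accepted publickey for eric\n",
    "Jun  9 10:00:02 dialhost login: Failed login on ttyv0\n",
]


def run_filter(stream, out_path, keyword, max_lines=None):
    """Append lines containing keyword to out_path; return how many were kept.

    max_lines=1 gives the "exactly one line of input" mode: the filter exits
    after one message and syslogd restarts it for the next one.
    """
    # The filter runs as the UID that invoked syslogd (normally root), so
    # create the file owner-only, append rather than truncate, and refuse to
    # follow a symbolic link planted at out_path.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(out_path, flags, 0o600)
    kept = 0
    try:
        for seen, line in enumerate(stream, 1):  # ends at EOF: pipe closed
            if keyword in line:
                # os.write is unbuffered, so a SIGTERM after the grace period
                # cannot discard messages sitting in a stdio buffer.
                os.write(fd, line.encode())
                kept += 1
            if max_lines is not None and seen >= max_lines:
                break
    finally:
        os.close(fd)
    return kept


if __name__ == "__main__":
    # stdout and stderr are /dev/null here, so results must go to a file.
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit(0))
    # Hypothetical output path and keyword.
    run_filter(sys.stdin, "/var/log/auth.filtered", "Failed")
```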
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none	/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none		/var/log/messages

# Log daemon messages at debug level only
daemon.=debug				/var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*				/var/log/secure

# Log all the mail messages in one place.
mail.*					/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg					*
*.emerg					@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert					root,eric

# Save uucp and news errors of level crit and higher in a
# special file.
uucp,news.crit				/var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*					|exec /usr/local/sbin/authfilter

# Save ftpd transactions along with uucp and news
!ftpd
*.*					/var/log/spoolerr

# Reset the program specification so that the remaining
# lines apply to all programs again.
!*

# Log all security messages to a separate file.
security.*				/var/log/security

# Log all writes to /dev/console to a separate file.
console.*				/var/log/console.log
.Ed
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled,
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.El
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.  The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.  Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
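.Pp
The selector rules from DESCRIPTION and the
.Dq mail.crit,*.err
case from BUGS can be checked with the following model, which is an added example and not the parser used by
.Xr syslogd 8 .
It assumes that a later selector naming a facility replaces the earlier setting for that facility, as this page describes, and it lets an administrator confirm that a line such as the /var/log/messages rule really excludes authpriv.

```python
import re

# Ordered as on this page, most severe first.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# "mark" is left out on purpose: an asterisk facility does not enable it.
FACILITIES = ["auth", "authpriv", "console", "cron", "daemon", "ftp", "kern",
              "lpr", "mail", "news", "ntp", "security", "syslog", "user",
              "uucp"] + ["local%d" % n for n in range(8)]
# facility list, period, optional comparison flags, level
SELECTOR = re.compile(r"([^.,;][^.;]*)[.]([<=>]*)([a-z*]+)")


def compile_selectors(field):
    """Map facility -> (flags, level), or None where "none" disabled it."""
    table = {}
    for facs, flags, level in SELECTOR.findall(field.lower()):
        if level == "none":
            rule = None
        elif level == "*":
            rule = ("<=>", "debug")          # every level
        elif level in LEVELS:
            rule = (flags or ">=", level)    # default flags are >=
        else:
            raise ValueError("unknown level: " + level)
        for fac in facs.split(","):
            for name in (FACILITIES if fac == "*" else [fac]):
                table[name] = rule           # later selectors overwrite
    return table


def selected_levels(field, facility):
    """List the levels of one facility that a selector field selects."""
    rule = compile_selectors(field).get(facility)
    if rule is None:
        return []
    flags, ref = rule[0], LEVELS.index(rule[1])
    return [lvl for i, lvl in enumerate(LEVELS)
            if ("=" in flags and i == ref)
            or (">" in flags and i < ref)    # higher level than ref
            or ("<" in flags and i > ref)]   # lower level than ref


# The BUGS case: mail ends up at err or higher, not crit or higher.
assert selected_levels("mail.crit,*.err", "mail") == LEVELS[:4]
```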