1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by the University of 15.\" California, Berkeley and its contributors. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 33.\" $Id: syslog.conf.5,v 1.7 1997/09/14 06:55:15 joerg Exp $ 34.\" 35.Dd June 9, 1993 36.Dt SYSLOG.CONF 5 37.Os 38.Sh NAME 39.Nm syslog.conf 40.Nd 41.Xr syslogd 8 42configuration file 43.Sh DESCRIPTION 44The 45.Nm 46file is the configuration file for the 47.Xr syslogd 8 48program. 49It consists of 50blocks of lines separated by 51.Em program 52specifications, 53with each line containing two fields: the 54.Em selector 55field which specifies the types of messages and priorities to which the 56line applies, and an 57.Em action 58field which specifies the action to be taken if a message 59.Xr syslogd 60receives matches the selection criteria. 61The 62.Em selector 63field is separated from the 64.Em action 65field by one or more tab characters. 66.Pp 67The 68.Em Selectors 69function 70are encoded as a 71.Em facility , 72a period 73.Pq Dq \&. , 74and a 75.Em level , 76with no intervening white-space. 77Both the 78.Em facility 79and the 80.Em level 81are case insensitive. 82.Pp 83The 84.Em facility 85describes the part of the system generating the message, and is one of 86the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, 87mark, news, ntp, syslog, user, uucp and local0 through local7. 88These keywords (with the exception of mark) correspond to the 89similar 90.Dq Dv LOG_ 91values specified to the 92.Xr openlog 3 93and 94.Xr syslog 3 95library routines. 96.Pp 97The 98.Em level 99describes the severity of the message, and is a keyword from the 100following ordered list (higher to lower): emerg, alert, crit, err, 101warning, notice, info and debug. 102These keywords correspond to the 103similar 104.Dq Dv LOG_ 105values specified to the 106.Xr syslog 107library routine. 108.Pp 109Each block of lines is separated from the previous block by a tag. The tag 110is a line beginning with 111.Em #!prog 112or 113.Em !prog 114(the former is for compatibility with the previous syslogd, if one is sharing 115syslog.conf files, for example) 116and each block will be associated with calls to syslog from that specific 117program. 118.Pp 119See 120.Xr syslog 3 121for a further descriptions of both the 122.Em facility 123and 124.Em level 125keywords and their significance. It's preferred that selections be made on 126.Em facility 127rather than 128.Em program , 129since the latter can easily vary in a networked environment. In some cases, 130though, an appropriate 131.Em facility 132simply doesn't exist. 133.Pp 134If a received message matches the specified 135.Em facility 136and is of the specified 137.Em level 138.Em (or a higher level) , 139and the first word in the message after the date matches the 140.Em program , 141the action specified in the 142.Em action 143field will be taken. 144.Pp 145Multiple 146.Em selectors 147may be specified for a single 148.Em action 149by separating them with semicolon 150.Pq Dq \&; 151characters. 152It is important to note, however, that each 153.Em selector 154can modify the ones preceding it. 155.Pp 156Multiple 157.Em facilities 158may be specified for a single 159.Em level 160by separating them with comma 161.Pq Dq \&, 162characters. 163.Pp 164An asterisk 165.Pq Dq * 166can be used to specify all 167.Em facilities 168all 169.Em levels 170or all 171.Em programs . 172.Pp 173The special 174.Em facility 175.Dq mark 176receives a message at priority 177.Dq info 178every 20 minutes 179(see 180.Xr syslogd 8 ) . 181This is not enabled by a 182.Em facility 183field containing an asterisk. 184.Pp 185The special 186.Em level 187.Dq none 188disables a particular 189.Em facility . 190.Pp 191The 192.Em action 193field of each line specifies the action to be taken when the 194.Em selector 195field selects a message. 196There are five forms: 197.Bl -bullet 198.It 199A pathname (beginning with a leading slash). 200Selected messages are appended to the file. 201.It 202A hostname (preceded by an at 203.Pq Dq @ 204sign). 205Selected messages are forwarded to the 206.Xr syslogd 207program on the named host. 208.It 209A comma separated list of users. 210Selected messages are written to those users 211if they are logged in. 212.It 213An asterisk. 214Selected messages are written to all logged-in users. 215.It 216A vertical bar 217.Pq Dq \&| , 218followed by a command to pipe the selected 219messages to. The command is passed to a 220.Pa /bin/sh 221for evaluation, so usual shell metacharacters or input/output 222redirection can occur. (Note however that redirecting 223.Xr stdio 3 224buffered output from the invoked command can cause additional delays, 225or even lost output data in case a logging subprocess exited with a 226signal.) The command itself runs with 227.Em stdout 228and 229.Em stderr 230redirected to 231.Pa /dev/null . 232Upon receipt of a 233.Dv SIGHUP , 234.Nm 235will close the pipe to the process. If the process didn't exit 236voluntarily, it will be sent a 237.Dv SIGTERM 238signal after a grace period of up to 60 seconds. 239.Pp 240The command will only be started once data arrives that should be piped 241to it. If it exited later, it will be restarted as necessary. So if it 242is desired that the subprocess should get exactly one line of input only 243(which can be very resource-consuming if there are a lot of messages 244flowing quickly), this can be achieved by exiting after just one line of 245input. If necessary, a script wrapper can be written to this effect. 246.Pp 247Unless the command is a full pipeline, it's probably useful to 248start the command with 249.Em exec 250so that the invoking shell process does not wait for the command to 251complete. Warning: the process is started under the UID invoking 252.Xr syslogd 8 , 253normally the superuser. 254.El 255.Pp 256Blank lines and lines whose first non-blank character is a hash 257.Pq Dq # 258character are ignored. 259.Sh EXAMPLES 260.Pp 261A configuration file might appear as follows: 262.Bd -literal 263# Log all kernel messages, authentication messages of 264# level notice or higher and anything of level err or 265# higher to the console. 266# Don't log private authentication messages! 267*.err;kern.*;auth.notice;authpriv.none /dev/console 268 269# Log anything (except mail) of level info or higher. 270# Don't log private authentication messages! 271*.info;mail.none;authpriv.none /var/log/messages 272 273# The authpriv file has restricted access. 274authpriv.* /var/log/secure 275 276# Log all the mail messages in one place. 277mail.* /var/log/maillog 278 279# Everybody gets emergency messages, plus log them on another 280# machine. 281*.emerg * 282*.emerg @arpa.berkeley.edu 283 284# Root and Eric get alert and higher messages. 285*.alert root,eric 286 287# Save mail and news errors of level err and higher in a 288# special file. 289uucp,news.crit /var/log/spoolerr 290 291# Pipe all authentication messages to a filter. 292auth.* |exec /usr/local/sbin/authfilter 293 294# Save ftpd transactions along with mail and news 295!ftpd 296*.* /var/log/spoolerr 297.Ed 298.Sh FILES 299.Bl -tag -width /etc/syslog.conf -compact 300.It Pa /etc/syslog.conf 301The 302.Xr syslogd 8 303configuration file. 304.El 305.Sh BUGS 306The effects of multiple selectors are sometimes not intuitive. 307For example 308.Dq mail.crit,*.err 309will select 310.Dq mail 311facility messages at the level of 312.Dq err 313or higher, not at the level of 314.Dq crit 315or higher. 316.Pp 317In networked environments, note that not all operating systems 318implement the same set of facilities. The facilities 319authpriv, cron, ftp, and ntp that are known to this implementation 320might be absent on the target system. Even worse, DEC UNIX uses 321facility number 10 (which is authpriv in this implementation) to 322log events for their AdvFS file system. 323.Sh SEE ALSO 324.Xr syslog 3 , 325.Xr syslogd 8 326