.\" Copyright (c) 1990, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)syslog.conf.5	8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd June 9, 1993
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
and
.Em hostname
specifications (separations appear alone on their lines),
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters or spaces.
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for ease of configuration
(e.g.\& it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of
.Nm
(i.e., tab characters only).
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Dq \&. ,
an optional set of comparison flags
.Pq Oo \&! Oc Op <=> ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, console, cron, daemon, ftp, kern,
lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through
local7.
These keywords (with the exception of mark) correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what is logged.
The default comparison is
.Dq =>
(or, if you prefer,
.Dq >= ) ,
which means that messages from the specified
.Em facility
list, and of a priority
level equal to or greater than
.Em level
will be logged.
Comparison flags beginning with
.Dq Li \&!
will have their logical sense inverted.
Thus
.Dq !=info
means all levels except info and
.Dq !notice
has the same meaning as
.Dq <notice .
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Thus, with a block which selects
.Ql ppp
as the
.Em program ,
directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost ,
the second block will only log messages
from the
.Xr ppp 8
program on dialhost.
.Pp
A
.Em program
specification is a line beginning with
.Ql #!prog
or
.Ql !prog
(the former is for compatibility with the previous syslogd, if one is sharing
.Nm
files, for example)
and the following blocks will be associated with calls to
.Xr syslog 3
from that specific program.
A
.Em program
specification for
.Ql foo
will also match any message logged by the kernel with the prefix
.Ql "foo: " .
The
.Ql #!+prog
or
.Ql !+prog
specification works just like the previous one,
and the
.Ql #!-prog
or
.Ql !-prog
specification will match any message but the ones from that
program.
Multiple programs may be listed, separated by commas:
.Ql !prog1,prog2
matches messages from either program, while
.Ql !-prog1,prog2
matches all messages but those from
.Ql prog1
or
.Ql prog2 .
.Pp
A
.Em hostname
specification of the form
.Ql #+hostname
or
.Ql +hostname
means the following blocks will be applied to messages
received from the specified hostname.
Alternatively, the
.Em hostname
specification
.Ql #-hostname
or
.Ql -hostname
causes the following blocks to be applied to messages
from any host but the one specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
As for program specifications, multiple comma-separated
values may be specified for hostname specifications.
.Pp
A
.Em program
or
.Em hostname
specification may be reset by giving the program or hostname as
.Ql * .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It's preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases,
though, an appropriate
.Em facility
simply doesn't exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Dq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Dq \&,
characters.
.Pp
An asterisk
.Pq Dq *
can be used to specify all
.Em facilities ,
all
.Em levels ,
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.Pp
To ensure that kernel messages are written to disk promptly,
.Xr syslogd 8
calls
.Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explicitly.
You may prefix a pathname with the minus sign,
.Dq - ,
to forego syncing the specified file after every kernel message.
Note that you might lose information if the system crashes
immediately following a write attempt.
Nevertheless, using the
.Dq -
option may improve performance,
especially if the kernel is logging many messages.
.It
A hostname (preceded by an at
.Pq Dq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Dq \&| ,
followed by a command to pipe the selected
messages to.
The command is passed to
.Xr sh 1
for evaluation, so usual shell metacharacters or input/output
redirection can occur.
(Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.)
The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.
If the process didn't exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it.
If it exited later, it will be restarted as necessary.
So if it
is desired that the subprocess should get exactly one line of input only
(which can be very resource-consuming if there are a lot of messages
flowing quickly), this can be achieved by exiting after just one line of
input.
If necessary, a script wrapper can be written to this effect.
.Pp
Unless the command is a full pipeline, it's probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.
Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Dq #
character are ignored.
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher, and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none  /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages

# Log daemon messages at debug level only
daemon.=debug                           /var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                  /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                 *
*.emerg                                 @arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert                                 root,eric

# Save uucp and news errors of level crit and higher in a
# special file.
uucp,news.crit                          /var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*                                  |exec /usr/local/sbin/authfilter

# Save ftpd transactions along with uucp and news
!ftpd
*.*                                     /var/log/spoolerr

# Log all security messages to a separate file.
security.*                              /var/log/security

# Log all writes to /dev/console to a separate file.
console.*                               /var/log/console.log

# Log ipfw messages without syncing after every message.
!ipfw
*.*                                     -/var/log/ipfw
.Ed
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled;
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.El
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.
The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.
Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
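The selector rules above (comparison flags, "none", the "mark" exception, and later selectors modifying earlier ones) can be checked mechanically, for instance to confirm that an action never receives authpriv messages. The following Python evaluator is an added example, not part of the original manual page or of syslogd; its function names are hypothetical, and it assumes that each selector overwrites the per-facility rule set by earlier ones and that a comma after a level separates selectors, which reproduces the result described under BUGS.

```python
import re

# Levels from lowest to highest severity, as listed on the page.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ("auth authpriv console cron daemon ftp kern lpr mail mark news ntp "
              "security syslog user uucp").split() + [f"local{i}" for i in range(8)]
# facility[,facility...] "." [!][<=>] level, then any ";" or "," separators
SEL = re.compile(r"([a-z0-9*]+(?:,[a-z0-9*]+)*)\.(!?)([<=>]*)([a-z*]+)[;,]*")


def compile_selectors(field):
    """Map facility -> (ops, inverted, rank), or None if disabled; last write wins."""
    table, pos = {}, 0
    field = field.lower()  # facility and level are case insensitive
    for m in SEL.finditer(field):
        if m.start() != pos:
            raise ValueError(f"cannot parse selector at offset {pos}: {field!r}")
        pos = m.end()
        facs, bang, ops, level = m.groups()
        if level == "none":
            rule = None  # disables the facility
        elif level == "*":
            rule = (set("<=>"), False, 0)  # every level
        else:
            # Default comparison is ">="; a leading "!" inverts the result.
            rule = (set(ops or ">="), bool(bang), LEVELS.index(level))
        for fac in facs.split(","):
            # "*" means every facility except the special "mark".
            names = [f for f in FACILITIES if f != "mark"] if fac == "*" else [fac]
            for name in names:
                if name not in FACILITIES:
                    raise ValueError(f"unknown facility {name!r}")
                table[name] = rule  # assumption: overwrite, as the page implies
    if pos != len(field) or not table:
        raise ValueError(f"cannot parse selector field: {field!r}")
    return table


def selects(field, facility, level):
    """True if a message with this facility and level is selected by the field."""
    rule = compile_selectors(field).get(facility)
    if rule is None:
        return False
    ops, inverted, rank = rule
    r = LEVELS.index(level)
    cmp = "<" if r < rank else "=" if r == rank else ">"
    return (cmp in ops) != inverted
```

Program and hostname block specifications are outside the scope of this evaluator; it models the selector field of a single line only.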