.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd November 1, 2016
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
and
.Em hostname
specifications (separations appear alone on their lines),
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters or spaces.
.Pp
A special
.Em include
keyword can be used to include all files with names ending in '.conf' and not
beginning with a '.' contained in the directory following the keyword.
This keyword can only be used in the first level configuration file.
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for ease of configuration
(e.g.\& it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of
.Nm
(i.e., tab characters only).
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Dq \&. ,
an optional set of comparison flags
.Pq Oo \&! Oc Op <=> ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords:
.Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr ,
.Cm mail , mark , news , ntp , security , syslog , user , uucp ,
and
.Cm local0
through
.Cm local7 .
These keywords (with the exception of mark) correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what is logged.
The default comparison is
.Dq =>
(or, if you prefer,
.Dq >= ) ,
which means that messages from the specified
.Em facility
list, and of a priority
level equal to or greater than
.Em level
will be logged.
Comparison flags beginning with
.Dq Li \&!
will have their logical sense inverted.
Thus
.Dq !=info
means all levels except info and
.Dq !notice
has the same meaning as
.Dq <notice .
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower):
.Cm emerg , crit , alert , err , warning , notice , info
and
.Cm debug .
These keywords correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Thus, with a block which selects
.Ql ppp
as the
.Em program ,
directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost ,
the second block will only log messages
from the
.Xr ppp 8
program on dialhost.
.Pp
A
.Em program
specification is a line beginning with
.Ql #!prog
or
.Ql !prog
(the former is for compatibility with the previous syslogd, if one is sharing
.Nm
files, for example)
and the following blocks will be associated with calls to
.Xr syslog 3
from that specific program.
A
.Em program
specification for
.Ql foo
will also match any message logged by the kernel with the prefix
.Ql "foo: " .
The
.Ql #!+prog
or
.Ql !+prog
specification works just like the previous one,
and the
.Ql #!-prog
or
.Ql !-prog
specification will match any message but the ones from that
program.
Multiple programs may be listed, separated by commas:
.Ql !prog1,prog2
matches messages from either program, while
.Ql !-prog1,prog2
matches all messages but those from
.Ql prog1
or
.Ql prog2 .
.Pp
A
.Em hostname
specification of the form
.Ql #+hostname
or
.Ql +hostname
means the following blocks will be applied to messages
received from the specified hostname.
Alternatively, the
.Em hostname
specification
.Ql #-hostname
or
.Ql -hostname
causes the following blocks to be applied to messages
from any host but the one specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
As for program specifications, multiple comma-separated
values may be specified for hostname specifications.
.Pp
A
.Em program
or
.Em hostname
specification may be reset by giving the program or hostname as
.Ql * .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It is preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases,
though, an appropriate
.Em facility
simply does not exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Dq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Dq \&,
characters.
.Pp
An asterisk
.Pq Dq *
can be used to specify all
.Em facilities ,
all
.Em levels ,
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.Pp
To ensure that kernel messages are written to disk promptly,
.Xr syslogd 8
calls
.Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explicitly.
You may prefix a pathname with the minus sign,
.Dq - ,
to forgo syncing the specified file after every kernel message.
Note that you might lose information if the system crashes
immediately following a write attempt.
Nevertheless, using the
.Dq -
option may improve performance,
especially if the kernel is logging many messages.
.It
A hostname (preceded by an at
.Pq Dq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
If a port number is added after a colon
.Pq Ql :\&
then that port will be used as the destination port
rather than the usual syslog port.
IPv6 addresses can be used
by surrounding the address portion with
square brackets
.Po
.Ql [\&
and
.Ql ]\&
.Pc .
.It
A comma-separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Dq \&| ,
followed by a command to pipe the selected
messages to.
The command is passed to
.Xr sh 1
for evaluation, so usual shell metacharacters or input/output
redirection can occur.
(Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.)
The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.
If the process did not exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it.
If it exited later, it will be restarted as necessary.
So if it
is desired that the subprocess should get exactly one line of input only
(which can be very resource-consuming if there are a lot of messages
flowing quickly), this can be achieved by exiting after just one line of
input.
If necessary, a script wrapper can be written to this effect.
.Pp
Unless the command is a full pipeline, it is probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.
Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Dq #
character are ignored.
If
.Ql #
is placed in the middle of the line, the
.Ql #
character and the rest of the line after it are ignored.
To prevent special meaning, the
.Ql #
character may be escaped with
.Ql \e ;
in this case the preceding
.Ql \e
is removed and
.Ql #
is treated as an ordinary character.
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled;
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher, and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none;mail.crit    /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none                      /var/log/messages

# Log daemon messages at debug level only
daemon.=debug                                       /var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*                                          /var/log/secure

# Log all the mail messages in one place.
mail.*                                              /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                             *
*.emerg                                             @arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert                                             root,eric

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                                      /var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*                                              |exec /usr/local/sbin/authfilter

# Log all security messages to a separate file.
security.*                                          /var/log/security

# Log all writes to /dev/console to a separate file.
console.*                                           /var/log/console.log

# Save ftpd transactions along with mail and news
!ftpd
*.*                                                 /var/log/spoolerr

# Log ipfw messages without syncing after every message.
!ipfw
*.*                                                 -/var/log/ipfw
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.
The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.
Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.
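The selector behaviour described under BUGS can be checked before a configuration is deployed. The following is an added example, not part of the original manual page or of syslogd: it models the selector field as a per-facility table in which each later selector overwrites earlier ones (an assumption consistent with the BUGS note), then lists every action that would receive a given facility and level. The names compile_selectors, destinations and the path /var/log/all.log are hypothetical; program and hostname blocks are reported rather than evaluated, and include is not followed.

```python
import re

# Least to most severe, ranked by the LOG_ values in syslog(3).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# "mark" is left out on purpose: the page says "*" does not enable it.
FACILITIES = ("auth authpriv console cron daemon ftp kern lpr mail news ntp "
              "security syslog user uucp").split() + [f"local{i}" for i in range(8)]
SELECTOR = re.compile(r"([^.;,\s]+(?:,[^.;,\s]+)*)\.(!?)([<=>]*)(\w+|\*)")
KINDS = {"/": "file", "-": "file", "@": "forward", "|": "pipe", "*": "all-users"}

def compile_selectors(field):
    """Map facility -> selected levels; a later selector overwrites earlier ones."""
    table = {}
    for facs, invert, flags, level in SELECTOR.findall(field.lower()):
        if level in ("none", "*"):
            allowed = set(LEVELS) if level == "*" else set()
        else:
            base, flags = LEVELS.index(level), flags or ">="
            allowed = {name for i, name in enumerate(LEVELS)
                       if ("<" in flags and i < base) or ("=" in flags and i == base)
                       or (">" in flags and i > base)}
            if invert:
                allowed = set(LEVELS) - allowed
        names = facs.split(",")
        for fac in (FACILITIES if "*" in names else names):
            table[fac] = allowed
    return table

def destinations(conf, facility, level):
    """(kind, action, program, host) for each line that selects facility.level."""
    scope, hits = {"!": "*", "+": "*"}, []
    for raw in conf.splitlines():
        text = raw.strip()
        if re.match(r"#?[!+-]\S", text):  # program or hostname specification
            scope["!" if "!" in text[:2] else "+"] = text.lstrip("#!+")
            continue
        cols = re.sub(r"(?<!\\)#.*", "", text).replace("\\#", "#").split(None, 1)
        if len(cols) == 2 and level in compile_selectors(cols[0]).get(facility, ()):
            hits.append((KINDS.get(cols[1][0], "users"), cols[1].strip(), *scope.values()))
    return hits

# Constructed sample: EXAMPLES lines plus one hypothetical reversed-order line.
SAMPLE = """\
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.none;*.info             /var/log/all.log   # authpriv switched back on
auth.*                           |exec /usr/local/sbin/authfilter
!ipfw
*.*                              -/var/log/ipfw
"""
```

Calling destinations(SAMPLE, "authpriv", "info") shows that placing authpriv.none before *.info leaves private authentication messages going to the file, which is the kind of ordering mistake worth catching in review.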