.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd September 12, 2012
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
and
.Em hostname
specifications (separations appear alone on their lines),
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters or spaces.
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for ease of configuration
(e.g.\& it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of
.Nm
(i.e., tab characters only).
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Dq \&. ,
an optional set of comparison flags
.Pq Oo \&! Oc Op <=> ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords:
.Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr ,
.Cm mail , mark , news , ntp , security , syslog , user , uucp ,
and
.Cm local0
through
.Cm local7 .
These keywords (with the exception of mark) correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what is logged.
The default comparison is
.Dq =>
(or, if you prefer,
.Dq >= ) ,
which means that messages from the specified
.Em facility
list, and of a priority
level equal to or greater than
.Em level
will be logged.
Comparison flags beginning with
.Dq Li \&!
will have their logical sense inverted.
Thus
.Dq !=info
means all levels except info and
.Dq !notice
has the same meaning as
.Dq <notice .
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower):
.Cm emerg , crit , alert , err , warning , notice , info
and
.Cm debug .
These keywords correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Thus, with a block which selects
.Ql ppp
as the
.Em program ,
directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost ,
the second block will only log messages
from the
.Xr ppp 8
program on dialhost.
.Pp
A
.Em program
specification is a line beginning with
.Ql #!prog
or
.Ql !prog
(the former is for compatibility with the previous syslogd, if one is sharing
.Nm
files, for example)
and the following blocks will be associated with calls to
.Xr syslog 3
from that specific program.
A
.Em program
specification for
.Ql foo
will also match any message logged by the kernel with the prefix
.Ql "foo: " .
The
.Ql #!+prog
or
.Ql !+prog
specification works just like the previous one,
and the
.Ql #!-prog
or
.Ql !-prog
specification will match any message but the ones from that
program.
Multiple programs may be listed, separated by commas:
.Ql !prog1,prog2
matches messages from either program, while
.Ql !-prog1,prog2
matches all messages but those from
.Ql prog1
or
.Ql prog2 .
.Pp
A
.Em hostname
specification of the form
.Ql #+hostname
or
.Ql +hostname
means the following blocks will be applied to messages
received from the specified hostname.
Alternatively, the
.Em hostname
specification
.Ql #-hostname
or
.Ql -hostname
causes the following blocks to be applied to messages
from any host but the one specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
As for program specifications, multiple comma-separated
values may be specified for hostname specifications.
.Pp
A
.Em program
or
.Em hostname
specification may be reset by giving the program or hostname as
.Ql * .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It is preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases,
though, an appropriate
.Em facility
simply does not exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Dq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Dq \&,
characters.
.Pp
An asterisk
.Pq Dq *
can be used to specify all
.Em facilities ,
all
.Em levels ,
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.Pp
To ensure that kernel messages are written to disk promptly,
.Nm
calls
.Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explicitly.
You may prefix a pathname with the minus sign,
.Dq - ,
to forego syncing the specified file after every kernel message.
Note that you might lose information if the system crashes
immediately following a write attempt.
Nevertheless, using the
.Dq -
option may improve performance,
especially if the kernel is logging many messages.
.It
A hostname (preceded by an at
.Pq Dq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
If a port number is added after a colon
.Pq Ql :\&
then that port will be used as the destination port
rather than the usual syslog port.
IPv6 addresses can be used
by surrounding the address portion with
square brackets
.Po
.Ql [\&
and
.Ql ]\&
.Pc .
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Dq \&| ,
followed by a command to pipe the selected
messages to.
The command is passed to
.Xr sh 1
for evaluation, so usual shell metacharacters or input/output
redirection can occur.
(Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.)
The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.
If the process did not exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it.
If it exited later, it will be restarted as necessary.
So if it
is desired that the subprocess should get exactly one line of input only
(which can be very resource-consuming if there are a lot of messages
flowing quickly), this can be achieved by exiting after just one line of
input.
If necessary, a script wrapper can be written to this effect.
.Pp
Unless the command is a full pipeline, it is probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.
Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Dq #
character are ignored.
If
.Ql #
is placed in the middle of the line, the
.Ql #
character and the rest of the line after it is ignored.
To prevent special meaning, the
.Ql #
character may be escaped with
.Ql \e ;
in this case preceding
.Ql \e
is removed and
.Ql #
is treated as an ordinary character.
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled;
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher, and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none                   /var/log/messages

# Log daemon messages at debug level only
daemon.=debug                                    /var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*                                       /var/log/secure

# Log all the mail messages in one place.
mail.*                                           /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                          *
*.emerg                                          @arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert                                          root,eric

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                                   /var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*                                           |exec /usr/local/sbin/authfilter

# Log all security messages to a separate file.
security.*                                       /var/log/security

# Log all writes to /dev/console to a separate file.
console.*                                        /var/log/console.log

# Save ftpd transactions along with mail and news
!ftpd
*.*                                              /var/log/spoolerr

# Log ipfw messages without syncing after every message.
!ipfw
*.*                                              -/var/log/ipfw
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.
The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.
Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.
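The selector rules from DESCRIPTION and the override case from BUGS, worked through as an added example that is not part of the original manual page and is not syslogd's own code: a small Python model that answers which actions would receive a given message, for instance to check that authpriv traffic only reaches the restricted file. The names compile_selectors, selects, sinks and SAMPLE are made up for this illustration, the level codes are the LOG_* values from syslog(3), and program and hostname blocks are not modelled.

```python
import re

# LOG_* level codes from syslog(3): a lower number is a more severe message.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
# "mark" is deliberately absent: an asterisk facility does not enable it.
FACILITIES = ["auth", "authpriv", "console", "cron", "daemon", "ftp", "kern",
              "lpr", "mail", "news", "ntp", "security", "syslog", "user",
              "uucp"] + ["local%d" % i for i in range(8)]
# facility list, ".", optional "!", comparison flags, level, then "," or ";".
SELECTOR = re.compile(r"([^.;]+)\.(!?)([<=>]*)([a-z*]+)[,;]*")

def compile_selectors(field):
    """Map facility -> (flags, level) or None; later selectors overwrite earlier."""
    table = {}
    for facs, bang, cmp_, level in SELECTOR.findall(field.lower()):
        flags = set(cmp_ or "=>")          # default comparison is "=>"
        if bang:                           # "!" inverts the comparison
            flags = set("<=>") - flags
        if level == "*":                   # every level
            flags, level = set("<=>"), "debug"
        rule = None if level == "none" else (flags, LEVELS[level])
        for fac in facs.split(","):
            for name in (FACILITIES if fac == "*" else [fac]):
                table[name] = rule
    return table

def selects(field, facility, level):
    """True if a message (facility, level) is picked up by the selector field."""
    rule = compile_selectors(field).get(facility)
    if rule is None:                       # never mentioned, or set to "none"
        return False
    flags, limit = rule
    sev = LEVELS[level]
    return (("=" in flags and sev == limit) or (">" in flags and sev < limit)
            or ("<" in flags and sev > limit))

def sinks(conf, facility, level):
    """Actions receiving the message; program/hostname blocks are ignored."""
    rows = (line.split(None, 1) for line in conf.splitlines())
    return [r[1].strip() for r in rows if len(r) == 2
            and r[0][0] not in "#!+-" and selects(r[0], facility, level)]

# Constructed sample built from lines of the EXAMPLES section.
SAMPLE = """*.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
*.info;mail.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
*.emerg *"""
```

Swapping the order to authpriv.none;*.info re-enables authpriv for that line, because the later asterisk selector overwrites the earlier none; the model also shows that an authpriv message at level emerg reaches the all-users action.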