.\" Copyright (c) 1990, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)syslog.conf.5	8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd June 9, 1993
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
and
.Em hostname
specifications (separations appear alone on their lines),
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters or spaces.
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for ease of configuration
(e.g.\& it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of
.Nm
(i.e., tab characters only).
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Dq \&. ,
an optional set of comparison flags
.Pq Oo \&! Oc Op <=> ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, console, cron, daemon, ftp, kern,
lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through
local7.
These keywords (with the exception of mark) correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what is logged.
The default comparison is
.Dq =>
(or, if you prefer,
.Dq >= ) ,
which means that messages from the specified
.Em facility
list, and of a priority
level equal to or greater than
.Em level
will be logged.
Comparison flags beginning with
.Dq Li \&!
will have their logical sense inverted.
Thus
.Dq !=info
means all levels except info and
.Dq !notice
has the same meaning as
.Dq <notice .
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Thus, with a block which selects
.Ql ppp
as the
.Em program ,
directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost ,
the second block will only log messages
from the
.Xr ppp 8
program on dialhost.
.Pp
A
.Em program
specification is a line beginning with
.Ql #!prog
or
.Ql !prog
(the former is for compatibility with the previous syslogd, if one is sharing
.Nm
files, for example)
and the following blocks will be associated with calls to
.Xr syslog 3
from that specific program.
A
.Em program
specification for
.Ql foo
will also match any message logged by the kernel with the prefix
.Ql "foo: " .
The
.Ql #!+prog
or
.Ql !+prog
specification works just like the previous one,
and the
.Ql #!-prog
or
.Ql !-prog
specification will match any message but the ones from that
program.
Multiple programs may be listed, separated by commas:
.Ql !prog1,prog2
matches messages from either program, while
.Ql !-prog1,prog2
matches all messages but those from
.Ql prog1
or
.Ql prog2 .
.Pp
A
.Em hostname
specification of the form
.Ql #+hostname
or
.Ql +hostname
means the following blocks will be applied to messages
received from the specified hostname.
Alternatively, the
.Em hostname
specification
.Ql #-hostname
or
.Ql -hostname
causes the following blocks to be applied to messages
from any host but the one specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
As for program specifications, multiple comma-separated
values may be specified for hostname specifications.
.Pp
A
.Em program
or
.Em hostname
specification may be reset by giving the program or hostname as
.Ql * .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It is preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases,
though, an appropriate
.Em facility
simply does not exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Dq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Dq \&,
characters.
.Pp
An asterisk
.Pq Dq *
can be used to specify all
.Em facilities ,
all
.Em levels ,
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.Pp
To ensure that kernel messages are written to disk promptly,
.Nm
calls
.Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explicitly.
You may prefix a pathname with the minus sign,
.Dq - ,
to forego syncing the specified file after every kernel message.
Note that you might lose information if the system crashes
immediately following a write attempt.
Nevertheless, using the
.Dq -
option may improve performance,
especially if the kernel is logging many messages.
.It
A hostname (preceded by an at
.Pq Dq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
If a port number is added after a colon
.Pq ':'
then that port will be used as the destination port rather than the usual syslog port.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Dq \&| ,
followed by a command to pipe the selected
messages to.
The command is passed to
.Xr sh 1
for evaluation, so usual shell metacharacters or input/output
redirection can occur.
(Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.)
The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.
If the process did not exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it.
If it exited later, it will be restarted as necessary.
So if it
is desired that the subprocess should get exactly one line of input only
(which can be very resource-consuming if there are a lot of messages
flowing quickly), this can be achieved by exiting after just one line of
input.
If necessary, a script wrapper can be written to this effect.
.Pp
Unless the command is a full pipeline, it is probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.
Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Dq #
character are ignored.
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled;
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher, and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none	/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none		/var/log/messages

# Log daemon messages at debug level only
daemon.=debug				/var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*				/var/log/secure

# Log all the mail messages in one place.
mail.*					/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg					*
*.emerg					@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert					root,eric

# Save uucp and news errors of level crit and higher in a
# special file.
uucp,news.crit				/var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*					|exec /usr/local/sbin/authfilter

# Save ftpd transactions along with uucp and news
!ftpd
*.*					/var/log/spoolerr

# Log all security messages to a separate file.
security.*				/var/log/security

# Log all writes to /dev/console to a separate file.
console.*				/var/log/console.log

# Log ipfw messages without syncing after every message.
!ipfw
*.*					-/var/log/ipfw
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.
The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.
Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.
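.Pp
The selector rules, the action forms and the selector-ordering pitfall described above can be checked mechanically before a configuration is deployed.
The following Python sketch is an added example, not part of the original manual page or of syslogd; it evaluates selectors as this page describes them and reports which actions receive authpriv messages.
The names compile_selector, selects and audit are hypothetical, the overwrite-in-order model is this example's reading of the text above, and program and hostname block scope is ignored.
.Bd -literal
```python
import re

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ("auth authpriv console cron daemon ftp kern lpr mail mark news ntp "
              "security syslog user uucp").split() + [f"local{i}" for i in range(8)]
# facility[,facility...] "." [!][<=>] level; "," or ";" after a level starts a new selector
TOKEN = re.compile("([^.;,][^.;]*)[.]([!<=>]*)([a-z0-9]+|[*])")

def compile_selector(selector):
    """Map facility -> predicate(level index); later selectors overwrite earlier ones."""
    table = {}
    for facs, flags, level in TOKEN.findall(selector.lower()):
        invert, ops = flags.startswith("!"), flags.lstrip("!") or ">="
        if level in ("none", "*"):            # "none" disables, "*" accepts every level
            pred = None if level == "none" else (lambda lv: True)
        else:
            want = LEVELS.index(level)        # ValueError on an unknown level keyword
            pred = lambda lv, w=want, o=ops, inv=invert: inv != (
                ("<" in o and lv < w) or ("=" in o and lv == w) or (">" in o and lv > w))
        for fac in facs.split(","):
            # "*" covers every facility except the special "mark"
            for name in ([f for f in FACILITIES if f != "mark"] if fac == "*" else [fac]):
                table[name] = pred
    return table

def selects(selector, facility, level):
    pred = compile_selector(selector).get(facility)
    return bool(pred and pred(LEVELS.index(level)))

def audit(conf_text):
    """Return (action, kind, receives_authpriv) for every selector/action line."""
    kinds = {"/": "file", "-": "file", "@": "remote", "|": "pipe", "*": "all-users"}
    out = []
    for line in map(str.strip, conf_text.splitlines()):
        if line and line[0] not in "#!+-":    # skip comments, program/hostname specs
            selector, action = line.split(None, 1)
            leaks = any(selects(selector, "authpriv", lv) for lv in LEVELS)
            out.append((action, kinds.get(action[0], "users"), leaks))
    return out

# Constructed input: four rules copied from the EXAMPLES section.
SAMPLE = """
*.err;kern.*;auth.notice;authpriv.none /dev/console
*.emerg *
auth.* |exec /usr/local/sbin/authfilter
authpriv.* /var/log/secure
"""

if __name__ == "__main__":
    for row in audit(SAMPLE): print(row)
```
.Ed
On the sample, the *.emerg rule is reported as delivering authpriv messages to all logged-in users, because no later selector on that line sets authpriv.none.
Rules reported as pipe deserve a review of the command and its file permissions, since it runs under the UID of syslogd.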