.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
.\"
.Dd June 9, 1993
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm syslog.conf
file is the configuration file for the
.Xr syslogd 8
program.
It consists of
blocks of lines separated by
.Em program
specifications,
with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters.
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period (``.''), and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail,
mark, news, syslog, user, uucp and local0 through local7.
These keywords (with the exception of mark) correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a tag.
The tag
is a line beginning with
.Em #!prog
or
.Em !prog
(the former is for compatibility with the previous syslogd, if one is sharing
syslog.conf files, for example)
and each block will be associated with calls to syslog from that specific
program.
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance. It's preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment. In some cases,
though, an appropriate
.Em facility
simply doesn't exist (for example,
.Em ftpd
logs under LOG_DAEMON along with a myriad other programs).
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Em (or a higher level) ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon (``;'') characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma (``,'') characters.
.Pp
An asterisk (``*'') can be used to specify all
.Em facilities ,
all
.Em levels
or all
.Em programs .
.Pp
The special
.Em facility
``mark'' receives a message at priority ``info'' every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
``none'' disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.It
A hostname (preceded by an at (``@'') sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar (``|''), followed by a command to pipe the selected
messages to. The command is passed to a
.Pa /bin/sh
for evaluation, so usual shell metacharacters or input/output
redirection can occur. (Note however that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exited with a
signal.) The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Nm syslogd
will close the pipe to the process. If the process didn't exit
voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 40 seconds.
.Pp
The command will only be started once data arrives that should be piped
to it. If it exited later, it will be restarted as necessary.
.Pp
Unless the command is a full pipeline, it's probably useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete. Warning: the process is started under the UID invoking
.Xr syslogd 8 ,
normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash (``#'')
character are ignored.
.Sh EXAMPLES
.Pp
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none	/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none	/var/log/messages

# The authpriv file has restricted access.
authpriv.*	/var/log/secure

# Log all the mail messages in one place.
mail.*	/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg	*
*.emerg	@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert	root,eric

# Save uucp and news errors of level crit and higher in a
# special file.
uucp,news.crit	/var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*	|exec /usr/local/sbin/authfilter

# Save ftpd transactions along with mail and news
!ftpd
*.*	/var/log/spoolerr
.Ed
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
The
.Xr syslogd 8
configuration file.
.El
.Sh BUGS
The effects of multiple selectors are sometimes not intuitive.
For example ``mail.crit,*.err'' will select ``mail'' facility messages at
the level of ``err'' or higher, not at the level of ``crit'' or higher.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
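An added example, not part of the original manual page or of syslogd: a small Python model of the selector rules from DESCRIPTION, run over rules taken from EXAMPLES, that reports which actions a given facility, level and program would trigger (useful for checking that authpriv messages reach only the restricted file). It assumes each selector sets a per-facility threshold that later selectors on the same line override, which agrees with the BUGS note; all function names are illustrative.

```python
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
# One selector: comma-separated facilities, a period, then a level.
SELECTOR = re.compile(r"([^.;,\s]+(?:,[^.;,\s]+)*)\.([^,;\s]+)")

# Rules copied from the EXAMPLES section; "\t" is the required tab separator.
CONF = ("# Don't log private authentication messages!\n"
        "*.err;kern.*;auth.notice;authpriv.none\t/dev/console\n"
        "*.info;mail.none;authpriv.none\t/var/log/messages\n"
        "authpriv.*\t/var/log/secure\n"
        "mail.*\t/var/log/maillog\n"
        "uucp,news.crit\t/var/log/spoolerr\n"
        "auth.*\t|exec /usr/local/sbin/authfilter\n"
        "!ftpd\n"
        "*.*\t/var/log/spoolerr\n")

def thresholds(selector_field):
    """Map facility -> index of the least severe level it logs (assumed model)."""
    mask = {}
    for facs, level in SELECTOR.findall(selector_field.lower()):
        # An asterisk covers every facility except the special "mark".
        names = [f for f in FACILITIES if f != "mark"] if facs == "*" else facs.split(",")
        for fac in names:
            if level == "none":
                mask.pop(fac, None)        # "none" disables the facility
            else:
                mask[fac] = len(LEVELS) - 1 if level == "*" else LEVELS.index(level)
    return mask

def parse(conf):
    """Yield (program, thresholds, action) for every rule line."""
    program = "*"                          # rules before any tag apply to all programs
    for line in conf.splitlines():
        line = line.strip()
        tag = re.match(r"#?!(\S+)", line)  # "!prog" or "#!prog" starts a block
        if tag:
            program = tag.group(1)
        elif line and not line.startswith("#"):
            selector, action = re.split(r"\t+", line, maxsplit=1)
            yield program, thresholds(selector), action.strip()

def actions_for(conf, facility, level, program):
    """Actions taken for a message: its level must be the threshold or higher."""
    sev = LEVELS.index(level)
    return [a for prog, mask, a in parse(conf)
            if prog in ("*", program) and sev <= mask.get(facility, -1)]
```

For instance, `actions_for(CONF, "authpriv", "err", "sshd")` shows whether any rule other than the one for `/var/log/secure` would receive private authentication messages.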