1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 4. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 29.\" $FreeBSD$ 30.\" 31.Dd June 9, 1993 32.Dt SYSLOG.CONF 5 33.Os 34.Sh NAME 35.Nm syslog.conf 36.Nd 37.Xr syslogd 8 38configuration file 39.Sh DESCRIPTION 40The 41.Nm 42file is the configuration file for the 43.Xr syslogd 8 44program. 45It consists of 46blocks of lines separated by 47.Em program 48and 49.Em hostname 50specifications (separations appear alone on their lines), 51with each line containing two fields: the 52.Em selector 53field which specifies the types of messages and priorities to which the 54line applies, and an 55.Em action 56field which specifies the action to be taken if a message 57.Xr syslogd 8 58receives matches the selection criteria. 59The 60.Em selector 61field is separated from the 62.Em action 63field by one or more tab characters or spaces. 64.Pp 65Note that if you use spaces as separators, your 66.Nm 67might be incompatible with other Unices or Unix-like systems. 68This functionality was added for ease of configuration 69(e.g.\& it is possible to cut-and-paste into 70.Nm ) , 71and to avoid possible mistakes. 72This change however preserves 73backwards compatibility with the old style of 74.Nm 75(i.e., tab characters only). 76.Pp 77The 78.Em selectors 79are encoded as a 80.Em facility , 81a period 82.Pq Dq \&. , 83an optional set of comparison flags 84.Pq Oo \&! Oc Op <=> , 85and a 86.Em level , 87with no intervening white-space. 88Both the 89.Em facility 90and the 91.Em level 92are case insensitive. 93.Pp 94The 95.Em facility 96describes the part of the system generating the message, and is one of 97the following keywords: 98.Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr , 99.Cm mail , mark , news , ntp , security , syslog , user , uucp , 100and 101.Cm local0 102through 103.Cm local7 . 104These keywords (with the exception of mark) correspond to 105similar 106.Dq Dv LOG_ 107values specified to the 108.Xr openlog 3 109and 110.Xr syslog 3 111library routines. 112.Pp 113The 114.Em comparison flags 115may be used to specify exactly what is logged. 116The default comparison is 117.Dq => 118(or, if you prefer, 119.Dq >= ) , 120which means that messages from the specified 121.Em facility 122list, and of a priority 123level equal to or greater than 124.Em level 125will be logged. 126Comparison flags beginning with 127.Dq Li \&! 128will have their logical sense inverted. 129Thus 130.Dq !=info 131means all levels except info and 132.Dq !notice 133has the same meaning as 134.Dq <notice . 135.Pp 136The 137.Em level 138describes the severity of the message, and is a keyword from the 139following ordered list (higher to lower): 140.Cm emerg , alert , err , warning , notice , info 141and 142.Cm debug . 143These keywords correspond to 144similar 145.Dq Dv LOG_ 146values specified to the 147.Xr syslog 3 148library routine. 149.Pp 150Each block of lines is separated from the previous block by a 151.Em program 152or 153.Em hostname 154specification. 155A block will only log messages corresponding to the most recent 156.Em program 157and 158.Em hostname 159specifications given. 160Thus, with a block which selects 161.Ql ppp 162as the 163.Em program , 164directly followed by a block that selects messages from the 165.Em hostname 166.Ql dialhost , 167the second block will only log messages 168from the 169.Xr ppp 8 170program on dialhost. 171.Pp 172A 173.Em program 174specification is a line beginning with 175.Ql #!prog 176or 177.Ql !prog 178(the former is for compatibility with the previous syslogd, if one is sharing 179.Nm 180files, for example) 181and the following blocks will be associated with calls to 182.Xr syslog 3 183from that specific program. 184A 185.Em program 186specification for 187.Ql foo 188will also match any message logged by the kernel with the prefix 189.Ql "foo: " . 190The 191.Ql #!+prog 192or 193.Ql !+prog 194specification works just like the previous one, 195and the 196.Ql #!-prog 197or 198.Ql !-prog 199specification will match any message but the ones from that 200program. 201Multiple programs may be listed, separated by commas: 202.Ql !prog1,prog2 203matches messages from either program, while 204.Ql !-prog1,prog2 205matches all messages but those from 206.Ql prog1 207or 208.Ql prog2 . 209.Pp 210A 211.Em hostname 212specification of the form 213.Ql #+hostname 214or 215.Ql +hostname 216means the following blocks will be applied to messages 217received from the specified hostname. 218Alternatively, the 219.Em hostname 220specification 221.Ql #-hostname 222or 223.Ql -hostname 224causes the following blocks to be applied to messages 225from any host but the one specified. 226If the hostname is given as 227.Ql @ , 228the local hostname will be used. 229As for program specifications, multiple comma-separated 230values may be specified for hostname specifications. 231.Pp 232A 233.Em program 234or 235.Em hostname 236specification may be reset by giving the program or hostname as 237.Ql * . 238.Pp 239See 240.Xr syslog 3 241for further descriptions of both the 242.Em facility 243and 244.Em level 245keywords and their significance. 246It is preferred that selections be made on 247.Em facility 248rather than 249.Em program , 250since the latter can easily vary in a networked environment. 251In some cases, 252though, an appropriate 253.Em facility 254simply does not exist. 255.Pp 256If a received message matches the specified 257.Em facility 258and is of the specified 259.Em level 260.Em (or a higher level) , 261and the first word in the message after the date matches the 262.Em program , 263the action specified in the 264.Em action 265field will be taken. 266.Pp 267Multiple 268.Em selectors 269may be specified for a single 270.Em action 271by separating them with semicolon 272.Pq Dq \&; 273characters. 274It is important to note, however, that each 275.Em selector 276can modify the ones preceding it. 277.Pp 278Multiple 279.Em facilities 280may be specified for a single 281.Em level 282by separating them with comma 283.Pq Dq \&, 284characters. 285.Pp 286An asterisk 287.Pq Dq * 288can be used to specify all 289.Em facilities , 290all 291.Em levels , 292or all 293.Em programs . 294.Pp 295The special 296.Em facility 297.Dq mark 298receives a message at priority 299.Dq info 300every 20 minutes 301(see 302.Xr syslogd 8 ) . 303This is not enabled by a 304.Em facility 305field containing an asterisk. 306.Pp 307The special 308.Em level 309.Dq none 310disables a particular 311.Em facility . 312.Pp 313The 314.Em action 315field of each line specifies the action to be taken when the 316.Em selector 317field selects a message. 318There are five forms: 319.Bl -bullet 320.It 321A pathname (beginning with a leading slash). 322Selected messages are appended to the file. 323.Pp 324To ensure that kernel messages are written to disk promptly, 325.Nm 326calls 327.Xr fsync 2 328after writing messages from the kernel. 329Other messages are not synced explicitly. 330You may prefix a pathname with the minus sign, 331.Dq - , 332to forego syncing the specified file after every kernel message. 333Note that you might lose information if the system crashes 334immediately following a write attempt. 335Nevertheless, using the 336.Dq - 337option may improve performance, 338especially if the kernel is logging many messages. 339.It 340A hostname (preceded by an at 341.Pq Dq @ 342sign). 343Selected messages are forwarded to the 344.Xr syslogd 8 345program on the named host. 346If a port number is added after a colon 347.Pq Ql :\& 348then that port will be used as the destination port 349rather than the usual syslog port. 350.It 351A comma separated list of users. 352Selected messages are written to those users 353if they are logged in. 354.It 355An asterisk. 356Selected messages are written to all logged-in users. 357.It 358A vertical bar 359.Pq Dq \&| , 360followed by a command to pipe the selected 361messages to. 362The command is passed to 363.Xr sh 1 364for evaluation, so usual shell metacharacters or input/output 365redirection can occur. 366(Note however that redirecting 367.Xr stdio 3 368buffered output from the invoked command can cause additional delays, 369or even lost output data in case a logging subprocess exited with a 370signal.) 371The command itself runs with 372.Em stdout 373and 374.Em stderr 375redirected to 376.Pa /dev/null . 377Upon receipt of a 378.Dv SIGHUP , 379.Xr syslogd 8 380will close the pipe to the process. 381If the process did not exit 382voluntarily, it will be sent a 383.Dv SIGTERM 384signal after a grace period of up to 60 seconds. 385.Pp 386The command will only be started once data arrives that should be piped 387to it. 388If it exited later, it will be restarted as necessary. 389So if it 390is desired that the subprocess should get exactly one line of input only 391(which can be very resource-consuming if there are a lot of messages 392flowing quickly), this can be achieved by exiting after just one line of 393input. 394If necessary, a script wrapper can be written to this effect. 395.Pp 396Unless the command is a full pipeline, it is probably useful to 397start the command with 398.Em exec 399so that the invoking shell process does not wait for the command to 400complete. 401Warning: the process is started under the UID invoking 402.Xr syslogd 8 , 403normally the superuser. 404.El 405.Pp 406Blank lines and lines whose first non-blank character is a hash 407.Pq Dq # 408character are ignored. 409If 410.Ql # 411is placed in the middle of the line, the 412.Ql # 413character and the rest of the line after it is ignored. 414To prevent special meaning, the 415.Ql # 416character may be escaped with 417.Ql \e ; 418in this case preceding 419.Ql \e 420is removed and 421.Ql # 422is treated as an ordinary character. 423.Sh IMPLEMENTATION NOTES 424The 425.Dq kern 426facility is usually reserved for messages 427generated by the local kernel. 428Other messages logged with facility 429.Dq kern 430are usually translated to facility 431.Dq user . 432This translation can be disabled; 433see 434.Xr syslogd 8 435for details. 436.Sh FILES 437.Bl -tag -width /etc/syslog.conf -compact 438.It Pa /etc/syslog.conf 439.Xr syslogd 8 440configuration file 441.El 442.Sh EXAMPLES 443A configuration file might appear as follows: 444.Bd -literal 445# Log all kernel messages, authentication messages of 446# level notice or higher, and anything of level err or 447# higher to the console. 448# Don't log private authentication messages! 449*.err;kern.*;auth.notice;authpriv.none /dev/console 450 451# Log anything (except mail) of level info or higher. 452# Don't log private authentication messages! 453*.info;mail.none;authpriv.none /var/log/messages 454 455# Log daemon messages at debug level only 456daemon.=debug /var/log/daemon.debug 457 458# The authpriv file has restricted access. 459authpriv.* /var/log/secure 460 461# Log all the mail messages in one place. 462mail.* /var/log/maillog 463 464# Everybody gets emergency messages, plus log them on another 465# machine. 466*.emerg * 467*.emerg @arpa.berkeley.edu 468 469# Root and Eric get alert and higher messages. 470*.alert root,eric 471 472# Save mail and news errors of level err and higher in a 473# special file. 474uucp,news.crit /var/log/spoolerr 475 476# Pipe all authentication messages to a filter. 477auth.* |exec /usr/local/sbin/authfilter 478 479# Save ftpd transactions along with mail and news 480!ftpd 481*.* /var/log/spoolerr 482 483# Log all security messages to a separate file. 484security.* /var/log/security 485 486# Log all writes to /dev/console to a separate file. 487console.* /var/log/console.log 488 489# Log ipfw messages without syncing after every message. 490!ipfw 491*.* -/var/log/ipfw 492.Ed 493.Sh SEE ALSO 494.Xr syslog 3 , 495.Xr syslogd 8 496.Sh BUGS 497The effects of multiple 498.Em selectors 499are sometimes not intuitive. 500For example 501.Dq mail.crit,*.err 502will select 503.Dq mail 504facility messages at the level of 505.Dq err 506or higher, not at the level of 507.Dq crit 508or higher. 509.Pp 510In networked environments, note that not all operating systems 511implement the same set of facilities. 512The facilities 513authpriv, cron, ftp, and ntp that are known to this implementation 514might be absent on the target system. 515Even worse, DEC UNIX uses 516facility number 10 (which is authpriv in this implementation) to 517log events for their AdvFS file system. 518