.\" Copyright (c) 1983, 1986, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)syslogd.8	8.1 (Berkeley) 6/6/93
.\" $FreeBSD$
.\"
.Dd July 2, 2018
.Dt SYSLOGD 8
.Os
.Sh NAME
.Nm syslogd
.Nd log systems messages
.Sh SYNOPSIS
.Nm
.Op Fl 468ACcdFHkNnosTuv
.Op Fl a Ar allowed_peer
.Op Fl b Ar bind_address
.Op Fl f Ar config_file
.Op Fl l Oo Ar mode Ns \&: Oc Ns Ar path
.Op Fl M Ar fwd_length
.Op Fl m Ar mark_interval
.Op Fl O Ar format
.Op Fl P Ar pid_file
.Op Fl p Ar log_socket
.Op Fl S Ar logpriv_socket
.Sh DESCRIPTION
The
.Nm
utility reads and logs messages to the system console,
log files,
other
machines and/or users as specified by its configuration file.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl 8
Tells
.Nm
not to interfere with 8-bit data.
Normally
.Nm
will replace C1 control characters
.Pq ISO 8859 and Unicode characters
with their
.Dq M- Ns Em x
equivalent.
Note, this option does not change the way
.Nm
alters control characters
.Pq see Xr iscntrl 3 .
They will always be replaced with their
.Dq ^ Ns Em x
equivalent.
.It Fl A
Ordinarily,
.Nm
tries to send the message to only one address
even if the host has more than one A or AAAA record.
If this option is specified,
.Nm
tries to send the message to all addresses.
.It Fl a Ar allowed_peer
Allow
.Ar allowed_peer
to log to this
.Nm
using UDP datagrams.
Multiple
.Fl a
options may be specified.
.Pp
The
.Ar allowed_peer
option may be any of the following:
.Bl -tag -width "ipaddr[/prefixlen][:service]XX"
.It Xo
.Sm off
.Ar ipaddr
.Op / Ar masklen
.Op \&: Ar service
.Pp
.Ar ipaddr
.Op / Ar prefixlen
.Op \&: Ar service
.Sm on
.Xc
Accept datagrams from
.Ar ipaddr .
.Ar ipaddr
can be specified as an IPv4 address or as an IPv6
address enclosed with
.Ql \&[
and
.Ql \&] .
If specified,
.Ar service
is the name or number of a UDP service (see
.Xr services 5 )
the source packet must belong to.
A
.Ar service
of
.Ql \&*
accepts UDP packets from any source port.
The default
.Ar service
is
.Ql syslog .
If
.Ar ipaddr
is an IPv4 address, a missing
.Ar masklen
will be substituted by the historic class A or class B netmasks if
.Ar ipaddr
belongs to the address range of class A or B,
respectively,
or by 24 otherwise.
If
.Ar ipaddr
is an IPv6 address,
a missing
.Ar masklen
will be substituted by 128.
.It Xo
.Sm off
.Ar domainname Op \&: Ar service
.Sm on
.Xc
Accept datagrams where the reverse address lookup yields
.Ar domainname
for the sender address.
The meaning of
.Ar service
is as explained above.
.Ar domainname
can contain special characters of a shell-style pattern such as
.Ql Li \&* .
.El
.Pp
The
.Fl a
options are ignored if the
.Fl s
option is also specified.
.It Xo
.Fl b
.Sm off
.Ar bind_address Op \&: Ar service
.Sm on
.Xc
.It Xo
.Fl b
.Sm off
.Li \&: Ar service
.Sm on
.Xc
Bind to a specific address and/or port.
The address can be specified as a hostname,
and the port as a service name.
If an IPv6 address is specified, it should be enclosed with
.Ql \&[
and
.Ql \&] .
The default
.Ar service
is
.Ql syslog .
This option can be specified multiple times to bind to
multiple addresses and/or ports.
.It Fl C
Create log files that do not exist
.Pq permission is set to Ql Li 0600 .
.It Fl c
Disable the compression of repeated instances of the same line
into a single line of the form
.Dq Li "last message repeated N times"
when the output is a pipe to another program.
If specified twice,
disable this compression in all cases.
.It Fl d
Put
.Nm
into debugging mode.
This is probably only of use to developers working on
.Nm .
.It Fl f Ar config_file
Specify the pathname of an alternate configuration file;
the default is
.Pa /etc/syslog.conf .
.It Fl F
Run
.Nm
in the foreground,
rather than going into daemon mode.
This is useful if some other process uses
.Xr fork 2
and
.Xr exec 3
to run
.Nm ,
and wants to monitor when and how it exits.
.It Fl H
When logging remote messages, use the hostname from the message (if supplied)
instead of the address from which the message was received.
.It Fl k
Disable the translation of
messages received with facility
.Dq kern
to facility
.Dq user .
Usually the
.Dq kern
facility is reserved for messages read directly from
.Pa /dev/klog .
.It Fl M Ar fwd_length
Set the limit on the length of forwarded messages.
The minimum is 480 octets.
The maximum for RFC 3164 output format is 1024 octets.
The default is 1024 octets.
.It Fl m Ar mark_interval
Select the number of minutes between
.Dq mark
messages;
the default is 20 minutes.
.It Fl N
Disable binding on UDP sockets.
RFC 3164 recommends that outgoing
.Nm
messages should originate from the privileged port;
this option
.Em disables
the recommended behavior.
This option inherits
.Fl s .
.It Fl n
Disable DNS query for every request.
.It Fl O Ar format
Select the output format of generated log messages.
The values
.Ar bsd
and
.Ar rfc3164
are used to generate RFC 3164 log messages.
The values
.Ar syslog
and
.Ar rfc5424
are used to generate RFC 5424 log messages,
having RFC 3339 timestamps with microsecond precision.
The default is to generate RFC 3164 log messages.
.It Fl o
Prefix kernel messages with the full kernel boot file as determined by
.Xr getbootfile 3 .
Without this, the kernel message prefix is always
.Dq Li kernel: .
.It Fl p Ar log_socket
Specify the pathname of an alternate log socket to be used instead;
the default is
.Pa /var/run/log .
When a single
.Fl p
option is specified,
the default pathname is replaced with the specified one.
When two or more
.Fl p
options are specified,
the remaining pathnames are treated as additional log sockets.
.It Fl P Ar pid_file
Specify an alternative file in which to store the process ID.
The default is
.Pa /var/run/syslog.pid .
.It Fl S Ar logpriv_socket
Specify the pathname of an alternate log socket for privileged
applications to be used instead;
the default is
.Pa /var/run/logpriv .
When a single
.Fl S
option is specified,
the default pathname is replaced with the specified one.
When two or more
.Fl S
options are specified,
the remaining pathnames are treated as additional log sockets.
.It Fl l Oo Ar mode Ns \&: Oc Ns Ar path
Specify a location where
.Nm
should place an additional log socket.
The primary use for this is to place additional log sockets in
.Pa /var/run/log
of various chroot filespaces.
File permissions for socket can be specified in octal representation in
.Ar mode ,
delimited with a colon.
The socket location must be specified as an absolute pathname in
.Ar path .
.It Fl s
Operate in secure mode.
Do not log messages from remote machines.
If specified twice,
no network socket will be opened at all,
which also disables logging to remote machines.
.It Fl T
Always use the local time and date for messages received from the network,
instead of the timestamp field supplied in the message by the remote host.
This is useful if some of the originating hosts cannot keep time properly
or are unable to generate a correct timestamp.
.It Fl u
Unique priority logging.
Only log messages at the specified priority.
Without this option,
messages at the stated priority or higher are logged.
This option changes the default comparison from
.Dq =>
to
.Dq = .
.It Fl v
Verbose logging.
If specified once,
the numeric facility and priority are
logged with each locally-written message.
If specified more than once,
the names of the facility and priority are logged with each locally-written
message.
.Pp
This option only affects the formatting of RFC 3164 messages.
Messages formatted according to RFC 5424 always include a
facility/priority number.
.El
.Pp
The
.Nm
utility reads its configuration file when it starts up and whenever it
receives a hangup signal.
For information on the format of the configuration file,
see
.Xr syslog.conf 5 .
.Pp
The
.Nm
utility reads messages from the
.Ux
domain sockets
.Pa /var/run/log
and
.Pa /var/run/logpriv ,
from an Internet domain socket specified in
.Pa /etc/services ,
and from the special device
.Pa /dev/klog
.Pq to read kernel messages .
.Pp
The
.Nm
utility creates its process ID file,
by default
.Pa /var/run/syslog.pid ,
and stores its process
ID there.
This can be used to kill or reconfigure
.Nm .
.Pp
The message sent to
.Nm
should consist of a single line.
The message can contain a priority code,
which should be a preceding
decimal number in angle braces,
for example,
.Sq Aq 5 .
This priority code should map into the priorities defined in the
include file
.In sys/syslog.h .
.Pp
For security reasons,
.Nm
will not append to log files that do not exist
.Po unless Fl C
option is specified
.Pc ;
therefore, they must be created manually before running
.Nm .
.Pp
The date and time are taken from the received message.
If the format of the timestamp field is incorrect,
time obtained from the local host is used instead.
This can be overridden by the
.Fl T
flag.
.Sh FILES
.Bl -tag -width /var/run/syslog.pid -compact
.It Pa /etc/syslog.conf
configuration file
.It Pa /var/run/syslog.pid
default process ID file
.It Pa /var/run/log
name of the
.Ux
domain datagram log socket
.It Pa /var/run/logpriv
.Ux
socket for privileged applications
.It Pa /dev/klog
kernel log device
.El
.Sh SEE ALSO
.Xr logger 1 ,
.Xr syslog 3 ,
.Xr services 5 ,
.Xr syslog.conf 5 ,
.Xr newsyslog 8
.Sh HISTORY
The
.Nm
utility appeared in
.Bx 4.3 .
.Pp
The
.Fl a ,
.Fl s ,
.Fl u ,
and
.Fl v
options are
.Fx 2.2
extensions.
.Sh BUGS
The ability to log messages received in UDP packets is equivalent to
an unauthenticated remote disk-filling service,
and should probably be disabled by default.
Some sort of
.No inter- Ns Nm syslogd
authentication mechanism ought to be worked out.
To prevent the worst abuse,
use of the
.Fl a
option is therefore highly recommended.
.Pp
The
.Fl a
matching algorithm does not pretend to be very efficient;
use of numeric IP addresses is faster than domain name comparison.
Since the allowed peer list is being walked linearly,
peer groups from which frequent messages are anticipated
should be put early into the
.Fl a
list.
.Pp
The log socket was moved from
.Pa /dev
to ease the use of a read-only root file system.
This may confuse
some old binaries so that a symbolic link might be used for a
transitional period.
486transitional period.
487