xref: /freebsd/usr.sbin/syslogd/syslogd.8 (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1.\" Copyright (c) 1983, 1986, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd July 2, 2018
29.Dt SYSLOGD 8
30.Os
31.Sh NAME
32.Nm syslogd
33.Nd log systems messages
34.Sh SYNOPSIS
35.Nm
36.Op Fl 468ACcdFHkNnosTuv
37.Op Fl a Ar allowed_peer
38.Op Fl b Ar bind_address
39.Op Fl f Ar config_file
40.Op Fl l Oo Ar mode Ns \&: Oc Ns Ar path
41.Op Fl M Ar fwd_length
42.Op Fl m Ar mark_interval
43.Op Fl O Ar format
44.Op Fl P Ar pid_file
45.Op Fl p Ar log_socket
46.Op Fl S Ar logpriv_socket
47.Sh DESCRIPTION
48The
49.Nm
50utility reads and logs messages to the system console,
51log files,
52other
53machines and/or users as specified by its configuration file.
54.Pp
55The options are as follows:
56.Bl -tag -width indent
57.It Fl 4
58Force
59.Nm
60to use IPv4 addresses only.
61.It Fl 6
62Force
63.Nm
64to use IPv6 addresses only.
65.It Fl 8
66Tells
67.Nm
68not to interfere with 8-bit data.
69Normally
70.Nm
71will replace C1 control characters
72.Pq ISO 8859 and Unicode characters
73with their
74.Dq M- Ns Em x
75equivalent.
76Note, this option does not change the way
77.Nm
78alters control characters
79.Pq see Xr iscntrl 3 .
80They will always be replaced with their
81.Dq ^ Ns Em x
82equivalent.
83.It Fl A
84Ordinarily,
85.Nm
86tries to send the message to only one address
87even if the host has more than one A or AAAA record.
88If this option is specified,
89.Nm
90tries to send the message to all addresses.
91.It Fl a Ar allowed_peer
92Allow
93.Ar allowed_peer
94to log to this
95.Nm
96using UDP datagrams.
97Multiple
98.Fl a
99options may be specified.
100.Pp
101The
102.Ar allowed_peer
103option may be any of the following:
104.Bl -tag -width "ipaddr[/prefixlen][:service]XX"
105.It Xo
106.Sm off
107.Ar ipaddr
108.Op / Ar masklen
109.Op \&: Ar service
110.Pp
111.Ar ipaddr
112.Op / Ar prefixlen
113.Op \&: Ar service
114.Sm on
115.Xc
116Accept datagrams from
117.Ar ipaddr ,
118.Ar ipaddr
119can be specified as an IPv4 address or as an IPv6
120address enclosed with
121.Ql \&[
122and
123.Ql \&] .
124If specified,
125.Ar service
126is the name or number of an UDP service (see
127.Xr services 5 )
128the source packet must belong to.
129A
130.Ar service
131of
132.Ql \&*
133accepts UDP packets from any source port.
134The default
135.Ar service
136is
137.Ql syslog .
138If
139.Ar ipaddr
140is IPv4 address, a missing
141.Ar masklen
142will be substituted by the historic class A or class B netmasks if
143.Ar ipaddr
144belongs into the address range of class A or B,
145respectively,
146or by 24 otherwise.
147If
148.Ar ipaddr
149is IPv6 address,
150a missing
151.Ar masklen
152will be substituted by 128.
153.It Xo
154.Sm off
155.Ar domainname Op \&: Ar service
156.Sm on
157.Xc
158Accept datagrams where the reverse address lookup yields
159.Ar domainname
160for the sender address.
161The meaning of
162.Ar service
163is as explained above.
164.Ar domainname
165can contain special characters of a shell-style pattern such as
166.Ql Li \&* .
167.El
168.Pp
169The
170.Fl a
171options are ignored if the
172.Fl s
173option is also specified.
174.It Xo
175.Fl b
176.Sm off
177.Ar bind_address Op \&: Ar service
178.Sm on
179.Xc
180.It Xo
181.Fl b
182.Sm off
183.Li \&: Ar service
184.Sm on
185.Xc
186Bind to a specific address and/or port.
187The address can be specified as a hostname,
188and the port as a service name.
189If an IPv6 address is specified, it should be enclosed with
190.Ql \&[
191and
192.Ql \&] .
193The default
194.Ar service
195is
196.Ql syslog .
197This option can be specified multiple times to bind to
198multiple addresses and/or ports.
199.It Fl C
200Create log files that do not exist
201.Pq permission is set to Ql Li 0600 .
202.It Fl c
203Disable the compression of repeated instances of the same line
204into a single line of the form
205.Dq Li "last message repeated N times"
206when the output is a pipe to another program.
207If specified twice,
208disable this compression in all cases.
209.It Fl d
210Put
211.Nm
212into debugging mode.
213This is probably only of use to developers working on
214.Nm .
215.It Fl f Ar config_file
216Specify the pathname of an alternate configuration file;
217the default is
218.Pa /etc/syslog.conf .
219.It Fl F
220Run
221.Nm
222in the foreground,
223rather than going into daemon mode.
224This is useful if some other process uses
225.Xr fork 2
226and
227.Xr exec 3
228to run
229.Nm ,
230and wants to monitor when and how it exits.
231.It Fl H
232When logging remote messages use hostname from the message (if supplied)
233instead of using address from which the message was received.
234.It Fl k
235Disable the translation of
236messages received with facility
237.Dq kern
238to facility
239.Dq user .
240Usually the
241.Dq kern
242facility is reserved for messages read directly from
243.Pa /dev/klog .
244.It Fl M Ar fwd_length
245Set the limit on the length of forwarded messages.
246The minimum is 480 octets.
247The maximum for RFC 3164 output format is 1024 octets.
248The default is 1024 octets.
249.It Fl m Ar mark_interval
250Select the number of minutes between
251.Dq mark
252messages;
253the default is 20 minutes.
254.It Fl N
255Disable binding on UDP sockets.
256RFC 3164 recommends that outgoing
257.Nm
258messages should originate from the privileged port,
259this option
260.Em disables
261the recommended behavior.
262This option inherits
263.Fl s .
264.It Fl n
265Disable DNS query for every request.
266.It Fl O Ar format
267Select the output format of generated log messages.
268The values
269.Ar bsd
270and
271.Ar rfc3164
272are used to generate RFC 3164 log messages.
273The values
274.Ar syslog
275and
276.Ar rfc5424
277are used to generate RFC 5424 log messages,
278having RFC 3339 timestamps with microsecond precision.
279The default is to generate RFC 3164 log messages.
280.It Fl o
281Prefix kernel messages with the full kernel boot file as determined by
282.Xr getbootfile 3 .
283Without this, the kernel message prefix is always
284.Dq Li kernel: .
285.It Fl p Ar log_socket
286Specify the pathname of an alternate log socket to be used instead;
287the default is
288.Pa /var/run/log .
289When a single
290.Fl p
291option is specified,
292the default pathname is replaced with the specified one.
293When two or more
294.Fl p
295options are specified,
296the remaining pathnames are treated as additional log sockets.
297.It Fl P Ar pid_file
298Specify an alternative file in which to store the process ID.
299The default is
300.Pa /var/run/syslog.pid .
301.It Fl S Ar logpriv_socket
302Specify the pathname of an alternate log socket for privileged
303applications to be used instead;
304the default is
305.Pa /var/run/logpriv .
306When a single
307.Fl S
308option is specified,
309the default pathname is replaced with the specified one.
310When two or more
311.Fl S
312options are specified,
313the remaining pathnames are treated as additional log sockets.
314.It Fl l Oo Ar mode Ns \&: Oc Ns Ar path
315Specify a location where
316.Nm
317should place an additional log socket.
318The primary use for this is to place additional log sockets in
319.Pa /var/run/log
320of various chroot filespaces.
321File permissions for socket can be specified in octal representation in
322.Ar mode ,
323delimited with a colon.
324The socket location must be specified as an absolute pathname in
325.Ar path .
326.It Fl s
327Operate in secure mode.
328Do not log messages from remote machines.
329If specified twice,
330no network socket will be opened at all,
331which also disables logging to remote machines.
332.It Fl T
333Always use the local time and date for messages received from the network,
334instead of the timestamp field supplied in the message by the remote host.
335This is useful if some of the originating hosts cannot keep time properly
336or are unable to generate a correct timestamp.
337.It Fl u
338Unique priority logging.
339Only log messages at the specified priority.
340Without this option,
341messages at the stated priority or higher are logged.
342This option changes the default comparison from
343.Dq =>
344to
345.Dq = .
346.It Fl v
347Verbose logging.
348If specified once,
349the numeric facility and priority are
350logged with each locally-written message.
351If specified more than once,
352the names of the facility and priority are logged with each locally-written
353message.
354.Pp
355This option only affects the formatting of RFC 3164 messages.
356Messages formatted according to RFC 5424 always include a
357facility/priority number.
358.El
359.Pp
360The
361.Nm
362utility reads its configuration file when it starts up and whenever it
363receives a hangup signal.
364For information on the format of the configuration file,
365see
366.Xr syslog.conf 5 .
367.Pp
368The
369.Nm
370utility reads messages from the
371.Ux
372domain sockets
373.Pa /var/run/log
374and
375.Pa /var/run/logpriv ,
376from an Internet domain socket specified in
377.Pa /etc/services ,
378and from the special device
379.Pa /dev/klog
380.Pq to read kernel messages .
381.Pp
382The
383.Nm
384utility creates its process ID file,
385by default
386.Pa /var/run/syslog.pid ,
387and stores its process
388ID there.
389This can be used to kill or reconfigure
390.Nm .
391.Pp
392The message sent to
393.Nm
394should consist of a single line.
395The message can contain a priority code,
396which should be a preceding
397decimal number in angle braces,
398for example,
399.Sq Aq 5 .
400This priority code should map into the priorities defined in the
401include file
402.In sys/syslog.h .
403.Pp
404For security reasons,
405.Nm
406will not append to log files that do not exist
407.Po unless Fl C
408option is specified
409.Pc ;
410therefore, they must be created manually before running
411.Nm .
412.Pp
413The date and time are taken from the received message.
414If the format of the timestamp field is incorrect,
415time obtained from the local host is used instead.
416This can be overridden by the
417.Fl T
418flag.
419.Sh FILES
420.Bl -tag -width /var/run/syslog.pid -compact
421.It Pa /etc/syslog.conf
422configuration file
423.It Pa /var/run/syslog.pid
424default process ID file
425.It Pa /var/run/log
426name of the
427.Ux
428domain datagram log socket
429.It Pa /var/run/logpriv
430.Ux
431socket for privileged applications
432.It Pa /dev/klog
433kernel log device
434.El
435.Sh SEE ALSO
436.Xr logger 1 ,
437.Xr syslog 3 ,
438.Xr services 5 ,
439.Xr syslog.conf 5 ,
440.Xr newsyslog 8
441.Sh HISTORY
442The
443.Nm
444utility appeared in
445.Bx 4.3 .
446.Pp
447The
448.Fl a ,
449.Fl s ,
450.Fl u ,
451and
452.Fl v
453options are
454.Fx 2.2
455extensions.
456.Sh BUGS
457The ability to log messages received in UDP packets is equivalent to
458an unauthenticated remote disk-filling service,
459and should probably be disabled by default.
460Some sort of
461.No inter- Ns Nm syslogd
462authentication mechanism ought to be worked out.
463To prevent the worst abuse,
464use of the
465.Fl a
466option is therefore highly recommended.
467.Pp
468The
469.Fl a
470matching algorithm does not pretend to be very efficient;
471use of numeric IP addresses is faster than domain name comparison.
472Since the allowed peer list is being walked linearly,
473peer groups where frequent messages are being anticipated
474from should be put early into the
475.Fl a
476list.
477.Pp
478The log socket was moved from
479.Pa /dev
480to ease the use of a read-only root file system.
481This may confuse
482some old binaries so that a symbolic link might be used for a
483transitional period.
484