1.\" Copyright (c) 1983, 1986, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd July 2, 2018 29.Dt SYSLOGD 8 30.Os 31.Sh NAME 32.Nm syslogd 33.Nd log systems messages 34.Sh SYNOPSIS 35.Nm 36.Op Fl 468ACcdFHkNnosTuv 37.Op Fl a Ar allowed_peer 38.Op Fl b Ar bind_address 39.Op Fl f Ar config_file 40.Op Fl l Oo Ar mode Ns \&: Oc Ns Ar path 41.Op Fl M Ar fwd_length 42.Op Fl m Ar mark_interval 43.Op Fl O Ar format 44.Op Fl P Ar pid_file 45.Op Fl p Ar log_socket 46.Op Fl S Ar logpriv_socket 47.Sh DESCRIPTION 48The 49.Nm 50utility reads and logs messages to the system console, 51log files, 52other 53machines and/or users as specified by its configuration file. 54.Pp 55The options are as follows: 56.Bl -tag -width indent 57.It Fl 4 58Force 59.Nm 60to use IPv4 addresses only. 61.It Fl 6 62Force 63.Nm 64to use IPv6 addresses only. 65.It Fl 8 66Tells 67.Nm 68not to interfere with 8-bit data. 69Normally 70.Nm 71will replace C1 control characters 72.Pq ISO 8859 and Unicode characters 73with their 74.Dq M- Ns Em x 75equivalent. 76Note, this option does not change the way 77.Nm 78alters control characters 79.Pq see Xr iscntrl 3 . 80They will always be replaced with their 81.Dq ^ Ns Em x 82equivalent. 83.It Fl A 84Ordinarily, 85.Nm 86tries to send the message to only one address 87even if the host has more than one A or AAAA record. 88If this option is specified, 89.Nm 90tries to send the message to all addresses. 91.It Fl a Ar allowed_peer 92Allow 93.Ar allowed_peer 94to log to this 95.Nm 96using UDP datagrams. 97Multiple 98.Fl a 99options may be specified. 100.Pp 101The 102.Ar allowed_peer 103option may be any of the following: 104.Bl -tag -width "ipaddr[/prefixlen][:service]XX" 105.It Xo 106.Sm off 107.Ar ipaddr 108.Op / Ar masklen 109.Op \&: Ar service 110.Pp 111.Ar ipaddr 112.Op / Ar prefixlen 113.Op \&: Ar service 114.Sm on 115.Xc 116Accept datagrams from 117.Ar ipaddr , 118.Ar ipaddr 119can be specified as an IPv4 address or as an IPv6 120address enclosed with 121.Ql \&[ 122and 123.Ql \&] . 124If specified, 125.Ar service 126is the name or number of an UDP service (see 127.Xr services 5 ) 128the source packet must belong to. 129A 130.Ar service 131of 132.Ql \&* 133accepts UDP packets from any source port. 134The default 135.Ar service 136is 137.Ql syslog . 138If 139.Ar ipaddr 140is IPv4 address, a missing 141.Ar masklen 142will be substituted by the historic class A or class B netmasks if 143.Ar ipaddr 144belongs into the address range of class A or B, 145respectively, 146or by 24 otherwise. 147If 148.Ar ipaddr 149is IPv6 address, 150a missing 151.Ar masklen 152will be substituted by 128. 153.It Xo 154.Sm off 155.Ar domainname Op \&: Ar service 156.Sm on 157.Xc 158Accept datagrams where the reverse address lookup yields 159.Ar domainname 160for the sender address. 161The meaning of 162.Ar service 163is as explained above. 164.Ar domainname 165can contain special characters of a shell-style pattern such as 166.Ql Li \&* . 167.El 168.Pp 169The 170.Fl a 171options are ignored if the 172.Fl s 173option is also specified. 174.It Xo 175.Fl b 176.Sm off 177.Ar bind_address Op \&: Ar service 178.Sm on 179.Xc 180.It Xo 181.Fl b 182.Sm off 183.Li \&: Ar service 184.Sm on 185.Xc 186Bind to a specific address and/or port. 187The address can be specified as a hostname, 188and the port as a service name. 189If an IPv6 address is specified, it should be enclosed with 190.Ql \&[ 191and 192.Ql \&] . 193The default 194.Ar service 195is 196.Ql syslog . 197This option can be specified multiple times to bind to 198multiple addresses and/or ports. 199.It Fl C 200Create log files that do not exist 201.Pq permission is set to Ql Li 0600 . 202.It Fl c 203Disable the compression of repeated instances of the same line 204into a single line of the form 205.Dq Li "last message repeated N times" 206when the output is a pipe to another program. 207If specified twice, 208disable this compression in all cases. 209.It Fl d 210Put 211.Nm 212into debugging mode. 213This is probably only of use to developers working on 214.Nm . 215.It Fl f Ar config_file 216Specify the pathname of an alternate configuration file; 217the default is 218.Pa /etc/syslog.conf . 219.It Fl F 220Run 221.Nm 222in the foreground, 223rather than going into daemon mode. 224This is useful if some other process uses 225.Xr fork 2 226and 227.Xr exec 3 228to run 229.Nm , 230and wants to monitor when and how it exits. 231.It Fl H 232When logging remote messages use hostname from the message (if supplied) 233instead of using address from which the message was received. 234.It Fl k 235Disable the translation of 236messages received with facility 237.Dq kern 238to facility 239.Dq user . 240Usually the 241.Dq kern 242facility is reserved for messages read directly from 243.Pa /dev/klog . 244.It Fl M Ar fwd_length 245Set the limit on the length of forwarded messages. 246The minimum is 480 octets. 247The maximum for RFC 3164 output format is 1024 octets. 248The default is 1024 octets. 249.It Fl m Ar mark_interval 250Select the number of minutes between 251.Dq mark 252messages; 253the default is 20 minutes. 254.It Fl N 255Disable binding on UDP sockets. 256RFC 3164 recommends that outgoing 257.Nm 258messages should originate from the privileged port, 259this option 260.Em disables 261the recommended behavior. 262This option inherits 263.Fl s . 264.It Fl n 265Disable DNS query for every request. 266.It Fl O Ar format 267Select the output format of generated log messages. 268The values 269.Ar bsd 270and 271.Ar rfc3164 272are used to generate RFC 3164 log messages. 273The values 274.Ar syslog 275and 276.Ar rfc5424 277are used to generate RFC 5424 log messages, 278having RFC 3339 timestamps with microsecond precision. 279The default is to generate RFC 3164 log messages. 280.It Fl o 281Prefix kernel messages with the full kernel boot file as determined by 282.Xr getbootfile 3 . 283Without this, the kernel message prefix is always 284.Dq Li kernel: . 285.It Fl p Ar log_socket 286Specify the pathname of an alternate log socket to be used instead; 287the default is 288.Pa /var/run/log . 289When a single 290.Fl p 291option is specified, 292the default pathname is replaced with the specified one. 293When two or more 294.Fl p 295options are specified, 296the remaining pathnames are treated as additional log sockets. 297.It Fl P Ar pid_file 298Specify an alternative file in which to store the process ID. 299The default is 300.Pa /var/run/syslog.pid . 301.It Fl S Ar logpriv_socket 302Specify the pathname of an alternate log socket for privileged 303applications to be used instead; 304the default is 305.Pa /var/run/logpriv . 306When a single 307.Fl S 308option is specified, 309the default pathname is replaced with the specified one. 310When two or more 311.Fl S 312options are specified, 313the remaining pathnames are treated as additional log sockets. 314.It Fl l Oo Ar mode Ns \&: Oc Ns Ar path 315Specify a location where 316.Nm 317should place an additional log socket. 318The primary use for this is to place additional log sockets in 319.Pa /var/run/log 320of various chroot filespaces. 321File permissions for socket can be specified in octal representation in 322.Ar mode , 323delimited with a colon. 324The socket location must be specified as an absolute pathname in 325.Ar path . 326.It Fl s 327Operate in secure mode. 328Do not log messages from remote machines. 329If specified twice, 330no network socket will be opened at all, 331which also disables logging to remote machines. 332.It Fl T 333Always use the local time and date for messages received from the network, 334instead of the timestamp field supplied in the message by the remote host. 335This is useful if some of the originating hosts cannot keep time properly 336or are unable to generate a correct timestamp. 337.It Fl u 338Unique priority logging. 339Only log messages at the specified priority. 340Without this option, 341messages at the stated priority or higher are logged. 342This option changes the default comparison from 343.Dq => 344to 345.Dq = . 346.It Fl v 347Verbose logging. 348If specified once, 349the numeric facility and priority are 350logged with each locally-written message. 351If specified more than once, 352the names of the facility and priority are logged with each locally-written 353message. 354.Pp 355This option only affects the formatting of RFC 3164 messages. 356Messages formatted according to RFC 5424 always include a 357facility/priority number. 358.El 359.Pp 360The 361.Nm 362utility reads its configuration file when it starts up and whenever it 363receives a hangup signal. 364For information on the format of the configuration file, 365see 366.Xr syslog.conf 5 . 367.Pp 368The 369.Nm 370utility reads messages from the 371.Ux 372domain sockets 373.Pa /var/run/log 374and 375.Pa /var/run/logpriv , 376from an Internet domain socket specified in 377.Pa /etc/services , 378and from the special device 379.Pa /dev/klog 380.Pq to read kernel messages . 381.Pp 382The 383.Nm 384utility creates its process ID file, 385by default 386.Pa /var/run/syslog.pid , 387and stores its process 388ID there. 389This can be used to kill or reconfigure 390.Nm . 391.Pp 392The message sent to 393.Nm 394should consist of a single line. 395The message can contain a priority code, 396which should be a preceding 397decimal number in angle braces, 398for example, 399.Sq Aq 5 . 400This priority code should map into the priorities defined in the 401include file 402.In sys/syslog.h . 403.Pp 404For security reasons, 405.Nm 406will not append to log files that do not exist 407.Po unless Fl C 408option is specified 409.Pc ; 410therefore, they must be created manually before running 411.Nm . 412.Pp 413The date and time are taken from the received message. 414If the format of the timestamp field is incorrect, 415time obtained from the local host is used instead. 416This can be overridden by the 417.Fl T 418flag. 419.Sh FILES 420.Bl -tag -width /var/run/syslog.pid -compact 421.It Pa /etc/syslog.conf 422configuration file 423.It Pa /var/run/syslog.pid 424default process ID file 425.It Pa /var/run/log 426name of the 427.Ux 428domain datagram log socket 429.It Pa /var/run/logpriv 430.Ux 431socket for privileged applications 432.It Pa /dev/klog 433kernel log device 434.El 435.Sh SEE ALSO 436.Xr logger 1 , 437.Xr syslog 3 , 438.Xr services 5 , 439.Xr syslog.conf 5 , 440.Xr newsyslog 8 441.Sh HISTORY 442The 443.Nm 444utility appeared in 445.Bx 4.3 . 446.Pp 447The 448.Fl a , 449.Fl s , 450.Fl u , 451and 452.Fl v 453options are 454.Fx 2.2 455extensions. 456.Sh BUGS 457The ability to log messages received in UDP packets is equivalent to 458an unauthenticated remote disk-filling service, 459and should probably be disabled by default. 460Some sort of 461.No inter- Ns Nm syslogd 462authentication mechanism ought to be worked out. 463To prevent the worst abuse, 464use of the 465.Fl a 466option is therefore highly recommended. 467.Pp 468The 469.Fl a 470matching algorithm does not pretend to be very efficient; 471use of numeric IP addresses is faster than domain name comparison. 472Since the allowed peer list is being walked linearly, 473peer groups where frequent messages are being anticipated 474from should be put early into the 475.Fl a 476list. 477.Pp 478The log socket was moved from 479.Pa /dev 480to ease the use of a read-only root file system. 481This may confuse 482some old binaries so that a symbolic link might be used for a 483transitional period. 484