1.\" Copyright (c) 1983, 1986, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)syslogd.8 8.1 (Berkeley) 6/6/93 29.\" $FreeBSD$ 30.\" 31.Dd July 2, 2018 32.Dt SYSLOGD 8 33.Os 34.Sh NAME 35.Nm syslogd 36.Nd log systems messages 37.Sh SYNOPSIS 38.Nm 39.Op Fl 468ACcdFHkNnosTuv 40.Op Fl a Ar allowed_peer 41.Op Fl b Ar bind_address 42.Op Fl f Ar config_file 43.Op Fl l Oo Ar mode Ns \&: Oc Ns Ar path 44.Op Fl M Ar fwd_length 45.Op Fl m Ar mark_interval 46.Op Fl O Ar format 47.Op Fl P Ar pid_file 48.Op Fl p Ar log_socket 49.Op Fl S Ar logpriv_socket 50.Sh DESCRIPTION 51The 52.Nm 53utility reads and logs messages to the system console, 54log files, 55other 56machines and/or users as specified by its configuration file. 57.Pp 58The options are as follows: 59.Bl -tag -width indent 60.It Fl 4 61Force 62.Nm 63to use IPv4 addresses only. 64.It Fl 6 65Force 66.Nm 67to use IPv6 addresses only. 68.It Fl 8 69Tells 70.Nm 71not to interfere with 8-bit data. 72Normally 73.Nm 74will replace C1 control characters 75.Pq ISO 8859 and Unicode characters 76with their 77.Dq M- Ns Em x 78equivalent. 79Note, this option does not change the way 80.Nm 81alters control characters 82.Pq see Xr iscntrl 3 . 83They will always be replaced with their 84.Dq ^ Ns Em x 85equivalent. 86.It Fl A 87Ordinarily, 88.Nm 89tries to send the message to only one address 90even if the host has more than one A or AAAA record. 91If this option is specified, 92.Nm 93tries to send the message to all addresses. 94.It Fl a Ar allowed_peer 95Allow 96.Ar allowed_peer 97to log to this 98.Nm 99using UDP datagrams. 100Multiple 101.Fl a 102options may be specified. 103.Pp 104The 105.Ar allowed_peer 106option may be any of the following: 107.Bl -tag -width "ipaddr[/prefixlen][:service]XX" 108.It Xo 109.Sm off 110.Ar ipaddr 111.Op / Ar masklen 112.Op \&: Ar service 113.Pp 114.Ar ipaddr 115.Op / Ar prefixlen 116.Op \&: Ar service 117.Sm on 118.Xc 119Accept datagrams from 120.Ar ipaddr , 121.Ar ipaddr 122can be specified as an IPv4 address or as an IPv6 123address enclosed with 124.Ql \&[ 125and 126.Ql \&] . 127If specified, 128.Ar service 129is the name or number of an UDP service (see 130.Xr services 5 ) 131the source packet must belong to. 132A 133.Ar service 134of 135.Ql \&* 136accepts UDP packets from any source port. 137The default 138.Ar service 139is 140.Ql syslog . 141If 142.Ar ipaddr 143is IPv4 address, a missing 144.Ar masklen 145will be substituted by the historic class A or class B netmasks if 146.Ar ipaddr 147belongs into the address range of class A or B, 148respectively, 149or by 24 otherwise. 150If 151.Ar ipaddr 152is IPv6 address, 153a missing 154.Ar masklen 155will be substituted by 128. 156.It Xo 157.Sm off 158.Ar domainname Op \&: Ar service 159.Sm on 160.Xc 161Accept datagrams where the reverse address lookup yields 162.Ar domainname 163for the sender address. 164The meaning of 165.Ar service 166is as explained above. 167.Ar domainname 168can contain special characters of a shell-style pattern such as 169.Ql Li \&* . 170.El 171.Pp 172The 173.Fl a 174options are ignored if the 175.Fl s 176option is also specified. 177.It Xo 178.Fl b 179.Sm off 180.Ar bind_address Op \&: Ar service 181.Sm on 182.Xc 183.It Xo 184.Fl b 185.Sm off 186.Li \&: Ar service 187.Sm on 188.Xc 189Bind to a specific address and/or port. 190The address can be specified as a hostname, 191and the port as a service name. 192If an IPv6 address is specified, it should be enclosed with 193.Ql \&[ 194and 195.Ql \&] . 196The default 197.Ar service 198is 199.Ql syslog . 200This option can be specified multiple times to bind to 201multiple addresses and/or ports. 202.It Fl C 203Create log files that do not exist 204.Pq permission is set to Ql Li 0600 . 205.It Fl c 206Disable the compression of repeated instances of the same line 207into a single line of the form 208.Dq Li "last message repeated N times" 209when the output is a pipe to another program. 210If specified twice, 211disable this compression in all cases. 212.It Fl d 213Put 214.Nm 215into debugging mode. 216This is probably only of use to developers working on 217.Nm . 218.It Fl f Ar config_file 219Specify the pathname of an alternate configuration file; 220the default is 221.Pa /etc/syslog.conf . 222.It Fl F 223Run 224.Nm 225in the foreground, 226rather than going into daemon mode. 227This is useful if some other process uses 228.Xr fork 2 229and 230.Xr exec 3 231to run 232.Nm , 233and wants to monitor when and how it exits. 234.It Fl H 235When logging remote messages use hostname from the message (if supplied) 236instead of using address from which the message was received. 237.It Fl k 238Disable the translation of 239messages received with facility 240.Dq kern 241to facility 242.Dq user . 243Usually the 244.Dq kern 245facility is reserved for messages read directly from 246.Pa /dev/klog . 247.It Fl M Ar fwd_length 248Set the limit on the length of forwarded messages. 249The minimum is 480 octets. 250The maximum for RFC 3164 output format is 1024 octets. 251The default is 1024 octets. 252.It Fl m Ar mark_interval 253Select the number of minutes between 254.Dq mark 255messages; 256the default is 20 minutes. 257.It Fl N 258Disable binding on UDP sockets. 259RFC 3164 recommends that outgoing 260.Nm 261messages should originate from the privileged port, 262this option 263.Em disables 264the recommended behavior. 265This option inherits 266.Fl s . 267.It Fl n 268Disable DNS query for every request. 269.It Fl O Ar format 270Select the output format of generated log messages. 271The values 272.Ar bsd 273and 274.Ar rfc3164 275are used to generate RFC 3164 log messages. 276The values 277.Ar syslog 278and 279.Ar rfc5424 280are used to generate RFC 5424 log messages, 281having RFC 3339 timestamps with microsecond precision. 282The default is to generate RFC 3164 log messages. 283.It Fl o 284Prefix kernel messages with the full kernel boot file as determined by 285.Xr getbootfile 3 . 286Without this, the kernel message prefix is always 287.Dq Li kernel: . 288.It Fl p Ar log_socket 289Specify the pathname of an alternate log socket to be used instead; 290the default is 291.Pa /var/run/log . 292When a single 293.Fl p 294option is specified, 295the default pathname is replaced with the specified one. 296When two or more 297.Fl p 298options are specified, 299the remaining pathnames are treated as additional log sockets. 300.It Fl P Ar pid_file 301Specify an alternative file in which to store the process ID. 302The default is 303.Pa /var/run/syslog.pid . 304.It Fl S Ar logpriv_socket 305Specify the pathname of an alternate log socket for privileged 306applications to be used instead; 307the default is 308.Pa /var/run/logpriv . 309When a single 310.Fl S 311option is specified, 312the default pathname is replaced with the specified one. 313When two or more 314.Fl S 315options are specified, 316the remaining pathnames are treated as additional log sockets. 317.It Fl l Oo Ar mode Ns \&: Oc Ns Ar path 318Specify a location where 319.Nm 320should place an additional log socket. 321The primary use for this is to place additional log sockets in 322.Pa /var/run/log 323of various chroot filespaces. 324File permissions for socket can be specified in octal representation in 325.Ar mode , 326delimited with a colon. 327The socket location must be specified as an absolute pathname in 328.Ar path . 329.It Fl s 330Operate in secure mode. 331Do not log messages from remote machines. 332If specified twice, 333no network socket will be opened at all, 334which also disables logging to remote machines. 335.It Fl T 336Always use the local time and date for messages received from the network, 337instead of the timestamp field supplied in the message by the remote host. 338This is useful if some of the originating hosts cannot keep time properly 339or are unable to generate a correct timestamp. 340.It Fl u 341Unique priority logging. 342Only log messages at the specified priority. 343Without this option, 344messages at the stated priority or higher are logged. 345This option changes the default comparison from 346.Dq => 347to 348.Dq = . 349.It Fl v 350Verbose logging. 351If specified once, 352the numeric facility and priority are 353logged with each locally-written message. 354If specified more than once, 355the names of the facility and priority are logged with each locally-written 356message. 357.Pp 358This option only affects the formatting of RFC 3164 messages. 359Messages formatted according to RFC 5424 always include a 360facility/priority number. 361.El 362.Pp 363The 364.Nm 365utility reads its configuration file when it starts up and whenever it 366receives a hangup signal. 367For information on the format of the configuration file, 368see 369.Xr syslog.conf 5 . 370.Pp 371The 372.Nm 373utility reads messages from the 374.Ux 375domain sockets 376.Pa /var/run/log 377and 378.Pa /var/run/logpriv , 379from an Internet domain socket specified in 380.Pa /etc/services , 381and from the special device 382.Pa /dev/klog 383.Pq to read kernel messages . 384.Pp 385The 386.Nm 387utility creates its process ID file, 388by default 389.Pa /var/run/syslog.pid , 390and stores its process 391ID there. 392This can be used to kill or reconfigure 393.Nm . 394.Pp 395The message sent to 396.Nm 397should consist of a single line. 398The message can contain a priority code, 399which should be a preceding 400decimal number in angle braces, 401for example, 402.Sq Aq 5 . 403This priority code should map into the priorities defined in the 404include file 405.In sys/syslog.h . 406.Pp 407For security reasons, 408.Nm 409will not append to log files that do not exist 410.Po unless Fl C 411option is specified 412.Pc ; 413therefore, they must be created manually before running 414.Nm . 415.Pp 416The date and time are taken from the received message. 417If the format of the timestamp field is incorrect, 418time obtained from the local host is used instead. 419This can be overridden by the 420.Fl T 421flag. 422.Sh FILES 423.Bl -tag -width /var/run/syslog.pid -compact 424.It Pa /etc/syslog.conf 425configuration file 426.It Pa /var/run/syslog.pid 427default process ID file 428.It Pa /var/run/log 429name of the 430.Ux 431domain datagram log socket 432.It Pa /var/run/logpriv 433.Ux 434socket for privileged applications 435.It Pa /dev/klog 436kernel log device 437.El 438.Sh SEE ALSO 439.Xr logger 1 , 440.Xr syslog 3 , 441.Xr services 5 , 442.Xr syslog.conf 5 , 443.Xr newsyslog 8 444.Sh HISTORY 445The 446.Nm 447utility appeared in 448.Bx 4.3 . 449.Pp 450The 451.Fl a , 452.Fl s , 453.Fl u , 454and 455.Fl v 456options are 457.Fx 2.2 458extensions. 459.Sh BUGS 460The ability to log messages received in UDP packets is equivalent to 461an unauthenticated remote disk-filling service, 462and should probably be disabled by default. 463Some sort of 464.No inter- Ns Nm syslogd 465authentication mechanism ought to be worked out. 466To prevent the worst abuse, 467use of the 468.Fl a 469option is therefore highly recommended. 470.Pp 471The 472.Fl a 473matching algorithm does not pretend to be very efficient; 474use of numeric IP addresses is faster than domain name comparison. 475Since the allowed peer list is being walked linearly, 476peer groups where frequent messages are being anticipated 477from should be put early into the 478.Fl a 479list. 480.Pp 481The log socket was moved from 482.Pa /dev 483to ease the use of a read-only root file system. 484This may confuse 485some old binaries so that a symbolic link might be used for a 486transitional period. 487