1.\" Copyright (c) 1983, 1986, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd July 2, 2018 29.Dt SYSLOGD 8 30.Os 31.Sh NAME 32.Nm syslogd 33.Nd log systems messages 34.Sh SYNOPSIS 35.Nm 36.Op Fl 468ACcdFHkNnosTuv 37.Op Fl a Ar allowed_peer 38.Op Fl b Ar bind_address 39.Op Fl f Ar config_file 40.Op Fl l Oo Ar mode Ns \&: Oc Ns Ar path 41.Op Fl M Ar fwd_length 42.Op Fl m Ar mark_interval 43.Op Fl O Ar format 44.Op Fl P Ar pid_file 45.Op Fl p Ar log_socket 46.Op Fl S Ar logpriv_socket 47.Sh DESCRIPTION 48The 49.Nm 50utility reads and logs messages to the system console, 51log files, 52other 53machines and/or users as specified by its configuration file. 54.Pp 55The options are as follows: 56.Bl -tag -width indent 57.It Fl 4 58Force 59.Nm 60to use IPv4 addresses only. 61.It Fl 6 62Force 63.Nm 64to use IPv6 addresses only. 65.It Fl 8 66Tells 67.Nm 68not to interfere with 8-bit data. 69Normally 70.Nm 71will replace C1 control characters 72.Pq ISO 8859 and Unicode characters 73with their 74.Dq M- Ns Em x 75equivalent. 76Note, this option does not change the way 77.Nm 78alters control characters 79.Pq see Xr iscntrl 3 . 80They will always be replaced with their 81.Dq ^ Ns Em x 82equivalent. 83.It Fl A 84Ordinarily, 85.Nm 86tries to send the message to only one address 87even if the host has more than one A or AAAA record. 88If this option is specified, 89.Nm 90tries to send the message to all addresses. 91.It Fl a Ar allowed_peer 92Allow 93.Ar allowed_peer 94to log to this 95.Nm 96using UDP datagrams. 97Multiple 98.Fl a 99options may be specified. 100.Pp 101The 102.Ar allowed_peer 103option may be any of the following: 104.Bl -tag -width "ipaddr[/prefixlen][:service]XX" 105.It Xo 106.Sm off 107.Ar ipaddr 108.Op / Ar masklen 109.Op \&: Ar service 110.Pp 111.Ar ipaddr 112.Op / Ar prefixlen 113.Op \&: Ar service 114.Sm on 115.Xc 116Accept datagrams from 117.Ar ipaddr , 118.Ar ipaddr 119can be specified as an IPv4 address or as an IPv6 120address enclosed with 121.Ql \&[ 122and 123.Ql \&] . 124If specified, 125.Ar service 126is the name or number of an UDP service (see 127.Xr services 5 ) 128the source packet must belong to. 129A 130.Ar service 131of 132.Ql \&* 133accepts UDP packets from any source port. 134The default 135.Ar service 136is 137.Ql syslog . 138If 139.Ar ipaddr 140is IPv4 address, a missing 141.Ar masklen 142will be substituted by the historic class A or class B netmasks if 143.Ar ipaddr 144belongs into the address range of class A or B, 145respectively, 146or by 24 otherwise. 147If 148.Ar ipaddr 149is IPv6 address, 150a missing 151.Ar masklen 152will be substituted by 128. 153.It Xo 154.Sm off 155.Ar domainname Op \&: Ar service 156.Sm on 157.Xc 158Accept datagrams where the reverse address lookup yields 159.Ar domainname 160for the sender address. 161The meaning of 162.Ar service 163is as explained above. 164.Ar domainname 165can contain special characters of a shell-style pattern such as 166.Ql Li \&* . 167.El 168.Pp 169The 170.Fl a 171options are ignored if the 172.Fl s 173option is also specified. 174.It Xo 175.Fl b 176.Sm off 177.Ar bind_address Op \&: Ar service 178.Sm on 179.Xc 180.It Xo 181.Fl b 182.Sm off 183.Li \&: Ar service 184.Sm on 185.Xc 186Bind to a specific address and/or port. 187The address can be specified as a hostname, 188and the port as a service name. 189If an IPv6 address is specified, it should be enclosed with 190.Ql \&[ 191and 192.Ql \&] . 193The default 194.Ar service 195is 196.Ql syslog . 197This option can be specified multiple times to bind to 198multiple addresses and/or ports. 199.It Fl C 200Create log files that do not exist 201.Pq permission is set to Ql Li 0600 . 202.It Fl c 203Disable the compression of repeated instances of the same line 204into a single line of the form 205.Dq Li "last message repeated N times" 206when the output is a pipe to another program. 207If specified twice, 208disable this compression in all cases. 209.It Fl d 210Put 211.Nm 212into debugging mode. 213This is probably only of use to developers working on 214.Nm . 215.It Fl f Ar config_file 216Specify the pathname of an alternate configuration file; 217the default is 218.Pa /etc/syslog.conf . 219.It Fl F 220Run 221.Nm 222in the foreground, 223rather than going into daemon mode. 224This is useful if some other process uses 225.Xr fork 2 226and 227.Xr exec 3 228to run 229.Nm , 230and wants to monitor when and how it exits. 231.It Fl H 232When logging remote messages use hostname from the message (if supplied) 233instead of using address from which the message was received. 234.It Fl k 235Disable the translation of 236messages received with facility 237.Dq kern 238to facility 239.Dq user . 240Usually the 241.Dq kern 242facility is reserved for messages read directly from 243.Pa /dev/klog . 244.It Fl M Ar fwd_length 245Set the limit on the length of forwarded messages. 246The minimum is 480 octets. 247The maximum for RFC 3164 output format is 1024 octets. 248The default is 1024 octets. 249.It Fl m Ar mark_interval 250Select the number of minutes between 251.Dq mark 252messages; 253the default is 20 minutes. 254.It Fl N 255Disable binding on UDP sockets. 256RFC 3164 recommends that outgoing 257.Nm 258messages should originate from the privileged port, 259this option 260.Em disables 261the recommended behavior. 262This option inherits 263.Fl s . 264.It Fl n 265Disable DNS query for every request. 266.It Fl O Ar format 267Select the output format of generated log messages. 268The values 269.Ar bsd 270and 271.Ar rfc3164 272are used to generate legacy RFC 3164 log messages. 273The value 274.Ar rfc3164-strict 275is used to generate log messages using the RFC 3164 recommended format, 276where messages sent over the network include the hostname, 277and messages forwarded by a relay exclude the 278.Dq Forwarded from 279field. 280The values 281.Ar syslog 282and 283.Ar rfc5424 284are used to generate RFC 5424 log messages, 285having RFC 3339 timestamps with microsecond precision. 286The default is to generate legacy RFC 3164 log messages. 287.It Fl o 288Prefix kernel messages with the full kernel boot file as determined by 289.Xr getbootfile 3 . 290Without this, the kernel message prefix is always 291.Dq Li kernel: . 292.It Fl p Ar log_socket 293Specify the pathname of an alternate log socket to be used instead; 294the default is 295.Pa /var/run/log . 296When a single 297.Fl p 298option is specified, 299the default pathname is replaced with the specified one. 300When two or more 301.Fl p 302options are specified, 303the remaining pathnames are treated as additional log sockets. 304.It Fl P Ar pid_file 305Specify an alternative file in which to store the process ID. 306The default is 307.Pa /var/run/syslog.pid . 308.It Fl S Ar logpriv_socket 309Specify the pathname of an alternate log socket for privileged 310applications to be used instead; 311the default is 312.Pa /var/run/logpriv . 313When a single 314.Fl S 315option is specified, 316the default pathname is replaced with the specified one. 317When two or more 318.Fl S 319options are specified, 320the remaining pathnames are treated as additional log sockets. 321.It Fl l Oo Ar mode Ns \&: Oc Ns Ar path 322Specify a location where 323.Nm 324should place an additional log socket. 325The primary use for this is to place additional log sockets in 326.Pa /var/run/log 327of various chroot filespaces. 328File permissions for socket can be specified in octal representation in 329.Ar mode , 330delimited with a colon. 331The socket location must be specified as an absolute pathname in 332.Ar path . 333.It Fl s 334Operate in secure mode. 335Do not log messages from remote machines. 336If specified twice, 337no network socket will be opened at all, 338which also disables logging to remote machines. 339.It Fl T 340Always use the local time and date for messages received from the network, 341instead of the timestamp field supplied in the message by the remote host. 342This is useful if some of the originating hosts cannot keep time properly 343or are unable to generate a correct timestamp. 344.It Fl u 345Unique priority logging. 346Only log messages at the specified priority. 347Without this option, 348messages at the stated priority or higher are logged. 349This option changes the default comparison from 350.Dq => 351to 352.Dq = . 353.It Fl v 354Verbose logging. 355If specified once, 356the numeric facility and priority are 357logged with each locally-written message. 358If specified more than once, 359the names of the facility and priority are logged with each locally-written 360message. 361.Pp 362This option only affects the formatting of RFC 3164 messages. 363Messages formatted according to RFC 5424 always include a 364facility/priority number. 365.El 366.Pp 367The 368.Nm 369utility reads its configuration file when it starts up and whenever it 370receives a hangup signal. 371For information on the format of the configuration file, 372see 373.Xr syslog.conf 5 . 374.Pp 375The 376.Nm 377utility reads messages from the 378.Ux 379domain sockets 380.Pa /var/run/log 381and 382.Pa /var/run/logpriv , 383from an Internet domain socket specified in 384.Pa /etc/services , 385and from the special device 386.Pa /dev/klog 387.Pq to read kernel messages . 388.Pp 389The 390.Nm 391utility creates its process ID file, 392by default 393.Pa /var/run/syslog.pid , 394and stores its process 395ID there. 396This can be used to kill or reconfigure 397.Nm . 398.Pp 399The message sent to 400.Nm 401should consist of a single line. 402The message can contain a priority code, 403which should be a preceding 404decimal number in angle braces, 405for example, 406.Sq Aq 5 . 407This priority code should map into the priorities defined in the 408include file 409.In sys/syslog.h . 410.Pp 411For security reasons, 412.Nm 413will not append to log files that do not exist 414.Po unless Fl C 415option is specified 416.Pc ; 417therefore, they must be created manually before running 418.Nm . 419.Pp 420The date and time are taken from the received message. 421If the format of the timestamp field is incorrect, 422time obtained from the local host is used instead. 423This can be overridden by the 424.Fl T 425flag. 426.Sh FILES 427.Bl -tag -width /var/run/syslog.pid -compact 428.It Pa /etc/syslog.conf 429configuration file 430.It Pa /var/run/syslog.pid 431default process ID file 432.It Pa /var/run/log 433name of the 434.Ux 435domain datagram log socket 436.It Pa /var/run/logpriv 437.Ux 438socket for privileged applications 439.It Pa /dev/klog 440kernel log device 441.El 442.Sh SEE ALSO 443.Xr logger 1 , 444.Xr syslog 3 , 445.Xr services 5 , 446.Xr syslog.conf 5 , 447.Xr newsyslog 8 448.Sh HISTORY 449The 450.Nm 451utility appeared in 452.Bx 4.3 . 453.Pp 454The 455.Fl a , 456.Fl s , 457.Fl u , 458and 459.Fl v 460options are 461.Fx 2.2 462extensions. 463.Sh BUGS 464The ability to log messages received in UDP packets is equivalent to 465an unauthenticated remote disk-filling service, 466and should probably be disabled by default. 467Some sort of 468.No inter- Ns Nm syslogd 469authentication mechanism ought to be worked out. 470To prevent the worst abuse, 471use of the 472.Fl a 473option is therefore highly recommended. 474.Pp 475The 476.Fl a 477matching algorithm does not pretend to be very efficient; 478use of numeric IP addresses is faster than domain name comparison. 479Since the allowed peer list is being walked linearly, 480peer groups where frequent messages are being anticipated 481from should be put early into the 482.Fl a 483list. 484.Pp 485The log socket was moved from 486.Pa /dev 487to ease the use of a read-only root file system. 488This may confuse 489some old binaries so that a symbolic link might be used for a 490transitional period. 491