Copyright (c) 2013 Gary Mills
Copyright (c) 2003 Sun Microsystems, Inc. All Rights Reserved.
Copyright (c) 1983 Regents of the University of California. All rights reserved. The Berkeley software License Agreement specifies the terms and conditions for redistribution.
/etc/syslog.conf
The file /etc/syslog.conf contains information used by the system log daemon, syslogd(1M), to forward a system message to appropriate log files and/or users. syslogd preprocesses this file through m4(1) to obtain the correct information for certain log files, defining LOGHOST if the address of "loghost" is the same as one of the addresses of the host that is running syslogd.
A configuration entry is composed of two TAB-separated fields:
selector action
The selector field contains a semicolon-separated list of priority specifications of the form:
facility.level [ ; facility.level ]
where facility is a system facility, or comma-separated list of facilities, and level is an indication of the severity of the condition being logged. The presence of a facility name only implies that it is available. Each individual service determines which facility it will use for logging. In particular, many facilities are only useful for syslog messages that are forwarded from other operating systems. Recognized values for facility include: kern
Messages generated by the kernel.
Messages generated by user processes. This is the default priority for messages from programs or facilities not listed in this file.
The mail system.
Various system daemons.
The authorization system: login(1), su(1M), getty(1M), among others.
The line printer spooling system: lpr(1B), lpc(1B), among others.
Designated for the USENET network news system.
Designated for the UUCP system; it does not currently use the syslog mechanism.
Designated for the BSD security/authorization system.
Designated for the file transfer system. The current version of in.ftpd(1M) does not use this facility for logging.
Designated for the network time system.
Designated for audit messages generated by systems that audit by means of syslog.
Designated for the BSD console system.
Designated for cron/at messages generated by systems that do logging through syslog. The current versions of cron and at do not use this facility for logging.
Designated for local use.
For timestamp messages produced internally by syslogd.
An asterisk indicates all facilities except for the mark facility.
Recognized values for level are (in descending order of severity): emerg
For panic conditions that would normally be broadcast to all users.
For conditions that should be corrected immediately, such as a corrupted system database.
For warnings about critical conditions, such as hard device errors.
For other errors.
For warning messages.
For conditions that are not error conditions, but may require special handling. A configuration entry with a level value of notice must appear on a separate line.
Informational messages.
For messages that are normally used only when debugging a program.
Do not send messages from the indicated facility to the selected file. For example, a selector of *.debug;mail.none sends all messages except mail messages to the selected file.
For a given facility and level, syslogd matches all messages for that level and all higher levels. For example, an entry that specifies a level of crit also logs messages at the alert and emerg levels.
The action field indicates where to forward the message. Values for this field can have one of four forms:
A filename, beginning with a leading slash, which indicates that messages specified by the selector are to be written to the specified file. The file is opened in append mode if it exists. If the file does not exist, logging silently fails for this action.
The name of a remote host, prefixed with an @, as with: @server, which indicates that messages specified by the selector are to be forwarded to the syslogd on the named host. The hostname "loghost" is treated, in the default syslog.conf, as the hostname given to the machine that logs syslogd messages. Every machine is "loghost" by default, per the hosts database. It is also possible to specify one machine on a network to be "loghost" by, literally, naming the machine "loghost". If the local machine is designated to be "loghost", then syslogd messages are written to the appropriate files. Otherwise, they are sent to the machine "loghost" on the network.
A comma-separated list of usernames, which indicates that messages specified by the selector are to be written to the named users if they are logged in.
An asterisk, which indicates that messages specified by the selector are to be written to all logged-in users.
Blank lines are ignored. Lines for which the first nonwhite character is a '#' are treated as comments.
Example 1 A Sample Configuration File
With the following configuration file:
*.notice /var/log/notice |
mail.info /var/log/notice |
*.crit /var/log/critical |
kern,mark.debug /dev/console |
kern.err @server |
*.emerg * |
*.alert root,operator |
*.alert;auth.warning /var/log/auth |
syslogd(1M) logs all mail system messages except debug messages and all notice (or higher) messages into a file named /var/log/notice. It logs all critical messages into /var/log/critical, and all kernel messages and 20-minute marks onto the system console.
Kernel messages of err (error) severity or higher are forwarded to the machine named server. Emergency messages are forwarded to all users. The users root and operator are informed of any alert messages. All messages from the authorization system of warning level or higher are logged in the file /var/log/auth.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE |
Interface Stability Stable |
at(1), crontab(1), logger(1), login(1), lp(1), lpc(1B), lpr(1B), m4(1), cron(1M), getty(1M), in.ftpd(1M), su(1M), syslogd(1M), syslog(3C), hosts(4), attributes(5)