1 .\" Copyright (c) 1990, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 4. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
29 .\" $FreeBSD: src/usr.sbin/syslogd/syslog.conf.5,v 1.46 2008/12/23 17:39:24 trhodes Exp $
30 .\" $DragonFly: src/usr.sbin/syslogd/syslog.conf.5,v 1.10 2008/04/20 21:14:39 swildner Exp $
43 file is the configuration file for the
47 blocks of lines separated by
51 specifications (separations appear alone on their lines),
52 with each line containing two fields: the
54 field which specifies the types of messages and priorities to which the
57 field which specifies the action to be taken if a message
59 receives matches the selection criteria.
62 field is separated from the
64 field by one or more tab characters or spaces.
66 Note that if you use spaces as separators, your
68 might be incompatible with other Unices or Unix-like systems.
69 This functionality was added for ease of configuration
70 (e.g.\& it is possible to cut-and-paste into
72 and to avoid possible mistakes.
73 This change however preserves
74 backwards compatibility with the old style of
76 (i.e., tab characters only).
84 an optional set of comparison flags
85 .Pq Oo \&! Oc Op <=> ,
88 with no intervening white-space.
97 describes the part of the system generating the message, and is one of
98 the following keywords:
99 .Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr ,
100 .Cm mail , mark , news , ntp , security , syslog , user , uucp ,
105 These keywords (with the exception of mark) correspond to
108 values specified to the
116 may be used to specify exactly what is logged.
117 The default comparison is
121 which means that messages from the specified
123 list, and of a priority
124 level equal to or greater than
127 Comparison flags beginning with
129 will have their logical sense inverted.
132 means all levels except info and
134 has the same meaning as
139 describes the severity of the message, and is a keyword from the
140 following ordered list (higher to lower):
141 .Cm emerg , crit , alert , err , warning , notice , info
144 These keywords correspond to
147 values specified to the
151 Each block of lines is separated from the previous block by a
156 A block will only log messages corresponding to the most recent
160 specifications given.
161 Thus, with a block which selects
165 directly followed by a block that selects messages from the
168 the second block will only log messages
175 specification is a line beginning with
179 (the former is for compatibility with the previous syslogd, if one is sharing
182 and the following blocks will be associated with calls to
184 from that specific program.
189 will also match any message logged by the kernel with the prefix
195 specification works just like the previous one,
200 specification will match any message but the ones from that
202 Multiple programs may be listed, separated by commas:
204 matches messages from either program, while
206 matches all messages but those from
213 specification of the form
217 means the following blocks will be applied to messages
218 received from the specified hostname.
225 causes the following blocks to be applied to messages
226 from any host but the one specified.
227 If the hostname is given as
229 the local hostname will be used.
230 As for program specifications, multiple comma-separated
231 values may be specified for hostname specifications.
237 specification may be reset by giving the program or hostname as
242 for further descriptions of both the
246 keywords and their significance.
247 It is preferred that selections be made on
251 since the latter can easily vary in a networked environment.
253 though, an appropriate
255 simply does not exist.
257 If a received message matches the specified
259 and is of the specified
261 .Em (or a higher level) ,
262 and the first word in the message after the date matches the
264 the action specified in the
270 may be specified for a single
272 by separating them with semicolon
275 It is important to note, however, that each
277 can modify the ones preceding it.
281 may be specified for a single
283 by separating them with comma
289 can be used to specify all
299 receives a message at priority
304 This is not enabled by a
306 field containing an asterisk.
311 disables a particular
316 field of each line specifies the action to be taken when the
318 field selects a message.
319 There are five forms:
322 A pathname (beginning with a leading slash).
323 Selected messages are appended to the file.
325 To ensure that kernel messages are written to disk promptly,
329 after writing messages from the kernel.
330 Other messages are not synced explicitly.
331 You may prefix a pathname with the minus sign,
333 to forego syncing the specified file after every kernel message.
334 Note that you might lose information if the system crashes
335 immediately following a write attempt.
336 Nevertheless, using the
338 option may improve performance,
339 especially if the kernel is logging many messages.
341 A hostname (preceded by an at
344 Selected messages are forwarded to the
346 program on the named host.
347 If a port number is added after a colon
349 then that port will be used as the destination port
350 rather than the usual syslog port.
352 A comma separated list of users.
353 Selected messages are written to those users
354 if they are logged in.
357 Selected messages are written to all logged-in users.
361 followed by a pathname (beginning with a leading slash). Selected messages
362 are written to a circular log file.
365 for a discussion of circular log files.
369 followed by a command to pipe the selected
371 The command is passed to
373 for evaluation, so usual shell metacharacters or input/output
374 redirection can occur.
375 (Note however that redirecting
377 buffered output from the invoked command can cause additional delays,
378 or even lost output data in case a logging subprocess exited with a
380 The command itself runs with
389 will close the pipe to the process.
390 If the process did not exit
391 voluntarily, it will be sent a
393 signal after a grace period of up to 60 seconds.
395 The command will only be started once data arrives that should be piped
397 If it exited later, it will be restarted as necessary.
399 is desired that the subprocess should get exactly one line of input only
400 (which can be very resource-consuming if there are a lot of messages
401 flowing quickly), this can be achieved by exiting after just one line of
403 If necessary, a script wrapper can be written to this effect.
405 Unless the command is a full pipeline, it is probably useful to
406 start the command with
408 so that the invoking shell process does not wait for the command to
410 Warning: the process is started under the UID invoking
412 normally the superuser.
415 Blank lines and lines whose first non-blank character is a hash
417 character are ignored.
420 is placed in the middle of the line, the
422 character and the rest of the line after it is ignored.
423 To prevent special meaning, the
425 character may be escaped with
427 in this case preceding
431 is treated as an ordinary character.
432 .Sh IMPLEMENTATION NOTES
435 facility is usually reserved for messages
436 generated by the local kernel.
437 Other messages logged with facility
439 are usually translated to facility
441 This translation can be disabled;
446 .Bl -tag -width /etc/syslog.conf -compact
447 .It Pa /etc/syslog.conf
452 A configuration file might appear as follows:
454 # Log all kernel messages, authentication messages of
455 # level notice or higher, and anything of level err or
456 # higher to the console.
457 # Don't log private authentication messages!
458 *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
460 # Log anything (except mail) of level info or higher.
461 # Don't log private authentication messages!
462 *.info;mail.none;authpriv.none /var/log/messages
464 # Log daemon messages at debug level only
465 daemon.=debug /var/log/daemon.debug
467 # The authpriv file has restricted access.
468 authpriv.* /var/log/secure
470 # Log all the mail messages in one place.
471 mail.* /var/log/maillog
473 # Everybody gets emergency messages, plus log them on another
476 *.emerg @arpa.berkeley.edu
478 # Root and Eric get alert and higher messages.
481 # Save mail and news errors of level err and higher in a
483 uucp,news.crit /var/log/spoolerr
485 # Pipe all authentication messages to a filter.
486 auth.* |exec /usr/local/sbin/authfilter
488 # Save ftpd transactions along with mail and news
490 *.* /var/log/spoolerr
492 # Log all security messages to a separate file.
493 security.* /var/log/security
495 # Log all writes to /dev/console to a separate file.
496 console.* /var/log/console.log
498 # Log ipfw messages without syncing after every message.
506 The effects of multiple
508 are sometimes not intuitive.
513 facility messages at the level of
515 or higher, not at the level of
519 In networked environments, note that not all operating systems
520 implement the same set of facilities.
522 authpriv, cron, ftp, and ntp that are known to this implementation
523 might be absent on the target system.
526 uses facility number 10 (which is authpriv in this implementation) to
527 log events for their AdvFS file system.