1 .\" Copyright (c) 1990, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. All advertising materials mentioning features or use of this software
13 .\" must display the following acknowledgement:
14 .\" This product includes software developed by the University of
15 .\" California, Berkeley and its contributors.
16 .\" 4. Neither the name of the University nor the names of its contributors
17 .\" may be used to endorse or promote products derived from this software
18 .\" without specific prior written permission.
20 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
33 .\" $FreeBSD: src/usr.sbin/syslogd/syslog.conf.5,v 1.16.2.11 2003/03/12 22:08:15 trhodes Exp $
34 .\" $DragonFly: src/usr.sbin/syslogd/syslog.conf.5,v 1.2 2003/06/17 04:30:03 dillon Exp $
47 file is the configuration file for the
51 blocks of lines separated by
55 specifications (separations appear along on the line),
56 with each line containing two fields: the
58 field which specifies the types of messages and priorities to which the
61 field which specifies the action to be taken if a message
63 receives matches the selection criteria.
66 field is separated from the
68 field by one or more tab characters or spaces.
70 Note that if you use spaces as separators, your
72 might be incompatible with other Unices or Unix-like systems.
73 This functionality was added for ease of configuration
74 (e.g. it is possible to cut-and-paste into
76 and to avoid possible mistakes.
77 This change however preserves
78 backwards compatibility with the old style of
80 (i.e. tab characters only).
88 an optional set of comparison flags
89 .Pq Oo \&! Oc Op <=> ,
92 with no intervening white-space.
101 describes the part of the system generating the message, and is one of
102 the following keywords: auth, authpriv, console, cron, daemon, ftp, kern,
103 lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through
105 These keywords (with the exception of mark) correspond to
108 values specified to the
116 may be used to specify exactly what is logged.
117 The default comparison is
121 which means that messages from the specified
123 list, and of a priority
124 level equal to or greater than
127 Comparison flags beginning with
129 will have their logical sense inverted.
132 means all levels except info and
134 has the same meaning as
139 describes the severity of the message, and is a keyword from the
140 following ordered list (higher to lower): emerg, alert, crit, err,
141 warning, notice, info and debug.
142 These keywords correspond to
145 values specified to the
149 Each block of lines is separated from the previous block by a
154 A block will only log messages corresponding to the most recent
158 specifications given.
159 Thus, with a block which selects
163 directly followed by a block that selects messages from the
166 the second block will only log messages
173 specification is a line beginning with
177 (the former is for compatibility with the previous syslogd, if one is sharing
180 and the following blocks will be associated with calls to
182 from that specific program.
187 will also match any message logged by the kernel with the prefix
193 specification works just like the previous one,
198 specification will match any message but the ones from that
202 specification of the form
206 means the following blocks will be applied to messages
207 received from the specified hostname.
214 causes the following blocks to be applied to messages
215 from any host but the one specified.
216 If the hostname is given as
218 the local hostname will be used.
223 specification may be reset by giving the program or hostname as
228 for further descriptions of both the
232 keywords and their significance.
233 It's preferred that selections be made on
237 since the latter can easily vary in a networked environment.
239 though, an appropriate
241 simply doesn't exist.
243 If a received message matches the specified
245 and is of the specified
247 .Em (or a higher level) ,
248 and the first word in the message after the date matches the
250 the action specified in the
256 may be specified for a single
258 by separating them with semicolon
261 It is important to note, however, that each
263 can modify the ones preceding it.
267 may be specified for a single
269 by separating them with comma
275 can be used to specify all
285 receives a message at priority
290 This is not enabled by a
292 field containing an asterisk.
297 disables a particular
302 field of each line specifies the action to be taken when the
304 field selects a message.
305 There are five forms:
308 A pathname (beginning with a leading slash).
309 Selected messages are appended to the file.
311 A hostname (preceded by an at
314 Selected messages are forwarded to the
316 program on the named host.
318 A comma separated list of users.
319 Selected messages are written to those users
320 if they are logged in.
323 Selected messages are written to all logged-in users.
327 followed by a command to pipe the selected
328 messages to. The command is passed to
330 for evaluation, so usual shell metacharacters or input/output
331 redirection can occur. (Note however that redirecting
333 buffered output from the invoked command can cause additional delays,
334 or even lost output data in case a logging subprocess exited with a
335 signal.) The command itself runs with
344 will close the pipe to the process. If the process didn't exit
345 voluntarily, it will be sent a
347 signal after a grace period of up to 60 seconds.
349 The command will only be started once data arrives that should be piped
350 to it. If it exited later, it will be restarted as necessary. So if it
351 is desired that the subprocess should get exactly one line of input only
352 (which can be very resource-consuming if there are a lot of messages
353 flowing quickly), this can be achieved by exiting after just one line of
354 input. If necessary, a script wrapper can be written to this effect.
356 Unless the command is a full pipeline, it's probably useful to
357 start the command with
359 so that the invoking shell process does not wait for the command to
360 complete. Warning: the process is started under the UID invoking
362 normally the superuser.
365 Blank lines and lines whose first non-blank character is a hash
367 character are ignored.
369 A configuration file might appear as follows:
371 # Log all kernel messages, authentication messages of
372 # level notice or higher, and anything of level err or
373 # higher to the console.
374 # Don't log private authentication messages!
375 *.err;kern.*;auth.notice;authpriv.none /dev/console
377 # Log anything (except mail) of level info or higher.
378 # Don't log private authentication messages!
379 *.info;mail.none;authpriv.none /var/log/messages
381 # Log daemon messages at debug level only
382 daemon.=debug /var/log/daemon.debug
384 # The authpriv file has restricted access.
385 authpriv.* /var/log/secure
387 # Log all the mail messages in one place.
388 mail.* /var/log/maillog
390 # Everybody gets emergency messages, plus log them on another
393 *.emerg @arpa.berkeley.edu
395 # Root and Eric get alert and higher messages.
398 # Save mail and news errors of level err and higher in a
400 uucp,news.crit /var/log/spoolerr
402 # Pipe all authentication messages to a filter.
403 auth.* |exec /usr/local/sbin/authfilter
405 # Save ftpd transactions along with mail and news
407 *.* /var/log/spoolerr
409 # Log all security messages to a separate file.
410 security.* /var/log/security
412 # Log all writes to /dev/console to a separate file.
413 console.* /var/log/console.log
415 .Sh IMPLEMENTATION NOTES
418 facility is usually reserved for messages
419 generated by the local kernel.
420 Other messages logged with facility
422 are usually translated to facility
424 This translation can be disabled;
429 .Bl -tag -width /etc/syslog.conf -compact
430 .It Pa /etc/syslog.conf
435 The effects of multiple
437 are sometimes not intuitive.
442 facility messages at the level of
444 or higher, not at the level of
448 In networked environments, note that not all operating systems
449 implement the same set of facilities. The facilities
450 authpriv, cron, ftp, and ntp that are known to this implementation
451 might be absent on the target system. Even worse, DEC UNIX uses
452 facility number 10 (which is authpriv in this implementation) to
453 log events for their AdvFS file system.