1 .\" Copyright (c) 1990, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
42 file is the configuration file for the
46 blocks of lines separated by
50 specifications (separations appear alone on their lines),
51 with each line containing two fields: the
53 field which specifies the types of messages and priorities to which the
56 field which specifies the action to be taken if a message
58 receives matches the selection criteria.
61 field is separated from the
63 field by one or more tab characters or spaces.
67 keyword can be used to include all files with names ending in '.conf' and not
68 beginning with a '.' contained in the directory following the keyword.
69 This keyword can only be used in the first level configuration file.
71 Note that if you use spaces as separators, your
73 might be incompatible with other Unices or Unix-like systems.
74 This functionality was added for ease of configuration
75 (e.g.\& it is possible to cut-and-paste into
77 and to avoid possible mistakes.
78 This change however preserves
79 backwards compatibility with the old style of
81 (i.e., tab characters only).
89 an optional set of comparison flags
90 .Pq Oo \&! Oc Op <=> ,
93 with no intervening white-space.
102 describes the part of the system generating the message, and is one of
103 the following keywords:
104 .Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr ,
105 .Cm mail , mark , news , ntp , security , syslog , user , uucp ,
110 These keywords (with the exception of mark) correspond to
113 values specified to the
121 may be used to specify exactly what is logged.
122 The default comparison is
126 which means that messages from the specified
128 list, and of a priority
129 level equal to or greater than
132 Comparison flags beginning with
134 will have their logical sense inverted.
137 means all levels except info and
139 has the same meaning as
144 describes the severity of the message, and is a keyword from the
145 following ordered list (higher to lower):
146 .Cm emerg , crit , alert , err , warning , notice , info
149 These keywords correspond to
152 values specified to the
156 Each block of lines is separated from the previous block by a
161 A block will only log messages corresponding to the most recent
165 specifications given.
166 Thus, with a block which selects
170 directly followed by a block that selects messages from the
173 the second block will only log messages
180 specification is a line beginning with
184 (the former is for compatibility with the previous syslogd, if one is sharing
187 and the following blocks will be associated with calls to
189 from that specific program.
194 will also match any message logged by the kernel with the prefix
200 specification works just like the previous one,
205 specification will match any message but the ones from that
207 Multiple programs may be listed, separated by commas:
209 matches messages from either program, while
211 matches all messages but those from
218 specification of the form
222 means the following blocks will be applied to messages
223 received from the specified hostname.
230 causes the following blocks to be applied to messages
231 from any host but the one specified.
232 If the hostname is given as
234 the local hostname will be used.
235 As for program specifications, multiple comma-separated
236 values may be specified for hostname specifications.
242 specification may be reset by giving the program or hostname as
247 for further descriptions of both the
251 keywords and their significance.
252 It is preferred that selections be made on
256 since the latter can easily vary in a networked environment.
258 though, an appropriate
260 simply does not exist.
262 If a received message matches the specified
264 and is of the specified
266 .Em (or a higher level) ,
267 and the first word in the message after the date matches the
269 the action specified in the
275 may be specified for a single
277 by separating them with semicolon
280 It is important to note, however, that each
282 can modify the ones preceding it.
286 may be specified for a single
288 by separating them with comma
294 can be used to specify all
304 receives a message at priority
309 This is not enabled by a
311 field containing an asterisk.
316 disables a particular
321 field of each line specifies the action to be taken when the
323 field selects a message.
324 There are five forms:
327 A pathname (beginning with a leading slash).
328 Selected messages are appended to the file.
330 To ensure that kernel messages are written to disk promptly,
334 after writing messages from the kernel.
335 Other messages are not synced explicitly.
336 You may prefix a pathname with the minus sign,
338 to forego syncing the specified file after every kernel message.
339 Note that you might lose information if the system crashes
340 immediately following a write attempt.
341 Nevertheless, using the
343 option may improve performance,
344 especially if the kernel is logging many messages.
346 A hostname (preceded by an at
349 Selected messages are forwarded to the
351 program on the named host.
352 If a port number is added after a colon
354 then that port will be used as the destination port
355 rather than the usual syslog port.
356 IPv6 addresses can be used
357 by surrounding the address portion with
365 A comma separated list of users.
366 Selected messages are written to those users
367 if they are logged in.
370 Selected messages are written to all logged-in users.
374 followed by a command to pipe the selected
376 The command is passed to
378 for evaluation, so usual shell metacharacters or input/output
379 redirection can occur.
380 (Note however that redirecting
382 buffered output from the invoked command can cause additional delays,
383 or even lost output data in case a logging subprocess exited with a
385 The command itself runs with
394 will close the pipe to the process.
395 If the process did not exit
396 voluntarily, it will be sent a
398 signal after a grace period of up to 60 seconds.
400 The command will only be started once data arrives that should be piped
402 If it exited later, it will be restarted as necessary.
404 is desired that the subprocess should get exactly one line of input only
405 (which can be very resource-consuming if there are a lot of messages
406 flowing quickly), this can be achieved by exiting after just one line of
408 If necessary, a script wrapper can be written to this effect.
410 Unless the command is a full pipeline, it is probably useful to
411 start the command with
413 so that the invoking shell process does not wait for the command to
415 Warning: the process is started under the UID invoking
417 normally the superuser.
420 Blank lines and lines whose first non-blank character is a hash
422 character are ignored.
425 is placed in the middle of the line, the
427 character and the rest of the line after it is ignored.
428 To prevent special meaning, the
430 character may be escaped with
432 in this case preceding
436 is treated as an ordinary character.
437 .Sh IMPLEMENTATION NOTES
440 facility is usually reserved for messages
441 generated by the local kernel.
442 Other messages logged with facility
444 are usually translated to facility
446 This translation can be disabled;
451 .Bl -tag -width /etc/syslog.conf -compact
452 .It Pa /etc/syslog.conf
457 A configuration file might appear as follows:
459 # Log all kernel messages, authentication messages of
460 # level notice or higher, and anything of level err or
461 # higher to the console.
462 # Don't log private authentication messages!
463 *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
465 # Log anything (except mail) of level info or higher.
466 # Don't log private authentication messages!
467 *.info;mail.none;authpriv.none /var/log/messages
469 # Log daemon messages at debug level only
470 daemon.=debug /var/log/daemon.debug
472 # The authpriv file has restricted access.
473 authpriv.* /var/log/secure
475 # Log all the mail messages in one place.
476 mail.* /var/log/maillog
478 # Everybody gets emergency messages, plus log them on another
481 *.emerg @arpa.berkeley.edu
483 # Root and Eric get alert and higher messages.
486 # Save mail and news errors of level err and higher in a
488 uucp,news.crit /var/log/spoolerr
490 # Pipe all authentication messages to a filter.
491 auth.* |exec /usr/local/sbin/authfilter
493 # Log all security messages to a separate file.
494 security.* /var/log/security
496 # Log all writes to /dev/console to a separate file.
497 console.* /var/log/console.log
499 # Save ftpd transactions along with mail and news
501 *.* /var/log/spoolerr
503 # Log ipfw messages without syncing after every message.
511 The effects of multiple
513 are sometimes not intuitive.
518 facility messages at the level of
520 or higher, not at the level of
524 In networked environments, note that not all operating systems
525 implement the same set of facilities.
527 authpriv, cron, ftp, and ntp that are known to this implementation
528 might be absent on the target system.
529 Even worse, DEC UNIX uses
530 facility number 10 (which is authpriv in this implementation) to
531 log events for their AdvFS file system.