1 .\" Copyright (c) 1990, 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 4. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
42 file is the configuration file for the
46 blocks of lines separated by
50 specifications (separations appear alone on their lines),
51 with each line containing two fields: the
53 field which specifies the types of messages and priorities to which the
56 field which specifies the action to be taken if a message
58 receives matches the selection criteria.
61 field is separated from the
63 field by one or more tab characters or spaces.
65 Note that if you use spaces as separators, your
67 might be incompatible with other Unices or Unix-like systems.
68 This functionality was added for ease of configuration
69 (e.g.\& it is possible to cut-and-paste into
71 and to avoid possible mistakes.
72 This change however preserves
73 backwards compatibility with the old style of
75 (i.e., tab characters only).
83 an optional set of comparison flags
84 .Pq Oo \&! Oc Op <=> ,
87 with no intervening white-space.
96 describes the part of the system generating the message, and is one of
97 the following keywords:
98 .Cm auth , authpriv , console , cron , daemon , ftp , kern , lpr ,
99 .Cm mail , mark , news , ntp , security , syslog , user , uucp ,
104 These keywords (with the exception of mark) correspond to
107 values specified to the
115 may be used to specify exactly what is logged.
116 The default comparison is
120 which means that messages from the specified
122 list, and of a priority
123 level equal to or greater than
126 Comparison flags beginning with
128 will have their logical sense inverted.
131 means all levels except info and
133 has the same meaning as
138 describes the severity of the message, and is a keyword from the
139 following ordered list (higher to lower):
140 .Cm emerg , crit , alert , err , warning , notice , info
143 These keywords correspond to
146 values specified to the
150 Each block of lines is separated from the previous block by a
155 A block will only log messages corresponding to the most recent
159 specifications given.
160 Thus, with a block which selects
164 directly followed by a block that selects messages from the
167 the second block will only log messages
174 specification is a line beginning with
178 (the former is for compatibility with the previous syslogd, if one is sharing
181 and the following blocks will be associated with calls to
183 from that specific program.
188 will also match any message logged by the kernel with the prefix
194 specification works just like the previous one,
199 specification will match any message but the ones from that
201 Multiple programs may be listed, separated by commas:
203 matches messages from either program, while
205 matches all messages but those from
212 specification of the form
216 means the following blocks will be applied to messages
217 received from the specified hostname.
224 causes the following blocks to be applied to messages
225 from any host but the one specified.
226 If the hostname is given as
228 the local hostname will be used.
229 As for program specifications, multiple comma-separated
230 values may be specified for hostname specifications.
236 specification may be reset by giving the program or hostname as
241 for further descriptions of both the
245 keywords and their significance.
246 It is preferred that selections be made on
250 since the latter can easily vary in a networked environment.
252 though, an appropriate
254 simply does not exist.
256 If a received message matches the specified
258 and is of the specified
260 .Em (or a higher level) ,
261 and the first word in the message after the date matches the
263 the action specified in the
269 may be specified for a single
271 by separating them with semicolon
274 It is important to note, however, that each
276 can modify the ones preceding it.
280 may be specified for a single
282 by separating them with comma
288 can be used to specify all
298 receives a message at priority
303 This is not enabled by a
305 field containing an asterisk.
310 disables a particular
315 field of each line specifies the action to be taken when the
317 field selects a message.
318 There are five forms:
321 A pathname (beginning with a leading slash).
322 Selected messages are appended to the file.
324 To ensure that kernel messages are written to disk promptly,
328 after writing messages from the kernel.
329 Other messages are not synced explicitly.
330 You may prefix a pathname with the minus sign,
332 to forego syncing the specified file after every kernel message.
333 Note that you might lose information if the system crashes
334 immediately following a write attempt.
335 Nevertheless, using the
337 option may improve performance,
338 especially if the kernel is logging many messages.
340 A hostname (preceded by an at
343 Selected messages are forwarded to the
345 program on the named host.
346 If a port number is added after a colon
348 then that port will be used as the destination port
349 rather than the usual syslog port.
351 A comma separated list of users.
352 Selected messages are written to those users
353 if they are logged in.
356 Selected messages are written to all logged-in users.
360 followed by a command to pipe the selected
362 The command is passed to
364 for evaluation, so usual shell metacharacters or input/output
365 redirection can occur.
366 (Note however that redirecting
368 buffered output from the invoked command can cause additional delays,
369 or even lost output data in case a logging subprocess exited with a
371 The command itself runs with
380 will close the pipe to the process.
381 If the process did not exit
382 voluntarily, it will be sent a
384 signal after a grace period of up to 60 seconds.
386 The command will only be started once data arrives that should be piped
388 If it exited later, it will be restarted as necessary.
390 is desired that the subprocess should get exactly one line of input only
391 (which can be very resource-consuming if there are a lot of messages
392 flowing quickly), this can be achieved by exiting after just one line of
394 If necessary, a script wrapper can be written to this effect.
396 Unless the command is a full pipeline, it is probably useful to
397 start the command with
399 so that the invoking shell process does not wait for the command to
401 Warning: the process is started under the UID invoking
403 normally the superuser.
406 Blank lines and lines whose first non-blank character is a hash
408 character are ignored.
411 is placed in the middle of the line, the
413 character and the rest of the line after it is ignored.
414 To prevent special meaning, the
416 character may be escaped with
418 in this case preceding
422 is treated as an ordinary character.
423 .Sh IMPLEMENTATION NOTES
426 facility is usually reserved for messages
427 generated by the local kernel.
428 Other messages logged with facility
430 are usually translated to facility
432 This translation can be disabled;
437 .Bl -tag -width /etc/syslog.conf -compact
438 .It Pa /etc/syslog.conf
443 A configuration file might appear as follows:
445 # Log all kernel messages, authentication messages of
446 # level notice or higher, and anything of level err or
447 # higher to the console.
448 # Don't log private authentication messages!
449 *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
451 # Log anything (except mail) of level info or higher.
452 # Don't log private authentication messages!
453 *.info;mail.none;authpriv.none /var/log/messages
455 # Log daemon messages at debug level only
456 daemon.=debug /var/log/daemon.debug
458 # The authpriv file has restricted access.
459 authpriv.* /var/log/secure
461 # Log all the mail messages in one place.
462 mail.* /var/log/maillog
464 # Everybody gets emergency messages, plus log them on another
467 *.emerg @arpa.berkeley.edu
469 # Root and Eric get alert and higher messages.
472 # Save mail and news errors of level err and higher in a
474 uucp,news.crit /var/log/spoolerr
476 # Pipe all authentication messages to a filter.
477 auth.* |exec /usr/local/sbin/authfilter
479 # Log all security messages to a separate file.
480 security.* /var/log/security
482 # Log all writes to /dev/console to a separate file.
483 console.* /var/log/console.log
485 # Save ftpd transactions along with mail and news
487 *.* /var/log/spoolerr
489 # Log ipfw messages without syncing after every message.
497 The effects of multiple
499 are sometimes not intuitive.
504 facility messages at the level of
506 or higher, not at the level of
510 In networked environments, note that not all operating systems
511 implement the same set of facilities.
513 authpriv, cron, ftp, and ntp that are known to this implementation
514 might be absent on the target system.
515 Even worse, DEC UNIX uses
516 facility number 10 (which is authpriv in this implementation) to
517 log events for their AdvFS file system.