1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by the University of 15.\" California, Berkeley and its contributors. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 33.\" $FreeBSD: src/usr.sbin/syslogd/syslog.conf.5,v 1.16.2.11 2003/03/12 22:08:15 trhodes Exp $ 34.\" $DragonFly: src/usr.sbin/syslogd/syslog.conf.5,v 1.2 2003/06/17 04:30:03 dillon Exp $ 35.\" 36.Dd June 9, 1993 37.Dt SYSLOG.CONF 5 38.Os 39.Sh NAME 40.Nm syslog.conf 41.Nd 42.Xr syslogd 8 43configuration file 44.Sh DESCRIPTION 45The 46.Nm 47file is the configuration file for the 48.Xr syslogd 8 49program. 50It consists of 51blocks of lines separated by 52.Em program 53and 54.Em hostname 55specifications (separations appear along on the line), 56with each line containing two fields: the 57.Em selector 58field which specifies the types of messages and priorities to which the 59line applies, and an 60.Em action 61field which specifies the action to be taken if a message 62.Xr syslogd 8 63receives matches the selection criteria. 64The 65.Em selector 66field is separated from the 67.Em action 68field by one or more tab characters or spaces. 69.Pp 70Note that if you use spaces as separators, your 71.Nm 72might be incompatible with other Unices or Unix-like systems. 73This functionality was added for ease of configuration 74(e.g. it is possible to cut-and-paste into 75.Nm ) , 76and to avoid possible mistakes. 77This change however preserves 78backwards compatibility with the old style of 79.Nm 80(i.e. tab characters only). 81.Pp 82The 83.Em selectors 84are encoded as a 85.Em facility , 86a period 87.Pq Dq \&. , 88an optional set of comparison flags 89.Pq Oo \&! Oc Op <=> , 90and a 91.Em level , 92with no intervening white-space. 93Both the 94.Em facility 95and the 96.Em level 97are case insensitive. 98.Pp 99The 100.Em facility 101describes the part of the system generating the message, and is one of 102the following keywords: auth, authpriv, console, cron, daemon, ftp, kern, 103lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through 104local7. 105These keywords (with the exception of mark) correspond to 106similar 107.Dq Dv LOG_ 108values specified to the 109.Xr openlog 3 110and 111.Xr syslog 3 112library routines. 113.Pp 114The 115.Em comparison flags 116may be used to specify exactly what is logged. 117The default comparison is 118.Dq => 119(or, if you prefer, 120.Dq >= ) , 121which means that messages from the specified 122.Em facility 123list, and of a priority 124level equal to or greater than 125.Em level 126will be logged. 127Comparison flags beginning with 128.Dq Li \&! 129will have their logical sense inverted. 130Thus 131.Dq !=info 132means all levels except info and 133.Dq !notice 134has the same meaning as 135.Dq <notice . 136.Pp 137The 138.Em level 139describes the severity of the message, and is a keyword from the 140following ordered list (higher to lower): emerg, alert, crit, err, 141warning, notice, info and debug. 142These keywords correspond to 143similar 144.Dq Dv LOG_ 145values specified to the 146.Xr syslog 3 147library routine. 148.Pp 149Each block of lines is separated from the previous block by a 150.Em program 151or 152.Em hostname 153specification. 154A block will only log messages corresponding to the most recent 155.Em program 156and 157.Em hostname 158specifications given. 159Thus, with a block which selects 160.Ql ppp 161as the 162.Em program , 163directly followed by a block that selects messages from the 164.Em hostname 165.Ql dialhost , 166the second block will only log messages 167from the 168.Xr ppp 8 169program on dialhost. 170.Pp 171A 172.Em program 173specification is a line beginning with 174.Ql #!prog 175or 176.Ql !prog 177(the former is for compatibility with the previous syslogd, if one is sharing 178.Nm 179files, for example) 180and the following blocks will be associated with calls to 181.Xr syslog 3 182from that specific program. 183A 184.Em program 185specification for 186.Ql foo 187will also match any message logged by the kernel with the prefix 188.Ql "foo: " . 189The 190.Ql #!+prog 191or 192.Ql !+prog 193specification works just like the previous one, 194and the 195.Ql #!-prog 196or 197.Ql !-prog 198specification will match any message but the ones from that 199program. 200A 201.Em hostname 202specification of the form 203.Ql #+hostname 204or 205.Ql +hostname 206means the following blocks will be applied to messages 207received from the specified hostname. 208Alternatively, the 209.Em hostname 210specification 211.Ql #-hostname 212or 213.Ql -hostname 214causes the following blocks to be applied to messages 215from any host but the one specified. 216If the hostname is given as 217.Ql @ , 218the local hostname will be used. 219A 220.Em program 221or 222.Em hostname 223specification may be reset by giving the program or hostname as 224.Ql * . 225.Pp 226See 227.Xr syslog 3 228for further descriptions of both the 229.Em facility 230and 231.Em level 232keywords and their significance. 233It's preferred that selections be made on 234.Em facility 235rather than 236.Em program , 237since the latter can easily vary in a networked environment. 238In some cases, 239though, an appropriate 240.Em facility 241simply doesn't exist. 242.Pp 243If a received message matches the specified 244.Em facility 245and is of the specified 246.Em level 247.Em (or a higher level) , 248and the first word in the message after the date matches the 249.Em program , 250the action specified in the 251.Em action 252field will be taken. 253.Pp 254Multiple 255.Em selectors 256may be specified for a single 257.Em action 258by separating them with semicolon 259.Pq Dq \&; 260characters. 261It is important to note, however, that each 262.Em selector 263can modify the ones preceding it. 264.Pp 265Multiple 266.Em facilities 267may be specified for a single 268.Em level 269by separating them with comma 270.Pq Dq \&, 271characters. 272.Pp 273An asterisk 274.Pq Dq * 275can be used to specify all 276.Em facilities , 277all 278.Em levels , 279or all 280.Em programs . 281.Pp 282The special 283.Em facility 284.Dq mark 285receives a message at priority 286.Dq info 287every 20 minutes 288(see 289.Xr syslogd 8 ) . 290This is not enabled by a 291.Em facility 292field containing an asterisk. 293.Pp 294The special 295.Em level 296.Dq none 297disables a particular 298.Em facility . 299.Pp 300The 301.Em action 302field of each line specifies the action to be taken when the 303.Em selector 304field selects a message. 305There are five forms: 306.Bl -bullet 307.It 308A pathname (beginning with a leading slash). 309Selected messages are appended to the file. 310.It 311A hostname (preceded by an at 312.Pq Dq @ 313sign). 314Selected messages are forwarded to the 315.Xr syslogd 8 316program on the named host. 317.It 318A comma separated list of users. 319Selected messages are written to those users 320if they are logged in. 321.It 322An asterisk. 323Selected messages are written to all logged-in users. 324.It 325A vertical bar 326.Pq Dq \&| , 327followed by a command to pipe the selected 328messages to. The command is passed to 329.Xr sh 1 330for evaluation, so usual shell metacharacters or input/output 331redirection can occur. (Note however that redirecting 332.Xr stdio 3 333buffered output from the invoked command can cause additional delays, 334or even lost output data in case a logging subprocess exited with a 335signal.) The command itself runs with 336.Em stdout 337and 338.Em stderr 339redirected to 340.Pa /dev/null . 341Upon receipt of a 342.Dv SIGHUP , 343.Xr syslogd 8 344will close the pipe to the process. If the process didn't exit 345voluntarily, it will be sent a 346.Dv SIGTERM 347signal after a grace period of up to 60 seconds. 348.Pp 349The command will only be started once data arrives that should be piped 350to it. If it exited later, it will be restarted as necessary. So if it 351is desired that the subprocess should get exactly one line of input only 352(which can be very resource-consuming if there are a lot of messages 353flowing quickly), this can be achieved by exiting after just one line of 354input. If necessary, a script wrapper can be written to this effect. 355.Pp 356Unless the command is a full pipeline, it's probably useful to 357start the command with 358.Em exec 359so that the invoking shell process does not wait for the command to 360complete. Warning: the process is started under the UID invoking 361.Xr syslogd 8 , 362normally the superuser. 363.El 364.Pp 365Blank lines and lines whose first non-blank character is a hash 366.Pq Dq # 367character are ignored. 368.Sh EXAMPLES 369A configuration file might appear as follows: 370.Bd -literal 371# Log all kernel messages, authentication messages of 372# level notice or higher, and anything of level err or 373# higher to the console. 374# Don't log private authentication messages! 375*.err;kern.*;auth.notice;authpriv.none /dev/console 376 377# Log anything (except mail) of level info or higher. 378# Don't log private authentication messages! 379*.info;mail.none;authpriv.none /var/log/messages 380 381# Log daemon messages at debug level only 382daemon.=debug /var/log/daemon.debug 383 384# The authpriv file has restricted access. 385authpriv.* /var/log/secure 386 387# Log all the mail messages in one place. 388mail.* /var/log/maillog 389 390# Everybody gets emergency messages, plus log them on another 391# machine. 392*.emerg * 393*.emerg @arpa.berkeley.edu 394 395# Root and Eric get alert and higher messages. 396*.alert root,eric 397 398# Save mail and news errors of level err and higher in a 399# special file. 400uucp,news.crit /var/log/spoolerr 401 402# Pipe all authentication messages to a filter. 403auth.* |exec /usr/local/sbin/authfilter 404 405# Save ftpd transactions along with mail and news 406!ftpd 407*.* /var/log/spoolerr 408 409# Log all security messages to a separate file. 410security.* /var/log/security 411 412# Log all writes to /dev/console to a separate file. 413console.* /var/log/console.log 414.Ed 415.Sh IMPLEMENTATION NOTES 416The 417.Dq kern 418facility is usually reserved for messages 419generated by the local kernel. 420Other messages logged with facility 421.Dq kern 422are usually translated to facility 423.Dq user . 424This translation can be disabled; 425see 426.Xr syslogd 8 427for details. 428.Sh FILES 429.Bl -tag -width /etc/syslog.conf -compact 430.It Pa /etc/syslog.conf 431.Xr syslogd 8 432configuration file 433.El 434.Sh BUGS 435The effects of multiple 436.Em selectors 437are sometimes not intuitive. 438For example 439.Dq mail.crit,*.err 440will select 441.Dq mail 442facility messages at the level of 443.Dq err 444or higher, not at the level of 445.Dq crit 446or higher. 447.Pp 448In networked environments, note that not all operating systems 449implement the same set of facilities. The facilities 450authpriv, cron, ftp, and ntp that are known to this implementation 451might be absent on the target system. Even worse, DEC UNIX uses 452facility number 10 (which is authpriv in this implementation) to 453log events for their AdvFS file system. 454.Sh SEE ALSO 455.Xr syslog 3 , 456.Xr syslogd 8 457