1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgement: 14.\" This product includes software developed by the University of 15.\" California, Berkeley and its contributors. 16.\" 4. Neither the name of the University nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 33.\" $FreeBSD: src/usr.sbin/syslogd/syslog.conf.5,v 1.35 2004/07/03 18:35:53 ru Exp $ 34.\" $DragonFly: src/usr.sbin/syslogd/syslog.conf.5,v 1.9 2007/07/30 22:11:34 swildner Exp $ 35.\" 36.Dd June 9, 1993 37.Dt SYSLOG.CONF 5 38.Os 39.Sh NAME 40.Nm syslog.conf 41.Nd 42.Xr syslogd 8 43configuration file 44.Sh DESCRIPTION 45The 46.Nm 47file is the configuration file for the 48.Xr syslogd 8 49program. 50It consists of 51blocks of lines separated by 52.Em program 53and 54.Em hostname 55specifications (separations appear along on the line), 56with each line containing two fields: the 57.Em selector 58field which specifies the types of messages and priorities to which the 59line applies, and an 60.Em action 61field which specifies the action to be taken if a message 62.Xr syslogd 8 63receives matches the selection criteria. 64The 65.Em selector 66field is separated from the 67.Em action 68field by one or more tab characters or spaces. 69.Pp 70Note that if you use spaces as separators, your 71.Nm 72might be incompatible with other Unices or Unix-like systems. 73This functionality was added for ease of configuration 74(e.g.\& it is possible to cut-and-paste into 75.Nm ) , 76and to avoid possible mistakes. 77This change however preserves 78backwards compatibility with the old style of 79.Nm 80(i.e., tab characters only). 81.Pp 82The 83.Em selectors 84are encoded as a 85.Em facility , 86a period 87.Pq Dq \&. , 88an optional set of comparison flags 89.Pq Oo \&! Oc Op <=> , 90and a 91.Em level , 92with no intervening white-space. 93Both the 94.Em facility 95and the 96.Em level 97are case insensitive. 98.Pp 99The 100.Em facility 101describes the part of the system generating the message, and is one of 102the following keywords: auth, authpriv, console, cron, daemon, ftp, kern, 103lpr, mail, mark, news, ntp, security, syslog, user, uucp and local0 through 104local7. 105These keywords (with the exception of mark) correspond to 106similar 107.Dq Dv LOG_ 108values specified to the 109.Xr openlog 3 110and 111.Xr syslog 3 112library routines. 113.Pp 114The 115.Em comparison flags 116may be used to specify exactly what is logged. 117The default comparison is 118.Dq => 119(or, if you prefer, 120.Dq >= ) , 121which means that messages from the specified 122.Em facility 123list, and of a priority 124level equal to or greater than 125.Em level 126will be logged. 127Comparison flags beginning with 128.Dq Li \&! 129will have their logical sense inverted. 130Thus 131.Dq !=info 132means all levels except info and 133.Dq !notice 134has the same meaning as 135.Dq <notice . 136.Pp 137The 138.Em level 139describes the severity of the message, and is a keyword from the 140following ordered list (higher to lower): emerg, alert, crit, err, 141warning, notice, info and debug. 142These keywords correspond to 143similar 144.Dq Dv LOG_ 145values specified to the 146.Xr syslog 3 147library routine. 148.Pp 149Each block of lines is separated from the previous block by a 150.Em program 151or 152.Em hostname 153specification. 154A block will only log messages corresponding to the most recent 155.Em program 156and 157.Em hostname 158specifications given. 159Thus, with a block which selects 160.Ql ppp 161as the 162.Em program , 163directly followed by a block that selects messages from the 164.Em hostname 165.Ql dialhost , 166the second block will only log messages 167from the 168.Xr ppp 8 169program on dialhost. 170.Pp 171A 172.Em program 173specification is a line beginning with 174.Ql #!prog 175or 176.Ql !prog 177(the former is for compatibility with the previous syslogd, if one is sharing 178.Nm 179files, for example) 180and the following blocks will be associated with calls to 181.Xr syslog 3 182from that specific program. 183A 184.Em program 185specification for 186.Ql foo 187will also match any message logged by the kernel with the prefix 188.Ql "foo: " . 189The 190.Ql #!+prog 191or 192.Ql !+prog 193specification works just like the previous one, 194and the 195.Ql #!-prog 196or 197.Ql !-prog 198specification will match any message but the ones from that 199program. 200Multiple programs may be listed, separated by commas: 201.Ql !prog1,prog2 202matches messages from either program, while 203.Ql !-prog1,prog2 204matches all messages but those from 205.Ql prog1 206or 207.Ql prog2 . 208.Pp 209A 210.Em hostname 211specification of the form 212.Ql #+hostname 213or 214.Ql +hostname 215means the following blocks will be applied to messages 216received from the specified hostname. 217Alternatively, the 218.Em hostname 219specification 220.Ql #-hostname 221or 222.Ql -hostname 223causes the following blocks to be applied to messages 224from any host but the one specified. 225If the hostname is given as 226.Ql @ , 227the local hostname will be used. 228As for program specifications, multiple comma-separated 229values may be specified for hostname specifications. 230.Pp 231A 232.Em program 233or 234.Em hostname 235specification may be reset by giving the program or hostname as 236.Ql * . 237.Pp 238See 239.Xr syslog 3 240for further descriptions of both the 241.Em facility 242and 243.Em level 244keywords and their significance. 245It's preferred that selections be made on 246.Em facility 247rather than 248.Em program , 249since the latter can easily vary in a networked environment. 250In some cases, 251though, an appropriate 252.Em facility 253simply doesn't exist. 254.Pp 255If a received message matches the specified 256.Em facility 257and is of the specified 258.Em level 259.Em (or a higher level) , 260and the first word in the message after the date matches the 261.Em program , 262the action specified in the 263.Em action 264field will be taken. 265.Pp 266Multiple 267.Em selectors 268may be specified for a single 269.Em action 270by separating them with semicolon 271.Pq Dq \&; 272characters. 273It is important to note, however, that each 274.Em selector 275can modify the ones preceding it. 276.Pp 277Multiple 278.Em facilities 279may be specified for a single 280.Em level 281by separating them with comma 282.Pq Dq \&, 283characters. 284.Pp 285An asterisk 286.Pq Dq * 287can be used to specify all 288.Em facilities , 289all 290.Em levels , 291or all 292.Em programs . 293.Pp 294The special 295.Em facility 296.Dq mark 297receives a message at priority 298.Dq info 299every 20 minutes 300(see 301.Xr syslogd 8 ) . 302This is not enabled by a 303.Em facility 304field containing an asterisk. 305.Pp 306The special 307.Em level 308.Dq none 309disables a particular 310.Em facility . 311.Pp 312The 313.Em action 314field of each line specifies the action to be taken when the 315.Em selector 316field selects a message. 317There are five forms: 318.Bl -bullet 319.It 320A pathname (beginning with a leading slash). 321Selected messages are appended to the file. 322.Pp 323To ensure that kernel messages are written to disk promptly, 324.Nm 325calls 326.Xr fsync 2 327after writing messages from the kernel. 328Other messages are not synced explicitly. 329You may prefix a pathname with the minus sign, 330.Dq - , 331to forego syncing the specified file after every kernel message. 332Note that you might lose information if the system crashes 333immediately following a write attempt. 334Nevertheless, using the 335.Dq - 336option may improve performance, 337especially if the kernel is logging many messages. 338.It 339A hostname (preceded by an at 340.Pq Dq @ 341sign). 342Selected messages are forwarded to the 343.Xr syslogd 8 344program on the named host. 345.It 346A comma separated list of users. 347Selected messages are written to those users 348if they are logged in. 349.It 350An asterisk. 351Selected messages are written to all logged-in users. 352.It 353A percent sign 354.Pq Dq \&% , 355followed by a pathname (beginning with a leading slash). Selected messages 356are written to a circular log file. 357See 358.Xr clog 8 359for a discussion of circular log files. 360.It 361A vertical bar 362.Pq Dq \&| , 363followed by a command to pipe the selected 364messages to. 365The command is passed to 366.Xr sh 1 367for evaluation, so usual shell metacharacters or input/output 368redirection can occur. 369(Note however that redirecting 370.Xr stdio 3 371buffered output from the invoked command can cause additional delays, 372or even lost output data in case a logging subprocess exited with a 373signal.) 374The command itself runs with 375.Em stdout 376and 377.Em stderr 378redirected to 379.Pa /dev/null . 380Upon receipt of a 381.Dv SIGHUP , 382.Xr syslogd 8 383will close the pipe to the process. 384If the process didn't exit 385voluntarily, it will be sent a 386.Dv SIGTERM 387signal after a grace period of up to 60 seconds. 388.Pp 389The command will only be started once data arrives that should be piped 390to it. 391If it exited later, it will be restarted as necessary. 392So if it 393is desired that the subprocess should get exactly one line of input only 394(which can be very resource-consuming if there are a lot of messages 395flowing quickly), this can be achieved by exiting after just one line of 396input. 397If necessary, a script wrapper can be written to this effect. 398.Pp 399Unless the command is a full pipeline, it's probably useful to 400start the command with 401.Em exec 402so that the invoking shell process does not wait for the command to 403complete. 404Warning: the process is started under the UID invoking 405.Xr syslogd 8 , 406normally the superuser. 407.El 408.Pp 409Blank lines and lines whose first non-blank character is a hash 410.Pq Dq # 411character are ignored. 412.Sh IMPLEMENTATION NOTES 413The 414.Dq kern 415facility is usually reserved for messages 416generated by the local kernel. 417Other messages logged with facility 418.Dq kern 419are usually translated to facility 420.Dq user . 421This translation can be disabled; 422see 423.Xr syslogd 8 424for details. 425.Sh FILES 426.Bl -tag -width /etc/syslog.conf -compact 427.It Pa /etc/syslog.conf 428.Xr syslogd 8 429configuration file 430.El 431.Sh EXAMPLES 432A configuration file might appear as follows: 433.Bd -literal 434# Log all kernel messages, authentication messages of 435# level notice or higher, and anything of level err or 436# higher to the console. 437# Don't log private authentication messages! 438*.err;kern.*;auth.notice;authpriv.none /dev/console 439 440# Log anything (except mail) of level info or higher. 441# Don't log private authentication messages! 442*.info;mail.none;authpriv.none /var/log/messages 443 444# Log daemon messages at debug level only 445daemon.=debug /var/log/daemon.debug 446 447# The authpriv file has restricted access. 448authpriv.* /var/log/secure 449 450# Log all the mail messages in one place. 451mail.* /var/log/maillog 452 453# Everybody gets emergency messages, plus log them on another 454# machine. 455*.emerg * 456*.emerg @arpa.berkeley.edu 457 458# Root and Eric get alert and higher messages. 459*.alert root,eric 460 461# Save mail and news errors of level err and higher in a 462# special file. 463uucp,news.crit /var/log/spoolerr 464 465# Pipe all authentication messages to a filter. 466auth.* |exec /usr/local/sbin/authfilter 467 468# Save ftpd transactions along with mail and news 469!ftpd 470*.* /var/log/spoolerr 471 472# Log all security messages to a separate file. 473security.* /var/log/security 474 475# Log all writes to /dev/console to a separate file. 476console.* /var/log/console.log 477 478# Log ipfw messages without syncing after every message. 479!ipfw 480*.* -/var/log/ipfw 481.Ed 482.Sh SEE ALSO 483.Xr syslog 3 , 484.Xr syslogd 8 485.Sh BUGS 486The effects of multiple 487.Em selectors 488are sometimes not intuitive. 489For example 490.Dq mail.crit,*.err 491will select 492.Dq mail 493facility messages at the level of 494.Dq err 495or higher, not at the level of 496.Dq crit 497or higher. 498.Pp 499In networked environments, note that not all operating systems 500implement the same set of facilities. 501The facilities 502authpriv, cron, ftp, and ntp that are known to this implementation 503might be absent on the target system. 504Even worse, DEC 505.Ux 506uses facility number 10 (which is authpriv in this implementation) to 507log events for their AdvFS file system. 508