1.\" $OpenBSD: syslogd.8,v 1.52 2016/10/17 11:19:55 bluhm Exp $ 2.\" 3.\" Copyright (c) 1983, 1986, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93 31.\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $ 32.\" 33.Dd $Mdocdate: October 17 2016 $ 34.Dt SYSLOGD 8 35.Os 36.Sh NAME 37.Nm syslogd 38.Nd log system messages 39.Sh SYNOPSIS 40.Nm syslogd 41.Bk -words 42.Op Fl 46dFhnuVZ 43.Op Fl a Ar path 44.Op Fl C Ar CAfile 45.Op Fl c Ar cert_file 46.Op Fl f Ar config_file 47.Op Fl K Ar CAfile 48.Op Fl k Ar key_file 49.Op Fl m Ar mark_interval 50.Op Fl p Ar log_socket 51.Op Fl S Ar listen_address 52.Op Fl s Ar reporting_socket 53.Op Fl T Ar listen_address 54.Op Fl U Ar bind_address 55.Ek 56.Sh DESCRIPTION 57.Nm 58writes system messages to log files or a user's terminal. 59Output can be sent to other programs 60for further processing. 61It can also securely send and receive log messages 62to and from remote hosts. 63.Pp 64The options are as follows: 65.Bl -tag -width Ds 66.It Fl 4 67Forces 68.Nm 69to use only IPv4 addresses for UDP. 70.It Fl 6 71Forces 72.Nm 73to use only IPv6 addresses for UDP. 74.It Fl a Ar path 75Specify a location where 76.Nm 77should place an additional log socket. 78The primary use for this is to place additional log sockets in 79.Pa /dev/log 80of various chroot filespaces, though the need for these is 81less urgent after the introduction of 82.Xr sendsyslog 2 . 83.It Fl C Ar CAfile 84PEM encoded file containing CA certificates used for certificate 85validation of a remote loghost; 86the default is 87.Pa /etc/ssl/cert.pem . 88.It Fl c Ar cert_file 89PEM encoded file containing the client certificate for TLS connections 90to a remote host. 91The default is not to use a client certificate for the connection 92to a syslog server. 93This option has to be used together with 94.Fl k Ar key_file . 95.It Fl d 96Enable debugging to the standard output, 97and do not disassociate from the controlling terminal. 98.It Fl F 99Run in the foreground instead of disassociating from the controlling 100terminal and running as a background daemon. 101.It Fl f Ar config_file 102Specify the pathname of an alternate configuration file; 103the default is 104.Pa /etc/syslog.conf . 105.It Fl h 106Include the hostname when forwarding messages to a remote host. 107.It Fl K Ar CAfile 108PEM encoded file containing CA certificates used for client certificate 109validation on the local server socket. 110By default incoming connections from any TLS server are allowed. 111.It Fl k Ar key_file 112PEM encoded file containing the client private key for TLS connections 113to a remote host. 114This option has to be used together with 115.Fl c Ar cert_file . 116.It Fl m Ar mark_interval 117Select the number of minutes between 118.Dq mark 119messages; the default is 20 minutes. 120.It Fl n 121Print source addresses numerically rather than symbolically. 122This saves an address-to-name lookup for each incoming message, 123which can be useful when combined with the 124.Fl u 125option on a loghost with no DNS cache. 126Messages from the local host will still be logged with 127the symbolic local host name. 128.It Fl p Ar log_socket 129Specify the pathname of an alternate log socket to be used instead; 130the default is 131.Pa /dev/log . 132.It Fl S Ar listen_address 133Create a TLS listen socket for receiving encrypted messages and 134bind it to the specified address. 135A port number may be specified using the 136.Ar host : Ns Ar port 137syntax. 138The parameter is also used to find a suitable server key and 139certificate in 140.Pa /etc/ssl/ . 141.It Fl s Ar reporting_socket 142Specify path to an 143.Dv AF_LOCAL 144socket for use in reporting logs stored in memory buffers using 145.Xr syslogc 8 . 146.It Fl T Ar listen_address 147Create a TCP listen socket for receiving messages and bind it to 148the specified address. 149There is no well-known port for syslog over TCP, so a port number 150must be specified using the 151.Ar host : Ns Ar port 152syntax. 153.It Fl U Ar bind_address 154Create a UDP socket for receiving messages and bind it to the 155specified address. 156This can be used, for example, with a pf divert-to rule to receive 157packets when syslogd is bound to localhost. 158A port number may be specified using the 159.Ar host : Ns Ar port 160syntax. 161.It Fl u 162Select the historical 163.Dq insecure 164mode, in which syslogd will 165accept input from the UDP port. 166Some software wants this, but you can be subjected to a variety of 167attacks over the network, including attackers remotely filling logs. 168.It Fl V 169Do not perform remote server certificate and hostname validation 170when sending messages. 171.It Fl Z 172Generate timestamps in ISO format. 173This includes the year and the timezone, and all logging is done 174in UTC. 175.El 176.Pp 177.Nm 178reads its configuration file, 179.Xr syslog.conf 5 , 180when it starts up and whenever it 181receives a hangup signal. 182It creates the file 183.Pa /var/run/syslog.pid 184and stores its process ID there. 185The PID can be used to kill or reconfigure 186.Nm . 187.Pp 188.Nm 189opens a UDP socket, as specified 190in 191.Pa /etc/services , 192for sending forwarded messages. 193By default all incoming data on this socket is discarded. 194If insecure mode is switched on with 195.Fl u , 196it will also read messages from the socket. 197.Nm 198also opens and reads messages from the 199.Ux Ns -domain 200socket 201.Pa /dev/log , 202and from the special device 203.Pa /dev/klog 204(to read kernel messages), 205and from 206.Xr sendsyslog 2 207(to read messages from userland processes). 208.Pp 209The message sent to 210.Nm 211should consist of a single line. 212The message can contain a priority code, which should be a preceding 213decimal number in angle braces, for example, 214.Dq <5> . 215This priority code should map into the priorities defined in the 216include file 217.In sys/syslog.h . 218.Pp 219When sending syslog messages to a remote loghost via TLS, the 220server's certificate and hostname are validated to prevent malicious 221servers from reading messages. 222If the server has a certificate with a matching hostname signed by 223a CA in 224.Pa /etc/ssl/cert.pem , 225it is verified with that by default. 226If the server has a certificate with a matching hostname signed by 227a private CA, use the 228.Fl C 229option and put that CA into 230.Ar CAfile . 231Validation can be explicitly turned off using the 232.Fl V 233option. 234If the server is accepting messages only from clients with a trusted 235client certificate, use the 236.Fl k 237and 238.Fl c 239options to authenticate 240.Nm 241with this certificate. 242.Pp 243When receiving syslog messages from a TLS client, there must be 244a server key and certificate in 245.Pa /etc/ssl/private/host Ns Oo : Ns Ar port Oc Ns Ar .key 246and 247.Pa /etc/ssl/host Ns Oo : Ns Ar port Oc Ns Ar .crt . 248If the client uses certificates to authenticate, the CA of the 249client's certificate may be added to 250.Ar CAfile 251using the 252.Fl K 253option to protect from messages being spoofed by malicious clients. 254.Sh FILES 255.Bl -tag -width /var/run/syslog.pid -compact 256.It Pa /dev/log 257Name of the 258.Ux Ns -domain 259datagram log socket. 260.It Pa /dev/klog 261Kernel log device. 262.It Pa /etc/ssl/ 263Private keys and public certificates. 264.It Pa /etc/syslog.conf 265Configuration file. 266.It Pa /var/run/syslog.pid 267Process ID of current 268.Nm . 269.El 270.Sh SEE ALSO 271.Xr logger 1 , 272.Xr syslog 3 , 273.Xr services 5 , 274.Xr syslog.conf 5 , 275.Xr newsyslog 8 , 276.Xr syslogc 8 277.Sh HISTORY 278The 279.Nm 280command appeared in 281.Bx 4.3 . 282.Sh CAVEATS 283.Nm 284does not create files, 285it only logs to existing ones. 286