1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" from: @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 29.\" $OpenBSD: syslog.conf.5,v 1.24 2014/01/20 05:07:48 schwarze Exp $ 30.\" $NetBSD: syslog.conf.5,v 1.4 1996/01/02 17:41:46 perry Exp $ 31.\" 32.Dd $Mdocdate: January 20 2014 $ 33.Dt SYSLOG.CONF 5 34.Os 35.Sh NAME 36.Nm syslog.conf 37.Nd 38.Xr syslogd 8 39configuration file 40.Sh DESCRIPTION 41The 42.Nm syslog.conf 43file is the configuration file for the 44.Xr syslogd 8 45program. 46It consists of blocks of lines separated by 47.Em program 48specifications, with each line containing two fields: the 49.Em selector 50field which specifies the types of messages and priorities to which the 51line applies, and an 52.Em action 53field which specifies the action to be taken if a message 54.Xr syslogd 8 55receives matches the selection criteria. 56The 57.Em selector 58field is separated from the 59.Em action 60field by one or more tab characters. 61.Pp 62The 63.Em selectors 64are encoded as a 65.Em facility , 66a period 67.Pq Ql \&. , 68and a 69.Em level , 70with no intervening whitespace. 71Both the 72.Em facility 73and the 74.Em level 75are case insensitive. 76.Pp 77The 78.Em facility 79describes the part of the system generating the message, and is one of 80the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, 81mark, news, syslog, user, uucp and local0 through local7. 82These keywords (with the exception of mark) correspond to the 83similar 84.Dq Dv LOG_ 85values specified to the 86.Xr openlog 3 87and 88.Xr syslog 3 89library routines. 90.Pp 91The 92.Em level 93describes the severity of the message, and is a keyword from the 94following ordered list (highest to lowest): emerg, alert, crit, err, 95warning, notice, info and debug. 96These keywords correspond to the 97similar 98.Pq Dv LOG_ 99values specified to the 100.Xr syslog 3 101library routine. 102.Pp 103Each block of lines is separated from the previous block by a tag. 104The tag is a line beginning with 105.Em !prog 106and each block will be associated with calls to syslog from that specific 107program. 108When a message matches multiple blocks, the action of each matching 109block is taken. 110If no tag is specified at the beginning of the file, 111every line is checked for a match and acted upon 112.Pq at least until a tag is found . 113.Pp 114.Em !!prog 115causes the subsequent block to abort evaluation when a message matches, 116ensuring that only a single set of actions is taken. 117.Em !*\& 118can be used to ensure that any ensuing blocks are further evaluated 119(i.e. cancelling the effect of a 120.Em !prog 121or 122.Em !!prog ) . 123.Pp 124See 125.Xr syslog 3 126for further descriptions of both the 127.Em facility 128and 129.Em level 130keywords and their significance. 131It's recommended that selections be made on 132.Em facility 133rather than 134.Em program , 135since the latter can easily vary in a networked environment. 136In some cases, though, an appropriate 137.Em facility 138simply doesn't exist. 139.Pp 140If a received message matches the specified 141.Em facility 142and is of the specified 143.Em level 144.Pq Em or a higher level , 145and the first word in the message after the date matches the 146.Em program , 147the action specified in the 148.Em action 149field will be taken. 150.Pp 151Multiple 152.Em selectors 153may be specified for a single 154.Em action 155by separating them with semicolon 156.Pq Ql \&; 157characters. 158It is important to note, however, that each 159.Em selector 160can modify the ones preceding it. 161.Pp 162Multiple 163.Em facilities 164may be specified for a single 165.Em level 166by separating them with comma 167.Pq Ql \&, 168characters. 169.Pp 170An asterisk 171.Pq Ql * 172can be used to specify all 173.Em facilities , 174all 175.Em levels 176or all 177.Em programs . 178.Pp 179The special 180.Em facility 181.Dq mark 182receives a message at priority 183.Dq info 184every 20 minutes (see 185.Xr syslogd 8 ) . 186This is not enabled by a 187.Em facility 188field containing an asterisk. 189.Pp 190The special 191.Em level 192.Dq none 193disables a particular 194.Em facility . 195.Pp 196The 197.Em action 198field of each line specifies the action to be taken when the 199.Em selector 200field selects a message. 201There are six forms: 202.Bl -bullet 203.It 204A pathname (beginning with a leading slash). 205Selected messages are appended to the file. 206.It 207A pipe to another program (beginning with a leading pipe symbol). 208The given program is started and presented the selected messages 209on its standard input. 210If the program exits, 211.Xr syslogd 8 212tries to restart it. 213.It 214A hostname (preceded by an at 215.Pq Ql @ 216sign). 217Selected messages are forwarded to the 218.Xr syslogd 8 219program on the named host. 220A port number may be optionally specified using the 221.Ar host:port 222syntax. 223.It 224A comma separated list of users. 225Selected messages are written to those users 226if they are logged in. 227.It 228An asterisk. 229Selected messages are written to all logged-in users. 230.It 231A colon, followed by a memory buffer size 232.Pq in kilobytes , 233followed by another colon, followed by a buffer name. 234Selected messages are written to an in-memory buffer that may be read using 235.Xr syslogc 8 . 236Memory buffered logging is useful to provide access to log data on devices 237that lack local storage (e.g. diskless workstations or routers). 238The largest allowed buffer size is 256kb. 239.El 240.Pp 241Blank lines and lines whose first non-blank character is a hash 242.Pq Ql # 243character are ignored. 244.Sh FILES 245.Bl -tag -width /etc/syslog.conf -compact 246.It Pa /etc/syslog.conf 247The 248.Xr syslogd 8 249configuration file. 250.El 251.Sh EXAMPLES 252A configuration file might appear as follows: 253.Bd -literal 254# Log info (and higher) messages from spamd only to 255# a dedicated file, discarding debug messages. 256# Matching messages abort evaluation of further rules. 257!!spamd 258daemon.info /var/log/spamd 259daemon.debug /dev/null 260!* 261 262# Log all kernel messages, authentication messages of 263# level notice or higher and anything of level err or 264# higher to the console. 265# Don't log private authentication messages! 266*.err;kern.*;auth.notice;authpriv.none /dev/console 267 268# Log anything (except mail) of level info or higher. 269# Don't log private authentication messages! 270*.info;mail.none;authpriv.none /var/log/messages 271 272# The authpriv file has restricted access. 273authpriv.* /var/log/secure 274 275# Log all the mail messages in one place. 276mail.* /var/log/maillog 277 278# Everybody gets emergency messages, plus log them on another 279# machine. 280*.emerg * 281*.emerg @arpa.berkeley.edu 282 283# Root and Eric get alert and higher messages. 284*.alert root,eric 285 286# Save mail and news errors of level err and higher in a 287# special file. 288mail,news.err /var/log/spoolerr 289 290# Save ftpd transactions along with mail and news 291!ftpd 292*.* /var/log/spoolerr 293 294# Keep a copy of all logging in a 32k memory buffer named "debug" 295*.debug :32:debug 296 297# Store notices and authpriv messages in a 64k buffer named "important" 298*.notice,authpriv.* :64:important 299 300# feed everything to logsurfer 301*.* |/usr/local/sbin/logsurfer 302.Ed 303.Sh SEE ALSO 304.Xr syslog 3 , 305.Xr syslogc 8 , 306.Xr syslogd 8 307.Sh HISTORY 308The 309.Nm 310file appeared in 311.Bx 4.3 , 312along with 313.Xr syslogd 8 . 314.Sh BUGS 315The effects of multiple selectors are sometimes not intuitive. 316For example 317.Dq mail.crit;*.err 318will select 319.Dq mail 320facility messages at the level of 321.Dq err 322or higher, not at the level of 323.Dq crit 324or higher. 325