syslogd is a system service that provides error logging facility. Messages are read from the UNIX domain socket /dev/log, from an Internet domain socket specified in /etc/services, and from the special device /dev/klog (to read kernel messages).
syslogd creates the file /var/run/syslog.pid, and stores its process id there. This can be used to kill or reconfigure syslogd.
The message sent to syslogd should consist of a single line.
The message can contain a priority code, which should be a preceding
decimal number in angle braces, for example, <5>
. This
priority code should map into the priorities defined in the include
file sys/syslog.h
.
syslogd [options]...
syslogd reads its configuration file when it starts up and whenever it receives a hangup signal. The syslog.conf file is the configuration file for the syslogd program. It consists of lines with two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies the action to be taken if a message syslogd receives matches the selection criteria. The selector field is separated from the action field by one or more tab or space characters. A rule can be splitted in several lines if all lines except the last are terminated with a backslash ‘\’.
The Selectors function are encoded as a facility, a period (‘.’), and a level, with no intervening white-space. Both the facility and the level are case insensitive.
The facility describes the part of the system generating the message, and is one of the following keywords: ‘auth’, ‘authpriv’, ‘cron’, ‘daemon’, ‘kern’, ‘lpr’, ‘mail’, ‘mark’, ‘news’, ‘syslog’, ‘user’, ‘uucp’ and ‘local0’ through ‘local7’. These keywords (with the exception of ‘mark’) correspond to the similar ‘LOG_’ values specified to the ‘openlog’ and ‘syslog’ library routines. See Syslog, for details.
The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): ‘emerg’, ‘alert’, ‘crit’, ‘err, warning’, ‘notice’ and ‘debug’. These keywords correspond to the similar ‘LOG_’ values specified to the syslog library routine.
See syslog and vsyslog, for a further descriptions of both the facility and level keywords and their significance.
If a received message matches the specified facility and is of the specified level (or a higher level), the action specified in the action field will be taken.
Multiple selectors may be specified for a single action by separating them with semicolon (‘;’) characters. It is important to note, however, that each selector can modify the ones preceding it.
Multiple facilities may be specified for a single level by separating them with comma (‘,’) characters.
An asterisk (‘*’) can be used to specify all facilities or all levels. Two asterisks (‘**’) specifie all facilities not named previously in the configuration file.
By default, a level applies to all messages with the same or higher level. The equal (‘=’) character can be prepended to a level to restrict this line of the configuration file to messages with the very same level.
An exclamation mark (‘!’) prepended to a level or the asterisk means that this line of the configuration file does not apply to the specified level (and higher ones). In conjunction with the equal sign, you can exclude single levels as well.
The special facility ‘mark’ receives a message at priority ‘info’ every 20 minutes. This is not enabled by a facility field containing an asterisk.
The special level ‘none’ disables a particular facility.
The action field of each line specifies the action to be taken when the selector field selects a message. There are five forms:
You may prepend a minus (‘-’) to the path to omit syncing the file after each message log. This can cause data loss at system crashes, but increases performance for programs which use logging extensively.
Blank lines and lines whose first non-blank character is a hash (‘#’) character are ignored.
A configuration file might appear as follows:
# Log all kernel messages, authentication messages of # level notice or higher and anything of level err or # higher to the console. # Don't log private authentication messages! *.err;kern.*;auth.notice;authpriv.none /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Everybody gets emergency messages, plus log them on another # machine. *.emerg * *.emerg @arpa.berkeley.edu # Root and Eric get alert and higher messages. *.alert root,eric # Save mail and news errors of level err and higher in a # special file. uucp,news.crit /var/log/spoolerr
The effects of multiple selectors are sometimes not intuitive. For example ‘mail.crit,*.err’ will select the ‘mail’ facility messages at the level of ‘err’ or higher, not at the level of ‘crit’ or higher.