xref: /netbsd-src/usr.sbin/syslogd/syslog.conf.5 (revision d48f14661dda8638fee055ba15d35bdfb29b9fa8)

.\"	$NetBSD: syslog.conf.5,v 1.13 2004/11/19 18:48:43 wiz Exp $
.\"
.\" Copyright (c) 1990, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     from: @(#)syslog.conf.5	8.1 (Berkeley) 6/9/93
.\"
.Dd November 18, 2004
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program.
It consists of blocks of lines separated by
.Em program
and
.Em hostname
specifications, with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters.
.Pp
The
.Em Selectors
function
are encoded as a
.Em facility ,
a period
.Pq Sq \&. ,
an optional set of comparison flags
.Pq Bo ! Bc Bq \*[Lt]=\*[Gt] ,
and a
.Em level ,
with no intervening white-space.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, cron, ftp, daemon, kern, lpr,
mail, mark, news, syslog, user, uucp and local0 through local7.
These keywords (with the exception of mark) correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em comparison flags
may be used to specify exactly what levels are logged.
If unspecified, the default comparison is
.Sq \*[Gt]=
.Pq greater than or equal to ,
or, if the
.Fl U
option is passed to
.Xr syslogd 8 ,
.Sq =
.Pq equal to .
Comparison flags beginning with
.So ! Sc
will have their logical sense inverted.
Thus,
.Sq !=info
means all levels except info and
.Sq !notice
has the same meaning as
.Sq \*[Lt]notice .
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (higher to lower): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to the
similar
.Pq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a
.Em program
or
.Em hostname
specification.
A block will only log messages corresponding to the most recent
.Em program
and
.Em hostname
specifications given.
Consider the case of a block that selects
.Ql pppd
as the
.Em program ,
directly followed by a block that selects messages from the
.Em hostname
.Ql dialhost .
The second block will log only messages from the
.Xr pppd 8
program from the host
.Sq dialhost .
.Pp
A
.Em program
specification of the form
.Ql #!+prog1,prog2
or
.Ql !+prog1,prog2
will cause subsequent blocks to be applied to messages logged by the
specified programs.
A
.Em program
specification of the form
.Ql #!-prog1,prog2
or
.Ql !-prog1,prog2
will cause subsequent blocks to be applied to messages logged by programs
other than the ones specified.
A
.Em program
specification of the form
.Ql #!prog1,prog2
or
.Ql !prog1,prog2
is equivalent to
.Ql !+prog1,prog2 .
Program selectors may also match kernel-generated messages.
For example, a program specification of
.Ql !+subsys
will match kernel-generated messages of the form
.Ql subsys: here is a message .
The special specification
.Ql !*
will cause subsequent blocks to apply to all programs.
.Pp
A
.Em hostname
specification of the form
.Ql #+host1,host2
or
.Ql +host1,host2
will cause subsequent blocks to be applied to messages received from
the specified hosts.
A
.Em hostname
specification of the form
.Ql #-host1,host2
or
.Ql -host1,host2
will cause subsequent blocks to be applied to messages from hosts other
than the ones specified.
If the hostname is given as
.Ql @ ,
the local hostname will be used.
The special specification
.Ql +*
will cause subsequent blocks to apply to all hosts.
.Pp
See
.Xr syslog 3
for a further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It is preferred that selections be made based on
.Em facility
rather than
.Em program ,
since the latter can vary in a networked environment.
However, there are cases where a
.Em facility
may be too broadly defined.
.Pp
If a received message matches the specified
.Em facility ,
and the specified
.Em level
comparison is true,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Sq \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Sq \&,
characters.
.Pp
An asterisk
.Pq Sq \&*
can be used to specify all
.Em facilities
or all
.Em levels .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes
(see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.Pp
To ensure that kernel messages are written to disk promptly,
.Xr syslogd 8
calls
.Xr fsync 2
after writing messages from the kernel.
Other messages are not synced explcitly.
You may disable syncing of files specified to receive kernel messages
by prefixing the pathname with a minus sign
.Ql - .
Note that use of this option may cause the loss of log information in
the event of a system crash immediately following the write attempt.
However, using this option may prove to be useful if your system's
kernel is logging many messages.
.It
A hostname (preceded by an at
.Pq Sq @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A vertical bar
.Pq Sq |
followed by a command to which to pipe the selected messages.
The command string is passed to
.Pa /bin/sh
for evaluation, so the usual shell metacharacters or input/output
redirection can occur.
(Note that redirecting
.Xr stdio 3
buffered output from the invoked command can cause additional delays,
or even lost output data in case a logging subprocess exits with a
signal.)
The command itself runs with
.Em stdout
and
.Em stderr
redirected to
.Pa /dev/null .
Upon receipt of a
.Dv SIGHUP ,
.Xr syslogd 8
will close the pipe to the process.
If the process does not exit voluntarily, it will be sent a
.Dv SIGTERM
signal after a grace period of up to 60 seconds.
.Pp
The command will only be started once data arrives that should be
piped to it.
If the command exits, it will be restarted as necessary.
.Pp
If it is desired that the subprocess should receive exactly one line of
input, this can be achieved by exiting after reading and processing the
single line.
A wrapper script can be used to achieve this effect, if necessary.
Note that this method can be very resource-intensive if many log messages
are being piped through the filter.
.Pp
Unless the command is a full pipeline, it may be useful to
start the command with
.Em exec
so that the invoking shell process does not wait for the command to
complete.
Note that the command is started with the UID of the
.Xr syslogd 8
process, normally the superuser.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Sq #
character are ignored.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
The
.Xr syslogd 8
configuration file.
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none	/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none		/var/log/messages

# Log daemon messages at debug level only
daemon.=debug				/var/log/daemon.debug

# The authpriv file has restricted access.
authpriv.*				/var/log/secure

# Log all the mail messages in one place.
mail.*					/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg					*
*.emerg					@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert					root,eric

# Save mail and news errors of level err and higher in a
# special file.
mail,news.err				/var/log/spoolerr

# Pipe all authentication messages to a filter.
auth.*					|exec /usr/local/sbin/authfilter

# Log kernel messages to a separate file without syncing each message.
kern.*					-/var/log/kernlog

# Save ftpd transactions along with mail and news.
!ftpd
*.*					/var/log/spoolerr

# Send all error messages from a RAID array through a filter.
!raid0
kern.err				|exec /usr/local/sbin/raidfilter

# Save pppd messages from dialhost to a separate file.
!pppd
+dialhost
*.*					/var/log/dialhost-pppd

# Save non-local log messages from all programs to a separate file.
!*
-@
*.*					/var/log/foreign
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
.Sh HISTORY
The
.Nm
file appeared in
.Bx 4.3 ,
along with
.Xr syslogd 8 .
.Sh BUGS
The effects of multiple selectors are sometimes not intuitive.
For example
.Dq mail.crit;*.err
will select
.Dq mail
facility messages at
the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.