.\" Copyright (c) 1990, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	from: @(#)syslog.conf.5	8.1 (Berkeley) 6/9/93
.\"	$OpenBSD: syslog.conf.5,v 1.34 2016/07/06 19:29:13 millert Exp $
.\"	$NetBSD: syslog.conf.5,v 1.4 1996/01/02 17:41:46 perry Exp $
.\"
.Dd $Mdocdate: July 6 2016 $
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd syslogd(8) configuration file
.Sh DESCRIPTION
The
.Nm syslog.conf
file is the configuration file for the
.Xr syslogd 8
program.
It consists of blocks of lines separated by
.Em program
specifications, with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab or space characters.
.Pp
The
.Em selectors
are encoded as a
.Em facility ,
a period
.Pq Ql \&. ,
and a
.Em level ,
with no intervening whitespace.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail,
mark, news, syslog, user, uucp and local0 through local7.
These keywords (with the exception of mark) correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (highest to lowest): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to the
similar
.Pq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a tag.
The tag is a line beginning with
.Em !prog
and each block will be associated with calls to syslog from that specific
program.
When a message matches multiple blocks, the action of each matching
block is taken.
If no tag is specified at the beginning of the file,
every line is checked for a match and acted upon
.Pq at least until a tag is found .
.Pp
.Em !!prog
causes the subsequent block to abort evaluation when a message matches,
ensuring that only a single set of actions is taken.
.Em !*\&
can be used to ensure that any ensuing blocks are further evaluated
(i.e. cancelling the effect of a
.Em !prog
or
.Em !!prog ) .
.Pp
Blocks starting with
.Em +host
or
.Em ++host
or
.Em +*
work the same way as their
.Em prog
counterparts, but they match on the hostname instead of the program
name.
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It's recommended that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases, though, an appropriate
.Em facility
simply doesn't exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Pq Em or a higher level ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Ql \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Ql \&,
characters.
.Pp
An asterisk
.Pq Ql *
can be used to specify all
.Em facilities ,
all
.Em levels
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes (see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are six forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.It
A pipe to another program (beginning with a leading pipe symbol).
The given program is started and presented the selected messages
on its standard input.
If the program exits,
.Xr syslogd 8
tries to restart it.
.It
A hostname (preceded by an at
.Pq Ql @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
A port number may be specified using the
.Ar host:port
syntax.
This is optional for UDP and TLS.
There is no well-known port for syslog over TCP, so in this case it
is mandatory to specify the port.
IPv6 addresses can be used by surrounding the address portion with
square brackets
.Po
.Ql [\&
and
.Ql ]\&
.Pc .
A prefix udp4:// or udp6:// in front of the hostname and after the
at sign will force IPv4 or IPv6 addresses for UDP transport.
The prefixes tcp[46]:// or tls[46]:// send messages over TCP or
TLS, respectively, with an optional IP version 4 or 6.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A colon, followed by a memory buffer size
.Pq in kilobytes ,
followed by another colon, followed by a buffer name.
Selected messages are written to an in-memory buffer that may be read using
.Xr syslogc 8 .
Memory buffered logging is useful to provide access to log data on devices
that lack local storage (e.g. diskless workstations or routers).
The largest allowed buffer size is 256kb.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Ql #
character are ignored.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
The
.Xr syslogd 8
configuration file.
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log info (and higher) messages from spamd only to
# a dedicated file, discarding debug messages.
# Matching messages abort evaluation of further rules.
!!spamd
daemon.info						/var/log/spamd
daemon.debug						/dev/null
!*

# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none			/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none				/var/log/messages

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg							*
*.emerg							@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert							root,eric

# Save mail and news errors of level err and higher in a
# special file.
mail,news.err						/var/log/spoolerr

# Save ftpd transactions along with mail and news
!ftpd
*.*							/var/log/spoolerr

# Keep a copy of all logging in a 32k memory buffer named "debug"
*.debug							:32:debug

# Store notices and authpriv messages in a 64k buffer named "important"
*.notice,authpriv.*					:64:important

# feed everything to logsurfer
*.*							|/usr/local/sbin/logsurfer
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogc 8 ,
.Xr syslogd 8
.Sh HISTORY
The
.Nm
file appeared in
.Bx 4.3 ,
along with
.Xr syslogd 8 .
.Pp
Historic versions of
.Xr syslogd 8
did not support space-delimited fields.
.Sh BUGS
The effects of multiple selectors are sometimes not intuitive.
For example
.Dq mail.crit;*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
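.Pp
The selector interaction noted above can be checked before a rule is deployed; the following is an added example, not part of the original manual page or the syslogd(8) source.
It assumes each selector overwrites the level already recorded for the facilities it names, and the function names are hypothetical.

```python
# Added illustration: models the selector rules this page documents,
# not code from syslogd(8). Assumes each selector overwrites the level
# already recorded for the facilities it names.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr",
              "mail", "mark", "news", "syslog", "user", "uucp"]
FACILITIES += ["local%d" % i for i in range(8)]


def compile_selectors(field):
    """Return {facility: index of lowest level logged, or None if disabled}."""
    table = {f: None for f in FACILITIES}
    for selector in field.lower().split(";"):      # keywords are case insensitive
        facs, _, level = selector.partition(".")
        if level == "none":
            threshold = None                       # "none" disables the facility
        elif level == "*":
            threshold = len(LEVELS) - 1            # every level
        elif level in LEVELS:
            threshold = LEVELS.index(level)
        else:
            raise ValueError("unknown level in %r" % selector)
        for fac in facs.split(","):
            if fac == "*":
                # An asterisk covers every facility except "mark".
                targets = [f for f in FACILITIES if f != "mark"]
            elif fac in FACILITIES:
                targets = [fac]
            else:
                raise ValueError("unknown facility in %r" % selector)
            for f in targets:
                table[f] = threshold               # later selectors win
    return table


def matches(field, facility, level):
    """True if a message of this facility and level is selected."""
    threshold = compile_selectors(field)[facility]
    return threshold is not None and LEVELS.index(level) <= threshold


def leaks_authpriv(field):
    """True if the selector field would select any authpriv message."""
    return compile_selectors(field)["authpriv"] is not None
```

Placing authpriv.none before a wildcard selector, as in authpriv.none;*.info, re-enables authpriv for that line, which leaks_authpriv() reports.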
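.Pp
The six action forms listed in DESCRIPTION can be classified mechanically, which makes it easy to list the rules that forward messages without TLS; this is an added example, not part of the original manual page or the syslogd(8) source.
The function names are hypothetical, a loghost without a prefix is assumed to use UDP, and the hosts and ports in any call are constructed sample values.

```python
import re

# Added illustration, not syslogd(8) code. Prefixes follow this page:
# udp4/udp6, tcp[46], tls[46]; a bare @host is assumed to mean UDP.
_LOGHOST = re.compile(
    r"^(?:(?P<proto>udp|tcp|tls)(?P<ipver>[46])?://)?"
    r"(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\[\]]+))"
    r"(?::(?P<port>\d+))?$")


def classify_action(action):
    """Map an action field to one of the six forms in DESCRIPTION."""
    if action.startswith("/"):
        return {"form": "file", "path": action}
    if action.startswith("|"):
        return {"form": "pipe", "command": action[1:]}
    if action == "*":
        return {"form": "all-users"}
    if action.startswith(":"):
        parts = action.split(":", 2)               # "", size, name
        if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) > 256:
            raise ValueError("bad memory buffer %r (limit is 256)" % action)
        return {"form": "membuf", "kilobytes": int(parts[1]), "name": parts[2]}
    if action.startswith("@"):
        m = _LOGHOST.match(action[1:])
        if m is None:
            raise ValueError("malformed loghost %r" % action)
        proto = m.group("proto") or "udp"
        if proto == "tcp" and m.group("port") is None:
            # No well-known port for syslog over TCP: it must be given.
            raise ValueError("tcp loghost needs an explicit port")
        return {"form": "forward", "proto": proto, "ipver": m.group("ipver"),
                "host": m.group("v6") or m.group("host"),
                "port": m.group("port"), "encrypted": proto == "tls"}
    return {"form": "users", "users": action.split(",")}


def unencrypted_forwards(actions):
    """Return the forwarding actions that do not use TLS."""
    found = []
    for action in actions:
        info = classify_action(action)
        if info["form"] == "forward" and not info["encrypted"]:
            found.append(action)
    return found
```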