1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" from: @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 29.\" $OpenBSD: syslog.conf.5,v 1.22 2007/05/31 19:20:29 jmc Exp $ 30.\" $NetBSD: syslog.conf.5,v 1.4 1996/01/02 17:41:46 perry Exp $ 31.\" 32.Dd $Mdocdate: May 31 2007 $ 33.Dt SYSLOG.CONF 5 34.Os 35.Sh NAME 36.Nm syslog.conf 37.Nd 38.Xr syslogd 8 39configuration file 40.Sh DESCRIPTION 41The 42.Nm syslog.conf 43file is the configuration file for the 44.Xr syslogd 8 45program. 46It consists of blocks of lines separated by 47.Em program 48specifications, with each line containing two fields: the 49.Em selector 50field which specifies the types of messages and priorities to which the 51line applies, and an 52.Em action 53field which specifies the action to be taken if a message 54.Xr syslogd 55receives matches the selection criteria. 56The 57.Em selector 58field is separated from the 59.Em action 60field by one or more tab characters. 61.Pp 62The 63.Em selectors 64function 65is encoded as a 66.Em facility , 67a period 68.Pq Ql \&. , 69and a 70.Em level , 71with no intervening whitespace. 72Both the 73.Em facility 74and the 75.Em level 76are case insensitive. 77.Pp 78The 79.Em facility 80describes the part of the system generating the message, and is one of 81the following keywords: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, 82mark, news, syslog, user, uucp and local0 through local7. 83These keywords (with the exception of mark) correspond to the 84similar 85.Dq Dv LOG_ 86values specified to the 87.Xr openlog 3 88and 89.Xr syslog 3 90library routines. 91.Pp 92The 93.Em level 94describes the severity of the message, and is a keyword from the 95following ordered list (highest to lowest): emerg, alert, crit, err, 96warning, notice, info and debug. 97These keywords correspond to the 98similar 99.Pq Dv LOG_ 100values specified to the 101.Xr syslog 102library routine. 103.Pp 104Each block of lines is separated from the previous block by a tag. 105The tag is a line beginning with 106.Em !prog 107and each block will be associated with calls to syslog from that specific 108program. 109When a message matches multiple blocks, the action of each matching 110block is taken. 111If no tag is specified at the beginning of the file, 112every line is checked for a match and acted upon 113.Pq at least until a tag is found . 114.Pp 115.Em !!prog 116causes the subsequent block to abort evaluation when a message matches, 117ensuring that only a single set of actions is taken. 118.Em !*\& 119can be used to ensure that any ensuing blocks are further evaluated 120(i.e. cancelling the effect of a 121.Em !prog 122or 123.Em !!prog ) . 124.Pp 125See 126.Xr syslog 3 127for further descriptions of both the 128.Em facility 129and 130.Em level 131keywords and their significance. 132It's preferred that selections be made on 133.Em facility 134rather than 135.Em program , 136since the latter can easily vary in a networked environment. 137In some cases, though, an appropriate 138.Em facility 139simply doesn't exist. 140.Pp 141If a received message matches the specified 142.Em facility 143and is of the specified 144.Em level 145.Pq Em or a higher level , 146and the first word in the message after the date matches the 147.Em program , 148the action specified in the 149.Em action 150field will be taken. 151.Pp 152Multiple 153.Em selectors 154may be specified for a single 155.Em action 156by separating them with semicolon 157.Pq Ql \&; 158characters. 159It is important to note, however, that each 160.Em selector 161can modify the ones preceding it. 162.Pp 163Multiple 164.Em facilities 165may be specified for a single 166.Em level 167by separating them with comma 168.Pq Ql \&, 169characters. 170.Pp 171An asterisk 172.Pq Ql * 173can be used to specify all 174.Em facilities , 175all 176.Em levels 177or all 178.Em programs . 179.Pp 180The special 181.Em facility 182.Dq mark 183receives a message at priority 184.Dq info 185every 20 minutes (see 186.Xr syslogd 8 ) . 187This is not enabled by a 188.Em facility 189field containing an asterisk. 190.Pp 191The special 192.Em level 193.Dq none 194disables a particular 195.Em facility . 196.Pp 197The 198.Em action 199field of each line specifies the action to be taken when the 200.Em selector 201field selects a message. 202There are six forms: 203.Bl -bullet 204.It 205A pathname (beginning with a leading slash). 206Selected messages are appended to the file. 207.It 208A pipe to another program (beginning with a leading pipe symbol). 209The given program is started and presented the selected messages 210on its standard input. 211If the program exits, 212.Xr syslogd 8 213tries to restart it. 214.It 215A hostname (preceded by an at 216.Pq Ql @ 217sign). 218Selected messages are forwarded to the 219.Xr syslogd 220program on the named host. 221A port number may be optionally specified using the 222.Ar host:port 223syntax. 224.It 225A comma separated list of users. 226Selected messages are written to those users 227if they are logged in. 228.It 229An asterisk. 230Selected messages are written to all logged-in users. 231.It 232A colon, followed by a memory buffer size 233.Pq in kilobytes , 234followed by another colon, followed by a buffer name. 235Selected messages are written to an in-memory buffer that may be read using 236.Xr syslogc 8 . 237Memory buffered logging is useful to provide access to log data on devices 238that lack local storage (e.g. diskless workstations or routers). 239The largest allowed buffer size is 256kb. 240.El 241.Pp 242Blank lines and lines whose first non-blank character is a hash 243.Pq Ql # 244character are ignored. 245.Sh FILES 246.Bl -tag -width /etc/syslog.conf -compact 247.It Pa /etc/syslog.conf 248The 249.Xr syslogd 8 250configuration file. 251.El 252.Sh EXAMPLES 253A configuration file might appear as follows: 254.Bd -literal 255# Log info (and higher) messages from spamd only to 256# a dedicated file, discarding debug messages. 257# Matching messages abort evaluation of further rules. 258!!spamd 259daemon.info /var/log/spamd 260daemon.debug /dev/null 261!* 262 263# Log all kernel messages, authentication messages of 264# level notice or higher and anything of level err or 265# higher to the console. 266# Don't log private authentication messages! 267*.err;kern.*;auth.notice;authpriv.none /dev/console 268 269# Log anything (except mail) of level info or higher. 270# Don't log private authentication messages! 271*.info;mail.none;authpriv.none /var/log/messages 272 273# The authpriv file has restricted access. 274authpriv.* /var/log/secure 275 276# Log all the mail messages in one place. 277mail.* /var/log/maillog 278 279# Everybody gets emergency messages, plus log them on another 280# machine. 281*.emerg * 282*.emerg @arpa.berkeley.edu 283 284# Root and Eric get alert and higher messages. 285*.alert root,eric 286 287# Save mail and news errors of level err and higher in a 288# special file. 289mail,news.err /var/log/spoolerr 290 291# Save ftpd transactions along with mail and news 292!ftpd 293*.* /var/log/spoolerr 294 295# Keep a copy of all logging in a 32k memory buffer named "debug" 296*.debug :32:debug 297 298# Store notices and authpriv messages in a 64k buffer named "important" 299*.notice,authpriv.* :64:important 300 301# feed everything to logsurfer 302*.* |/usr/local/sbin/logsurfer 303.Ed 304.Sh SEE ALSO 305.Xr syslog 3 , 306.Xr syslogc 8 , 307.Xr syslogd 8 308.Sh HISTORY 309The 310.Nm 311file appeared in 312.Bx 4.3 , 313along with 314.Xr syslogd 8 . 315.Sh BUGS 316The effects of multiple selectors are sometimes not intuitive. 317For example 318.Dq mail.crit;*.err 319will select 320.Dq mail 321facility messages at the level of 322.Dq err 323or higher, not at the level of 324.Dq crit 325or higher. 326