1.\" $OpenBSD: syslogd.8,v 1.56 2017/07/05 09:40:16 mpi Exp $ 2.\" 3.\" Copyright (c) 1983, 1986, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93 31.\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $ 32.\" 33.Dd $Mdocdate: July 5 2017 $ 34.Dt SYSLOGD 8 35.Os 36.Sh NAME 37.Nm syslogd 38.Nd log system messages 39.Sh SYNOPSIS 40.Nm syslogd 41.Bk -words 42.Op Fl 46dFhnruVZ 43.Op Fl a Ar path 44.Op Fl C Ar CAfile 45.Op Fl c Ar cert_file 46.Op Fl f Ar config_file 47.Op Fl K Ar CAfile 48.Op Fl k Ar key_file 49.Op Fl m Ar mark_interval 50.Op Fl p Ar log_socket 51.Op Fl S Ar listen_address 52.Op Fl s Ar reporting_socket 53.Op Fl T Ar listen_address 54.Op Fl U Ar bind_address 55.Ek 56.Sh DESCRIPTION 57.Nm 58writes system messages to log files or a user's terminal. 59Output can be sent to other programs 60for further processing. 61It can also securely send and receive log messages 62to and from remote hosts. 63.Pp 64The options are as follows: 65.Bl -tag -width Ds 66.It Fl 4 67Forces 68.Nm 69to use only IPv4 addresses for UDP. 70.It Fl 6 71Forces 72.Nm 73to use only IPv6 addresses for UDP. 74.It Fl a Ar path 75Specify a location where 76.Nm 77should place an additional log socket. 78The primary use for this is to place additional log sockets in 79.Pa /dev/log 80of various chroot filespaces, though the need for these is 81less urgent after the introduction of 82.Xr sendsyslog 2 . 83.It Fl C Ar CAfile 84PEM encoded file containing CA certificates used for certificate 85validation of a remote loghost; 86the default is 87.Pa /etc/ssl/cert.pem . 88.It Fl c Ar cert_file 89PEM encoded file containing the client certificate for TLS connections 90to a remote loghost. 91The default is not to use a client certificate for the outgoing connection 92to a syslog server. 93This option has to be used together with 94.Fl k Ar key_file . 95.It Fl d 96Enable debugging to the standard output, 97and do not disassociate from the controlling terminal. 98.It Fl F 99Run in the foreground instead of disassociating from the controlling 100terminal and running as a background daemon. 101.It Fl f Ar config_file 102Specify the pathname of an alternate configuration file; 103the default is 104.Pa /etc/syslog.conf . 105.It Fl h 106Include the hostname when sending messages to a remote loghost. 107.It Fl K Ar CAfile 108PEM encoded file containing CA certificates used for client certificate 109validation on the local listen socket. 110By default incoming connections from any TLS client are allowed. 111.It Fl k Ar key_file 112PEM encoded file containing the client private key for TLS connections 113to a remote loghost. 114This option has to be used together with 115.Fl c Ar cert_file . 116.It Fl m Ar mark_interval 117Select the number of minutes between 118.Dq mark 119messages; the default is 20 minutes. 120.It Fl n 121Print source addresses numerically rather than symbolically. 122This saves an address-to-name lookup for each incoming message, 123which can be useful when combined with the 124.Fl u 125option on a loghost with no DNS cache. 126Messages from the local host will still be logged with 127the symbolic local host name. 128.It Fl p Ar log_socket 129Specify the pathname of an alternate log socket to be used instead; 130the default is 131.Pa /dev/log . 132.It Fl r 133Print duplicate lines immediately and suppress the "last message 134repeated" summary when piping to another program or forwarding to 135a remote loghost. 136If given twice, this is done for all log actions. 137.It Fl S Ar listen_address 138Create a TLS listen socket for receiving encrypted messages and 139bind it to the specified address. 140A port number may be specified using the 141.Ar host : Ns Ar port 142syntax. 143The first 144.Ar listen_address 145is also used to find a suitable server key and certificate in 146.Pa /etc/ssl/ . 147.It Fl s Ar reporting_socket 148Specify path to an 149.Dv AF_LOCAL 150socket for use in reporting logs stored in memory buffers using 151.Xr syslogc 8 . 152.It Fl T Ar listen_address 153Create a TCP listen socket for receiving messages and bind it to 154the specified address. 155There is no well-known port for syslog over TCP, so a port number 156must be specified using the 157.Ar host : Ns Ar port 158syntax. 159.It Fl U Ar bind_address 160Create a UDP socket for receiving messages and bind it to the 161specified address. 162This can be used, for example, with a pf divert-to rule to receive 163packets when syslogd is bound to localhost. 164A port number may be specified using the 165.Ar host : Ns Ar port 166syntax. 167.It Fl u 168Select the historical 169.Dq insecure 170mode, in which syslogd will 171accept input from the UDP port. 172Some software wants this, but you can be subjected to a variety of 173attacks over the network, including attackers remotely filling logs. 174.It Fl V 175Do not perform remote server certificate and hostname validation 176when sending messages. 177.It Fl Z 178Generate timestamps in ISO format. 179This includes the year and the timezone, and all logging is done 180in UTC. 181.El 182.Pp 183The options 184.Fl a , S , T , 185and 186.Fl U 187can be given more than once to specify multiple input sources. 188.Pp 189.Nm 190reads its configuration file, 191.Xr syslog.conf 5 , 192when it starts up and whenever it 193receives a hangup signal. 194It creates the file 195.Pa /var/run/syslog.pid 196and stores its process ID there. 197The PID can be used to kill or reconfigure 198.Nm . 199.Pp 200.Nm 201opens a UDP socket, as specified 202in 203.Pa /etc/services , 204for sending forwarded messages. 205By default all incoming data on this socket is discarded. 206If insecure mode is switched on with 207.Fl u , 208it will also read messages from the socket. 209.Nm 210also opens and reads messages from the 211.Ux Ns -domain 212socket 213.Pa /dev/log , 214and from the special device 215.Pa /dev/klog 216(to read kernel messages), 217and from 218.Xr sendsyslog 2 219(to read messages from userland processes). 220.Pp 221The message sent to 222.Nm 223should consist of a single line. 224The message can contain a priority code, which should be a preceding 225decimal number in angle braces, for example, 226.Dq <5> . 227This priority code should map into the priorities defined in the 228include file 229.In sys/syslog.h . 230.Pp 231When sending syslog messages to a remote loghost via TLS, the 232server's certificate and hostname are validated to prevent malicious 233servers from reading messages. 234If the server has a certificate with a matching hostname signed by 235a CA in 236.Pa /etc/ssl/cert.pem , 237it is verified with that by default. 238If the server has a certificate with a matching hostname signed by 239a private CA, use the 240.Fl C 241option and put that CA into 242.Ar CAfile . 243Validation can be explicitly turned off using the 244.Fl V 245option. 246If the server is accepting messages only from clients with a trusted 247client certificate, use the 248.Fl k 249and 250.Fl c 251options to authenticate 252.Nm 253with this certificate. 254.Pp 255When receiving syslog messages from a TLS client, there must be 256a server key and certificate in 257.Pa /etc/ssl/private/host Ns Oo : Ns Ar port Oc Ns Ar .key 258and 259.Pa /etc/ssl/host Ns Oo : Ns Ar port Oc Ns Ar .crt . 260If the client uses certificates to authenticate, the CA of the 261client's certificate may be added to 262.Ar CAfile 263using the 264.Fl K 265option to protect from messages being spoofed by malicious senders. 266.Sh FILES 267.Bl -tag -width /var/run/syslog.pid -compact 268.It Pa /dev/log 269Name of the 270.Ux Ns -domain 271datagram log socket. 272.It Pa /dev/klog 273Kernel log device. 274.It Pa /etc/ssl/ 275Private keys and public certificates. 276.It Pa /etc/syslog.conf 277Configuration file. 278.It Pa /var/run/syslog.pid 279Process ID of current 280.Nm . 281.El 282.Sh SEE ALSO 283.Xr logger 1 , 284.Xr syslog 3 , 285.Xr services 5 , 286.Xr syslog.conf 5 , 287.Xr newsyslog 8 , 288.Xr syslogc 8 289.Sh HISTORY 290The 291.Nm 292command appeared in 293.Bx 4.3 . 294.Sh CAVEATS 295.Nm 296does not create files, 297it only logs to existing ones. 298