1.\" $OpenBSD: syslogd.8,v 1.53 2017/01/02 15:58:02 bluhm Exp $ 2.\" 3.\" Copyright (c) 1983, 1986, 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the University nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" from: @(#)syslogd.8 8.1 (Berkeley) 6/6/93 31.\" $NetBSD: syslogd.8,v 1.3 1996/01/02 17:41:48 perry Exp $ 32.\" 33.Dd $Mdocdate: January 2 2017 $ 34.Dt SYSLOGD 8 35.Os 36.Sh NAME 37.Nm syslogd 38.Nd log system messages 39.Sh SYNOPSIS 40.Nm syslogd 41.Bk -words 42.Op Fl 46dFhnuVZ 43.Op Fl a Ar path 44.Op Fl C Ar CAfile 45.Op Fl c Ar cert_file 46.Op Fl f Ar config_file 47.Op Fl K Ar CAfile 48.Op Fl k Ar key_file 49.Op Fl m Ar mark_interval 50.Op Fl p Ar log_socket 51.Op Fl S Ar listen_address 52.Op Fl s Ar reporting_socket 53.Op Fl T Ar listen_address 54.Op Fl U Ar bind_address 55.Ek 56.Sh DESCRIPTION 57.Nm 58writes system messages to log files or a user's terminal. 59Output can be sent to other programs 60for further processing. 61It can also securely send and receive log messages 62to and from remote hosts. 63.Pp 64The options are as follows: 65.Bl -tag -width Ds 66.It Fl 4 67Forces 68.Nm 69to use only IPv4 addresses for UDP. 70.It Fl 6 71Forces 72.Nm 73to use only IPv6 addresses for UDP. 74.It Fl a Ar path 75Specify a location where 76.Nm 77should place an additional log socket. 78The primary use for this is to place additional log sockets in 79.Pa /dev/log 80of various chroot filespaces, though the need for these is 81less urgent after the introduction of 82.Xr sendsyslog 2 . 83.It Fl C Ar CAfile 84PEM encoded file containing CA certificates used for certificate 85validation of a remote loghost; 86the default is 87.Pa /etc/ssl/cert.pem . 88.It Fl c Ar cert_file 89PEM encoded file containing the client certificate for TLS connections 90to a remote host. 91The default is not to use a client certificate for the connection 92to a syslog server. 93This option has to be used together with 94.Fl k Ar key_file . 95.It Fl d 96Enable debugging to the standard output, 97and do not disassociate from the controlling terminal. 98.It Fl F 99Run in the foreground instead of disassociating from the controlling 100terminal and running as a background daemon. 101.It Fl f Ar config_file 102Specify the pathname of an alternate configuration file; 103the default is 104.Pa /etc/syslog.conf . 105.It Fl h 106Include the hostname when forwarding messages to a remote host. 107.It Fl K Ar CAfile 108PEM encoded file containing CA certificates used for client certificate 109validation on the local server socket. 110By default incoming connections from any TLS server are allowed. 111.It Fl k Ar key_file 112PEM encoded file containing the client private key for TLS connections 113to a remote host. 114This option has to be used together with 115.Fl c Ar cert_file . 116.It Fl m Ar mark_interval 117Select the number of minutes between 118.Dq mark 119messages; the default is 20 minutes. 120.It Fl n 121Print source addresses numerically rather than symbolically. 122This saves an address-to-name lookup for each incoming message, 123which can be useful when combined with the 124.Fl u 125option on a loghost with no DNS cache. 126Messages from the local host will still be logged with 127the symbolic local host name. 128.It Fl p Ar log_socket 129Specify the pathname of an alternate log socket to be used instead; 130the default is 131.Pa /dev/log . 132.It Fl S Ar listen_address 133Create a TLS listen socket for receiving encrypted messages and 134bind it to the specified address. 135A port number may be specified using the 136.Ar host : Ns Ar port 137syntax. 138The parameter is also used to find a suitable server key and 139certificate in 140.Pa /etc/ssl/ . 141.It Fl s Ar reporting_socket 142Specify path to an 143.Dv AF_LOCAL 144socket for use in reporting logs stored in memory buffers using 145.Xr syslogc 8 . 146.It Fl T Ar listen_address 147Create a TCP listen socket for receiving messages and bind it to 148the specified address. 149There is no well-known port for syslog over TCP, so a port number 150must be specified using the 151.Ar host : Ns Ar port 152syntax. 153.It Fl U Ar bind_address 154Create a UDP socket for receiving messages and bind it to the 155specified address. 156This can be used, for example, with a pf divert-to rule to receive 157packets when syslogd is bound to localhost. 158A port number may be specified using the 159.Ar host : Ns Ar port 160syntax. 161.It Fl u 162Select the historical 163.Dq insecure 164mode, in which syslogd will 165accept input from the UDP port. 166Some software wants this, but you can be subjected to a variety of 167attacks over the network, including attackers remotely filling logs. 168.It Fl V 169Do not perform remote server certificate and hostname validation 170when sending messages. 171.It Fl Z 172Generate timestamps in ISO format. 173This includes the year and the timezone, and all logging is done 174in UTC. 175.El 176.Pp 177The options 178.Fl a , T , 179and 180.Fl U 181can be given more than once to specify multiple input sources. 182.Pp 183.Nm 184reads its configuration file, 185.Xr syslog.conf 5 , 186when it starts up and whenever it 187receives a hangup signal. 188It creates the file 189.Pa /var/run/syslog.pid 190and stores its process ID there. 191The PID can be used to kill or reconfigure 192.Nm . 193.Pp 194.Nm 195opens a UDP socket, as specified 196in 197.Pa /etc/services , 198for sending forwarded messages. 199By default all incoming data on this socket is discarded. 200If insecure mode is switched on with 201.Fl u , 202it will also read messages from the socket. 203.Nm 204also opens and reads messages from the 205.Ux Ns -domain 206socket 207.Pa /dev/log , 208and from the special device 209.Pa /dev/klog 210(to read kernel messages), 211and from 212.Xr sendsyslog 2 213(to read messages from userland processes). 214.Pp 215The message sent to 216.Nm 217should consist of a single line. 218The message can contain a priority code, which should be a preceding 219decimal number in angle braces, for example, 220.Dq <5> . 221This priority code should map into the priorities defined in the 222include file 223.In sys/syslog.h . 224.Pp 225When sending syslog messages to a remote loghost via TLS, the 226server's certificate and hostname are validated to prevent malicious 227servers from reading messages. 228If the server has a certificate with a matching hostname signed by 229a CA in 230.Pa /etc/ssl/cert.pem , 231it is verified with that by default. 232If the server has a certificate with a matching hostname signed by 233a private CA, use the 234.Fl C 235option and put that CA into 236.Ar CAfile . 237Validation can be explicitly turned off using the 238.Fl V 239option. 240If the server is accepting messages only from clients with a trusted 241client certificate, use the 242.Fl k 243and 244.Fl c 245options to authenticate 246.Nm 247with this certificate. 248.Pp 249When receiving syslog messages from a TLS client, there must be 250a server key and certificate in 251.Pa /etc/ssl/private/host Ns Oo : Ns Ar port Oc Ns Ar .key 252and 253.Pa /etc/ssl/host Ns Oo : Ns Ar port Oc Ns Ar .crt . 254If the client uses certificates to authenticate, the CA of the 255client's certificate may be added to 256.Ar CAfile 257using the 258.Fl K 259option to protect from messages being spoofed by malicious clients. 260.Sh FILES 261.Bl -tag -width /var/run/syslog.pid -compact 262.It Pa /dev/log 263Name of the 264.Ux Ns -domain 265datagram log socket. 266.It Pa /dev/klog 267Kernel log device. 268.It Pa /etc/ssl/ 269Private keys and public certificates. 270.It Pa /etc/syslog.conf 271Configuration file. 272.It Pa /var/run/syslog.pid 273Process ID of current 274.Nm . 275.El 276.Sh SEE ALSO 277.Xr logger 1 , 278.Xr syslog 3 , 279.Xr services 5 , 280.Xr syslog.conf 5 , 281.Xr newsyslog 8 , 282.Xr syslogc 8 283.Sh HISTORY 284The 285.Nm 286command appeared in 287.Bx 4.3 . 288.Sh CAVEATS 289.Nm 290does not create files, 291it only logs to existing ones. 292