emo/sysklogd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
05f14d8366
sysklogd/man/syslogd.8
Joachim Nilsson 05f14d8366 Massive cleanup and simplification of syslogd man page 
Most of the functionality in syslogd is now up to par with NetBSD and
FreeBSD syslogd.  Lots of syklogd project features have been removed and
syslog in itself is nothing new and surprising, so much of the text can
be greatly simplified or just removed.

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
2019-11-13 11:55:17 +01:00

558 lines
16 KiB
Groff
Raw Blame History

.\" -*- nroff -*-
.\" Copyright 1994-1996 Dr. Greg Wettstein, Enjellic Systems Development.
.\" Copyright 1997-2008 Martin Schulze <joey@infodrom.org>
.\" Copyright 2018-2019 Joachim Nilsson <troglobit@gmail.com>
.\"
.\" May be distributed under the GNU General Public License
.\"
.Dd Oct 30, 2019
.Dt syslogd 8
.Os "sysklogd (2.0)"
.Sh NAME
.Nm syslogd
.Nd System Log Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ?46Adnsv
.Op Fl b Ar addr[:port]
.Op Fl b Ar :port
.Op Fl f Ar file
.Op Fl m Ar sec
.Op Fl P Ar file
.Op Fl p Ar sock
.Op Fl r Ar size[:count]
.Sh DESCRIPTION
.Nm
support RFC3164 and RFC5424 style log messages for both local and remote
logging using Internet and UNIX domain sockets. Differences in style is
shown below. The optional companion daemon,
.Xr klogd 8 ,
can be used to trap kernel messages and interpret events like Oops. By
default
.Nm klogd
is not built and
.Nm
handles reading and logging of kernel messages.
.Pp
.Bl -tag -compact -width "RFC3164:"
.It RFC3164:
.Cm Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
.It RFC5424:
.Cm 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.
.El
.Pp
Note, for remote logging the messages are prefixed with
.Cm <PRI>
or
.Cm <PRI>1 ,
respectively.
.Pp
.Nm
is derived from BSD sources, today
.Fx
is the reference for
.Nm
and
.Nx
for the new
.Xr syslogp 3
API, which fully supports the new features of RFC5424. Please note; 1)
the intention is to follow standard BSD
.Nm
behavior, 2) despite having a stand-alone
.Xr syslog 3 ,
and
.Xr syslogp 3
API in
.Lb libsyslog ,
this version of
.Nm
interacts transparently with the standard C library
.Xr syslog 3
API, as implemented in GLIBC, musl libc, and uClibc.
.Pp
When
.Nm
starts up it reads its main configuration file
.Pa /etc/syslog.conf ,
or an alternate file given with the
.Fl f Ar file
option. For details on how to configure syslog priority
(facility.severity) filtering, see
.Xr syslog.conf 5 .
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl A
Ordinarily,
.Nm
tries to send the message to only one address even if the host has
more than one A or AAAA record. If this option is specified,
.Nm
tries to send the message to all addresses.
.It Fl b Ar address[:service]
.It Fl b Ar :service
Bind to a specific address and/or port. The address can be specified as
a hostname, and the port as a service name. If an IPv6 address is
specified, it should be enclosed with
.Sq \&[
and
.Sq \&] .
The default service is
.Ql syslog
(514/udp). This option can be specified multiple times to bind to
multiple addresses and/or ports.
.It Fl d
Turns on debug mode. This implicitly enables
.Fl n
to prevent
.Nm
from backgrounding itself. Debug information is written to the current
TTY. SIGUSR1 is required to confirm continued debug messages when the
daemon has finished starting up. See the
.Sx DEBUGGING
section for more information.
.It Fl f Ar file
Specify an alternative configuration file instead of the default
.Pa /etc/syslog.conf .
.It Fl m Ar seconds
.Nm
logs a mark timestamp regularly. The default interval between two
.Ql -- MARK --
lines is 20 minutes. This can be changed with this option. Setting
this to zero disables log marks entirely.
.Pp
Depending on other log messages generated these lines may not be written
consecutively. The
.Ql -- MARK --
message is only written if the log file hasn't been touched in
.Ar (seconds * 60) / 2
minutes.
.It Fl n
Run in foreground, required when run from a modern init/supervisor. See
your system
.Xr init 1
for details.
.It Fl P Ar file
Specify an alternate file in which to store the process ID.
The default is
.Pa /var/run/syslog.pid .
.It Fl p Ar socket
Specify an alternate UNIX domain socket instead of the default
.Pa /dev/log .
When a single
.Fl p
option is specified, the default pathname is replaced with the specified
one. When two or more
.Fl p
options are specified, the remaining pathnames are treated as additional
log sockets. This might be needed when running applications in
containers or a
.Xr chroot 8
environment.
.It Fl r Ar size[:count]
Enable built-in support for log rotation of files listed in
.Pa /etc/syslog.conf .
This feature is particulary useful for small and embedded systems that
do not want the overhead of
.Xr cron 8
and
.Xr logrotate 8 .
.Pp
The option controls the max size and number of backup files kept by the
built-in log-rotation. When present on the command line it activates
log rotation of all files with the given maximum size. It is also
possible to control log rotate per log file, see
.Xr syslog.conf 5
for details.
.Pp
The size argument takes optional modifiers; k, M, G. E.g., 100M is
100MB, 42k is 42 kB, etc.
.Pp
The optional number of files kept include both gzipped files and the
first rotated (not zipped) file. The default for this, when omitted,
is 5.
.It Fl s
Operate in secure mode. Do not log messages from remote machines. If
specified twice, no network socket will be opened at all, which also
disables logging to remote machines.
.It Fl v
Print
.Nm
version and exit.
.Sh CONFIGURATION FILE SYNTAX DIFFERENCES
.Nm
uses a slightly different syntax for its configuration file than the
original BSD sources. First, rules may now also have a third field
.Cm ;OPTION .
Several options are supported, comma separated, that control formatting
and log rotation, for more on this see
.Xr syslog.conf 5 .
Second, originally all messages of a specific priority and above were
forwarded to the log file.
.Pp
For example the following line send all output from daemons using the
daemon facilities (debug is the lowest priority, so every higher will
also match) to go into
.Pa /var/log/daemons :
.Bd -literal -offset indent
# Sample syslog.conf
daemon.debug /var/log/daemons
.Ed
.Pp
With
.Nm
this behavior remains the same. The difference is the addition of four
additional specifiers, the asterisk ('*') wildcard, the equation sign
('='), the exclamation mark ('!'), and the minus sign ('-').
.Pp
The '*' specifies that all messages for the specified facility are to be
directed to the destination. Note that this behavior is degenerate with
specifying a priority level of debug. Users have indicated that the
asterisk notation is more intuitive.
.Pp
The '=' wildcard is used to restrict logging to the specified priority
class. This allows, for example, routing only debug messages to a
particular logging source.
.Pp
For example, the following line in
.Pa /etc/syslog.conf
directs debug messages from all sources to the
.Pa /var/log/debug
file in RFC5424 format, with log rotation every 512 kiB, saving only 20
files in total (including the non-rotated file):
.Bd -literal -offset indent
# Sample syslog.conf
*.=debug -/var/log/debug ;RFC5424,rotate=512k:20
.Ed
.Pp
.\" The '!' as the first character of a priority inverts the above
.\" mentioned interpretation.
The '!' is used to exclude logging of the specified priorities. This
affects all (!) possibilities of specifying priorities.
.Pp
For example the following lines in
.Pa syslog.conf
log all messages of facility
.Ql mail
except those with priority
.Ql info
to the
.Pa /var/log/mail
file. All messages from
.Ql news.info
(including) to
.Ql news.crit
(excluding) are logged to the
.Pa /var/log/news
file.
.Bd -literal -offset indent
# Sample syslog.conf
mail.*;mail.!=info /var/log/mail
news.info;news.!crit /var/log/news
.Ed
.Pp
You may use it intuitively as an exception specifier. The above
mentioned interpretation is simply inverted. For example, to skip
every message with facility
.Ar mail :
.Bd -literal -offset indent
mail.none
.Ed
or
.Bd -literal -offset indent
mail.!*
.Ed
or
.Bd -literal -offset indent
mail.!debug
.Ed
.Pp
The '-' may only be used to prefix a filename if you want to omit
sync'ing the file after every write to it.
.Sh REMOTE LOGGING
.Nm
has network support enabled by default. Meaning, when it starts up it
opens a socket for sending to remote servers and also binds it to listen
for incoming syslog messages over UDP port 514. For this to work
correctly the
.Xr services 5
file (typically found in
.Pa /etc/services )
must have the following entry:
.Bd -literal -offset indent
syslog 514/udp
.Ed
.Pp
If this entry is missing
.Nm
by default disables networking completely. This can also be achieved
by the
.Fl s
flag. However,
.Nm
can listen to any port, named or by value. Use the
.Fl b Ar :5514
flag to bind a socket to (unprivileged) port 5514 instead.
.Pp
To forward messages to to a remote host, create a rule in
.Pa syslog.conf
with the name of the hostname to which the messages is to be sent
prepended with an at
.Sq ( @ )
sign. By default,
.Nm
sends messages to remote servers in the old-school
.Ql BSD
format, without timestamp and hostname. This is for compatibility
reasons. Append the
.Ql ;RFC5424
option to the rule to enable RFC5424 style formatting which includes
RFC3339 timestamp and hostname information.
.Pp
For example, to forward
.Sy ALL
messages to a remote host use the following
.Pa syslog.conf
entry:
.Bd -literal -offset indent
# Sample syslogd configuration file to forward all message
# messages to a remote host using RFC5424 style formatting
*.* @hostname ;RFC5424
.Ed
.Pp
To forward all
.Ql kernel
messages to a remote host (in old-school BSD formatting) the
configuration file would be as follows:
.Bd -literal -offset indent
# Sample configuration file to forward all kernel messages
# to a remote host.
kern.* @hostname
.Ed
.Pp
If the remote hostname cannot be resolved at startup, because the
name server might not yet be accessible (maybe started later in
the boot sequence),
.Nm
will retry resolving the name ten times before logging the error.
Another possibility to avoid this is to place the hostname in
.Pa /etc/hosts .
.Pp
If the remote host is located in the same domain as the host,
.Nm
is running on, only the simple hostname will be logged instead of the
whole FQDN.
.Sh NAMED PIPES
A FIFO, or named pipe, can be used as a destination for log messages by
prepending a pipy symbol ('|') to the name of the file. This is very
handy for debugging. Note, the FIFO must be created with the
.Xr mkfifo 1
command before
.Nm
is started.
.Pp
The following configuration file routes debug messages from the kernel
to a FIFO:
.Bd -literal -offset indent
# Sample configuration to route kernel debugging messages
# ONLY to /var/log/debug which is a named pipe.
kern.=debug |/var/log/debug
.Ed
.Sh SECURITY
There is the potential for
.Nm
to be used as a conduit for a denial of service attack. Thanks go to
.An John Morrison Aq Mt jmorriso@rflab.ee.ubc.ca
for alerting the project of this. A rogue program(mer) could very
easily flood
.Nm
with syslog messages resulting in the log files consuming all the
remaining space on the filesystem. Activating logging over network
domain sockets will of course expose a system to risks outside of
programs or individuals on the local machine.
.Pp
There are a number of methods of protecting a machine:
.Bl -enum
.It
Implement kernel firewalling to limit which hosts or networks have
access to the 514/UDP socket.
.It
Logging can be directed to an isolated or non-root filesystem which,
if filled, will not impair the machine.
.It
The ext2 filesystem can be used which can be configured to limit a
certain percentage of a filesystem to usage by root only.
.Sy NOTE:
this requires
.Nm
to be run as a non-root process. Also, this prevents usage of remote
logging since
.Nm
will be unable to bind to the 514/UDP socket.
.It
Disabling inet domain sockets will limit risk to the local machine.
.El
.Sh DEBUGGING
When debug mode (
.Fl d )
is enabled
.Nm
is very verbose, writing most of what it does on stdout. Whenever
the configuration file is reread and re-parsed you'll see a tabular,
corresponding to the internal data structure. This tabular consists of
four fields:
.Pp
.Bl -tag -width arguments
.It number
This field contains a serial number starting by zero. This number
represents the position in the internal data structure (i.e. the array).
If one number is left out then there might be an error in the
corresponding line in
.Pa /etc/syslog.conf .
.It pattern
This field is tricky and represents the internal structure exactly.
Every column stands for a facility, refer to
.Xr syslogp 3 .
As you can see, there are still some facilities left free for former
use, only the left most are used. Every field in a column represents
the priorities, refer to
.Xr syslogp 3 .
.It action
This field describes the particular action that takes place whenever a
message is received that matches the pattern. Refer to the
.Xr syslog.conf 5
manpage for all possible actions.
.It arguments
This field shows additional arguments to the actions in the last field.
For file-logging this is the filename for the logfile; for user-logging
this is a list of users; for remote logging this is the hostname of the
machine to log to; for console-logging this is the used console; for
tty-logging this is the specified tty; wall has no additional arguments.
.El
.Sh SIGNALS
.Nm
supports the following signals:
.Pp
.Bl -tag -width "TERM, QUIT"
.It HUP
This lets
.Nm
perform a re-initialization. All open files are closed, the
configuration file (see above) is reread and the
.Xr syslog 3
facility is started again.
.It TERM
This tells
.Nm
to exit gracefully. Flushing any log files to disk.
.It INT, QUIT
In debug mode these are ignored. In normal operation they act as
SIGTERM.
.It USR1
In debug mode this switches debugging on/off. In normal operation
it is ignored.
.El
.Pp
For convenience the PID is by default stored in
.Pa /var/run/syslogd.pid .
A script can look for the existance of this file to determine if
.Nm
is running, and then send signals:
.Bd -literal -offset indent
kill -SIGNAL `cat /var/run/syslogd.pid`
.Ed
.Sh FILES
.Bl -tag -width TERM
.It Pa /dev/log
The UNIX domain socket to from where local syslog messages are read.
.It Pa /proc/kmsg
The Linux kernel log file
.Nm
reads when built without the optional
.Nm klogd .
.It Pa /etc/syslog.conf
Configuration file for
.Nm .
See
.Xr syslog.conf 5
for more information.
.It Pa /etc/syslog.d/*.conf
Conventional sub-directory of
.Pa .conf
files read by
.Nm .
.It Pa /etc/syslog.d/50-default.conf
Conventional name for default rules.
.It Pa /var/run/syslogd.pid
The file containing the process id of
.Nm .
.El
.Sh BUGS
The ability to log messages received in UDP packets is equivalent to an
unauthenticated remote disk-filling service, and should probably be
disabled
.Fl ( s )
by default. (The shipped systemd unit file disables this by default.)
A future version of
.Nm
may include support for TLS, RFC5425, which includes authentication of
both senders and receivers.
.Pp
As mentioned in the
.Sx DESCRIPTION ,
.Nm
transparently supports the standard C library
.Xr syslog 3
API. If a binary linked to the standard C libraries does not operate
correctly, this should be reported as a bug to this project. See below
for contact details.
.Pp
.Nm
doesn't change the file mode of opened log files at any stage. If a
file is created it is world readable. If you want to avoid this, you
have to create it and change permissions on your own. This could be
done in combination with rotating logfiles using the
.Xr savelog 8
program that is shipped in the
.Nm smail
3.x distribution. Remember that it might be a security hole if
everybody is able to read
.Ql auth.*
messages as these might contain passwords.
.Sh SEE ALSO
.Xr syslog.conf 5 ,
.Xr klogd 8 ,
.Xr logger 1 ,
.Xr syslog 2 ,
.Xr syslogp 3 ,
.Xr services 5 ,
.Xr savelog 8 .
.Sh AUTHORS
The system log daemon
.Nm
is originally taken from BSD sources and later updated with new
funcitonality from
.Fx
and
.Nx .
.An -nosplit
.An Greg Wettstein Aq Mt greg@wind.enjellic.com
performed the initial port to Linux.
.An Martin Schulze Aq Mt joey@infodrom.org
fixed some bugs, added several new features and took over maintenance.
.An Joachim Nilsson Aq Mt troglobit@gmail.com
later picked up the aging
.Nm sysklogd
project and gave it a home at GitHub with new features imported from
.Fx
and
.Nx .
Reference in New Issue View Git Blame Copy Permalink