141b3d5c7c
Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
462 lines
14 KiB
Groff
462 lines
14 KiB
Groff
.\" syslog.conf - syslogd(8) configuration file
|
|
.\" Copyright (c) 1995-2009 Martin Schulze <joey@infodrom.org>
|
|
.\"
|
|
.\" This file is part of the sysklogd package, a kernel and system log daemon.
|
|
.\"
|
|
.\" This program is free software; you can redistribute it and/or modify
|
|
.\" it under the terms of the GNU General Public License as published by
|
|
.\" the Free Software Foundation; either version 2 of the License, or
|
|
.\" (at your option) any later version.
|
|
.\"
|
|
.\" This program is distributed in the hope that it will be useful,
|
|
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
.\" GNU General Public License for more details.
|
|
.\"
|
|
.\" You should have received a copy of the GNU General Public License
|
|
.\" along with this program; if not, write to the Free Software
|
|
.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
|
|
.\"
|
|
.TH SYSLOG.CONF 5 "27 November 2009" "Version 1.5" "Linux System Administration"
|
|
.SH NAME
|
|
syslog.conf \- syslogd(8) configuration file
|
|
.SH DESCRIPTION
|
|
The
|
|
.I syslog.conf
|
|
file is the main configuration file for
|
|
.BR syslogd (8)
|
|
which logs system messages on *nix systems. This file specifies rules
|
|
for logging. For special features see the
|
|
.BR sysklogd (8)
|
|
manpage.
|
|
|
|
Every rule consists of two fields, a
|
|
.I selector
|
|
field an
|
|
.I action
|
|
and an optional
|
|
.I logrotate
|
|
field. The fields are separated by one or more spaces or tabs. The
|
|
selector field specifies a pattern of facilities and priorities
|
|
belonging to the specified action. The action details where or what to
|
|
do with the selected input. The optional logrotate field is only for
|
|
files and details the max SIZE:COUNT a file can reach before it is
|
|
rotated, and later compressed. The log rotated feature is mostly
|
|
intended for embedded systems that do not want to have cron and a
|
|
separate log rotate daemon.
|
|
|
|
Lines starting with a hash mark (``#'') and empty lines are ignored.
|
|
|
|
This variant of
|
|
.B syslogd
|
|
is able to understand a slightly extended syntax compared to the
|
|
original BSD syslogd.
|
|
One rule may be divided
|
|
into several lines if the leading line is terminated with an backslash
|
|
(``\\'').
|
|
.SH SELECTORS
|
|
The selector field consists of two parts, a
|
|
.I facility
|
|
and a
|
|
.IR priority ,
|
|
separated by a period (``.'').
|
|
Both parts are case insensitive and can also be specified as decimal
|
|
numbers corresponding to the definitions in
|
|
.IR /usr/include/syslog.h .
|
|
It is safer to use symbolic names rather than decimal numbers.
|
|
Both facilities and priorities are described in
|
|
.BR syslog (3).
|
|
The names mentioned below correspond to the similar
|
|
.BR LOG_ -values
|
|
in
|
|
.IR /usr/include/syslog.h .
|
|
|
|
The
|
|
.I facility
|
|
is one of the following keywords:
|
|
.BR auth ", " authpriv ", " cron ", " daemon ", " ftp ", " kern ", " lpr ", "
|
|
.BR mail ", " mark ", " news ", " security " (same as " auth "), "
|
|
.BR syslog ", " user ", " uucp " and " local0 " through " local7 .
|
|
The keyword
|
|
.B security
|
|
is deprecated and
|
|
.B mark
|
|
is only for internal use and therefore should not be used in
|
|
applications. The
|
|
.I facility
|
|
specifies the subsystem that produced the message, e.g. all mail
|
|
programs log with the mail facility
|
|
.RB ( LOG_MAIL )
|
|
if they log using syslog.
|
|
|
|
In most cases anyone can log to any facility, so we rely on convention
|
|
for the correct facility to be chosen. However, generally only the
|
|
kernel can log to the "kern" facility. This is because the implementation
|
|
of openlog() and syslog() in glibc does not allow logging to the "kern"
|
|
facility. Klogd circumvents this restriction when logging to syslogd
|
|
by reimplementing those functions itself.
|
|
|
|
The
|
|
.I priority
|
|
is one of the following keywords, in ascending order:
|
|
.BR debug ", " info ", " notice ", " warning ", " warn " (same as "
|
|
.BR warning "), " err ", " error " (same as " err "), " crit ", "
|
|
.BR alert ", " emerg ", " panic " (same as " emerg ).
|
|
The keywords
|
|
.BR warn ", " error " and " panic
|
|
are deprecated and should not be used anymore. The
|
|
.I priority
|
|
defines the severity of the message
|
|
|
|
The behavior of the original BSD syslogd is that all messages of the
|
|
specified priority and higher are logged according to the given
|
|
action. This
|
|
.BR syslogd (8)
|
|
behaves the same, but has some extensions.
|
|
|
|
In addition to the above mentioned names the
|
|
.BR syslogd (8)
|
|
understands the following extensions: An asterisk (``*'') stands for
|
|
all facilities or all priorities, depending on where it is used
|
|
(before or after the period). The keyword
|
|
.B none
|
|
stands for no priority of the given facility.
|
|
|
|
Multiple facilities may be specified for a single priority pattern in
|
|
one statement using the comma (``,'') operator to separate the
|
|
facilities. You may specify as many facilities as you want.
|
|
Please note that only the facility part from
|
|
such a statement is taken, a priority part would be ignored.
|
|
|
|
Multiple selectors may be specified for a single
|
|
.I action
|
|
using the semicolon (``;'') separator. Selectors are processed from
|
|
left to right, with each selector being able to overwrite preceding ones.
|
|
Using this behavior you are able to exclude some priorities from the pattern.
|
|
|
|
This
|
|
.BR syslogd (8)
|
|
has a syntax extension to the original BSD source, which makes its use
|
|
more intuitive. You may precede every priority with an equation sign
|
|
(``='') to specify that
|
|
.B syslogd
|
|
should only refer to this single priority and not this priority and
|
|
all higher priorities.
|
|
|
|
You may also precide the priority with an exclamation mark (``!'') if
|
|
you want
|
|
.B syslogd
|
|
to ignore this priority and all higher priorities.
|
|
You may even use both, the exclamation mark and the equation sign if
|
|
you want
|
|
.B syslogd
|
|
to ignore only this single priority. If you use both extensions
|
|
than the exclamation mark must occur before the equation sign, just
|
|
use it intuitively.
|
|
.SH ACTIONS
|
|
The action field of a rule describes the abstract term
|
|
``logfile''. A ``logfile'' need not to be a real file, btw. The
|
|
.BR syslogd (8)
|
|
provides the following actions.
|
|
|
|
.SS Regular File
|
|
Typically messages are logged to real files.
|
|
The filename is specified with an absolute pathname.
|
|
|
|
You may prefix each entry with a minus sign (``-'') to avoid syncing
|
|
the file after each log message. Note that you might lose information if
|
|
the system crashes right after a write attempt. Nevertheless this
|
|
might give you back some performance, especially if you run programs
|
|
that use logging in a very verbose manner.
|
|
|
|
.SS Named Pipes
|
|
This version of
|
|
.BR syslogd (8)
|
|
has support for logging output to
|
|
named pipes (fifos). A fifo or named pipe can be used as
|
|
a destination for log messages by prepending a pipe symbol (``|'') to
|
|
the name of the file. This is handy for debugging. Note that the fifo
|
|
must be created with the
|
|
.BR mkfifo (1)
|
|
command before
|
|
.BR syslogd (8)
|
|
is started.
|
|
|
|
.SS Terminal and Console
|
|
If the file you specified is a tty, special tty-handling is done, same
|
|
with
|
|
.IR /dev/console .
|
|
|
|
.SS Remote Machine
|
|
This
|
|
.BR syslogd (8)
|
|
provides full remote logging, i.e. is able to send messages to a
|
|
remote host running
|
|
.BR syslogd (8)
|
|
and to receive messages from remote hosts. The remote
|
|
host won't forward the message again, it will just log them
|
|
locally. To forward messages to another host, prepend the hostname
|
|
with the at sign (``@'').
|
|
|
|
Using this feature you are able to collect all syslog messages on a
|
|
central host, if all other machines log remotely to that one. This
|
|
reduces administration needs.
|
|
|
|
Using a named pipe log method, messages from remote hosts can be sent
|
|
to a log program. By reading log messages line by line such a program
|
|
is able to sort log messages by host name or program name on the
|
|
central log host. This way it is possible to split the log into
|
|
separate files.
|
|
|
|
.SS List of Users
|
|
Usually critical messages are also directed to ``root'' on that
|
|
machine. You can specify a list of users that ought to receive the
|
|
log message on the terminal by writing their usernames.
|
|
You may specify more than one user by
|
|
separating the usernames with commas (``,''). If they're logged in they
|
|
will receive the log messages.
|
|
|
|
.SS Everyone logged on
|
|
Emergency messages often go to all users currently online to notify
|
|
them that something strange is happening with the system. To specify
|
|
this
|
|
.IR wall (1)-feature
|
|
use an asterisk (``*'').
|
|
.SH EXAMPLES
|
|
Here are some examples, partially taken from a real existing site and
|
|
configuration. Hopefully they answer all questions about
|
|
configuring this
|
|
.BR syslogd (8) .
|
|
If not, don't hesitate to contact the mailing list.
|
|
.IP
|
|
.nf
|
|
# Store critical stuff in critical
|
|
#
|
|
*.=crit;kern.none /var/adm/critical
|
|
.fi
|
|
.LP
|
|
This will store all messages of priority
|
|
.B crit
|
|
in the file
|
|
.IR /var/adm/critical ,
|
|
with the exception of any kernel messages.
|
|
|
|
.IP
|
|
.nf
|
|
# Kernel messages are stored in the kernel file,
|
|
# critical messages and higher ones also go
|
|
# to another host and to the console
|
|
#
|
|
kern.* /var/adm/kernel
|
|
kern.crit @finlandia
|
|
kern.crit /dev/console
|
|
kern.info;kern.!err /var/adm/kernel-info
|
|
.fi
|
|
.LP
|
|
The first rule directs any message that has the kernel facility to the
|
|
file
|
|
.IR /var/adm/kernel .
|
|
(But recall that only the kernel itself can log to this facility.)
|
|
|
|
The second statement directs all kernel messages of priority
|
|
.B crit
|
|
and higher to the remote host finlandia. This is useful, because if
|
|
the host crashes and the disks get irreparable errors you might not be
|
|
able to read the stored messages. If they're on a remote host, too,
|
|
you still can try to find out the reason for the crash.
|
|
|
|
The third rule directs kernel messages of priority crit and higher to
|
|
the actual console, so the person who works on the machine will get
|
|
them, too.
|
|
|
|
The fourth line tells the syslogd to save all kernel messages that
|
|
come with priorities from
|
|
.BR info " up to " warning
|
|
in the file
|
|
.IR /var/adm/kernel-info .
|
|
|
|
This is an example of the 2nd selector overwriting part of the first
|
|
one. The first selector selects kernel messages of priority
|
|
.BR info
|
|
and higher. The second selector filters out kernel messages of
|
|
priority
|
|
.BR error
|
|
and higher. This leaves just priorities
|
|
.BR info ", " notice " and " warning
|
|
to get logged.
|
|
|
|
.IP
|
|
.nf
|
|
# The tcp wrapper logs with mail.info, we display
|
|
# all the connections on tty12
|
|
#
|
|
mail.=info /dev/tty12
|
|
.fi
|
|
.LP
|
|
This directs all messages that use
|
|
.BR mail.info " (in source " LOG_MAIL " | " LOG_INFO )
|
|
to
|
|
.IR /dev/tty12 ,
|
|
the 12th console. For example the tcpwrapper
|
|
.BR tcpd (8)
|
|
uses this as its default.
|
|
|
|
.IP
|
|
.nf
|
|
# Write all mail related logs to a file
|
|
#
|
|
mail.*;mail.!=info /var/adm/mail
|
|
.fi
|
|
.LP
|
|
This pattern matches all messages that come with the
|
|
.B mail
|
|
facility, except for the
|
|
.B info
|
|
priority. These will be stored in the file
|
|
.IR /var/adm/mail .
|
|
|
|
.IP
|
|
.nf
|
|
# Log all mail.info and news.info messages to info
|
|
#
|
|
mail,news.=info /var/adm/info
|
|
.fi
|
|
.LP
|
|
This will extract all messages that come either with
|
|
.BR mail.info " or with " news.info
|
|
and store them in the file
|
|
.IR /var/adm/info .
|
|
|
|
.IP
|
|
.nf
|
|
# Log info and notice messages to messages file
|
|
#
|
|
*.=info;*.=notice;\\
|
|
mail.none /var/log/messages
|
|
.fi
|
|
.LP
|
|
The following is almost the same but will also log rotate and compress
|
|
aged out messages. Notice the leading '-' to ensure the file is flushed
|
|
to disk after each message.
|
|
|
|
.IP
|
|
.nf
|
|
# Log all messages, including kernel, to messages file
|
|
# rotated every 100 kiB and keep up to 10 aged out and
|
|
# compressed files.
|
|
*.*;kern,kern.none -/log/messages 1048576:10
|
|
|
|
.fi
|
|
.LP
|
|
This lets the
|
|
.B syslogd
|
|
log all messages that come with either the
|
|
.BR info " or the " notice
|
|
priority into the file
|
|
.IR /var/log/messages ,
|
|
except for all messages that use the
|
|
.B mail
|
|
facility.
|
|
|
|
.IP
|
|
.nf
|
|
# Log info messages to messages file
|
|
#
|
|
*.=info;\\
|
|
mail,news.none /var/log/messages
|
|
.fi
|
|
.LP
|
|
This statement causes the
|
|
.B syslogd
|
|
to log all messages that come with the
|
|
.B info
|
|
priority to the file
|
|
.IR /var/log/messages .
|
|
But any message coming either with the
|
|
.BR mail " or the " news
|
|
facility will not be stored.
|
|
|
|
.IP
|
|
.nf
|
|
# Emergency messages will be displayed using wall
|
|
#
|
|
*.=emerg *
|
|
.fi
|
|
.LP
|
|
This rule tells the
|
|
.B syslogd
|
|
to write all emergency messages to all currently logged in users. This
|
|
is the wall action.
|
|
|
|
.IP
|
|
.nf
|
|
# Messages of the priority alert will be directed
|
|
# to the operator
|
|
#
|
|
*.alert root,joey
|
|
.fi
|
|
.LP
|
|
This rule directs all messages of priority
|
|
.B alert
|
|
or higher to the terminals of the operator, i.e. of the users ``root''
|
|
and ``joey'' if they're logged in.
|
|
|
|
.IP
|
|
.nf
|
|
*.* @finlandia
|
|
.fi
|
|
.LP
|
|
This rule would redirect all messages to a remote host called
|
|
finlandia. This is useful especially in a cluster of machines where
|
|
all syslog messages will be stored on only one machine.
|
|
.SH CONFIGURATION FILE SYNTAX DIFFERENCES
|
|
.B Syslogd
|
|
uses a slightly different syntax for its configuration file than
|
|
the original BSD sources. Originally all messages of a specific priority
|
|
and above were forwarded to the log file. The modifiers ``='', ``!''
|
|
and ``-'' were added to make the
|
|
.B syslogd
|
|
more flexible and to use it in a more intuitive manner.
|
|
|
|
The original BSD syslogd doesn't understand spaces as separators between
|
|
the selector and the action field.
|
|
.SH FILES
|
|
.PD 0
|
|
.TP
|
|
.I /etc/syslog.conf
|
|
Configuration file for
|
|
.B syslogd
|
|
.SH BUGS
|
|
The effects of multiple selectors are sometimes not intuitive. For
|
|
example ``mail.crit,*.err'' will select ``mail'' facility messages at
|
|
the level of ``err'' or higher, not at the level of ``crit'' or
|
|
higher.
|
|
|
|
Also, if you specify a selector with an exclamation mark in it
|
|
which isn't preceded by a corresponding selector without an
|
|
exclamation mark, nothing will be logged. Intuitively, the
|
|
selector ``ftp.!alert'' on its own will select all ftp messages
|
|
with priorities less than alert. In fact it selects nothing.
|
|
Similarly ``ftp.!=alert'' might reasonably be expected to select
|
|
all ftp messages other than those with priority alert, but again
|
|
it selects nothing. It seems the selectors with exclamation
|
|
marks in them should only be used as `filters' following
|
|
selectors without exclamation marks.
|
|
|
|
Finally, using a backslash to divide a line into two doesn't
|
|
work if the backslash is used immediately after the end of the
|
|
selector, without intermediate whitespace.
|
|
|
|
.SH SEE ALSO
|
|
.BR sysklogd (8),
|
|
.BR klogd (8),
|
|
.BR logger (1),
|
|
.BR syslog (2),
|
|
.BR syslog (3).
|
|
.SH AUTHORS
|
|
The
|
|
.B syslogd
|
|
is taken from BSD sources, Greg Wettstein <greg@wind.enjellic.com>
|
|
performed the port to Linux, Martin Schulze <joey@infodrom.org>
|
|
fixed some bugs, added several new features and took over maintenance.
|