.\" -*- nroff -*- .\" Copyright 1994-1996 Dr. Greg Wettstein, Enjellic Systems Development. .\" Copyright 1997-2008 Martin Schulze .\" Copyright 2018-2019 Joachim Nilsson .\" .\" May be distributed under the GNU General Public License .\" .Dd Oct 30, 2019 .Dt syslogd 8 .Os "sysklogd (2.0)" .Sh NAME .Nm syslogd .Nd System Log Daemon .Sh SYNOPSIS .Nm .Op Fl ?46Adnsv .Op Fl a Ar addr[/len][:port] .Op Fl a Ar name[:port] .Op Fl b Ar addr[:port] .Op Fl b Ar :port .Op Fl f Ar file .Op Fl m Ar sec .Op Fl P Ar file .Op Fl p Ar sock .Op Fl r Ar size[:count] .Sh DESCRIPTION .Nm support RFC3164 and RFC5424 style log messages for both local and remote logging using Internet and UNIX domain sockets. Differences in style is shown below. The optional companion daemon, .Xr klogd 8 , can be used to trap kernel messages and interpret events like Oops. By default .Nm klogd is not built and .Nm handles reading and logging of kernel messages. .Pp .Bl -tag -compact -width "RFC3164:" .It RFC3164: .Cm Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here. .It RFC5424: .Cm 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here. .El .Pp Note, for remote logging the messages are prefixed with .Cm or .Cm 1 , respectively. .Pp .Nm is derived from BSD sources, today .Fx is the reference for .Nm and .Nx for the new .Xr syslogp 3 API, which fully supports the new features of RFC5424. Please note; 1) the intention is to follow standard BSD .Nm behavior, 2) despite having a stand-alone .Xr syslog 3 , and .Xr syslogp 3 API in .Lb libsyslog , this version of .Nm interacts transparently with the standard C library .Xr syslog 3 API, as implemented in GLIBC, musl libc, and uClibc. .Pp When .Nm starts up it reads its main configuration file .Pa /etc/syslog.conf , or an alternate file given with the .Fl f Ar file option. For details on how to configure syslog priority (facility.severity) filtering, see .Xr syslog.conf 5 . .Sh OPTIONS .Bl -tag -width Ds .It Fl 4 Force .Nm to use IPv4 addresses only. .It Fl 6 Force .Nm to use IPv6 addresses only. .It Fl A Ordinarily, .Nm tries to send the message to only one address even if the host has more than one A or AAAA record. If this option is specified, .Nm tries to send the message to all addresses. .It Fl a Ar address[/len][:service] | Fl a Ar domainname[:service] Allow peers to log to this syslogd using UDP datagrams. Multiple .Fl a options may be specified. Any .Fl a option is ignored if the .Fl s option is also specified. .Pp The peer argument may be any of the following: .Bl -tag -width 'address[/len][:service]' .It Ql address[/len][:service] Accept datagrams from IP .Ar address , which can be specified as an IPv4 address or as an IPv6 address enclosed with .Sq \&[ and .Sq \&] . If specified, service is the name or port number of an UDP service (see .Xr services 5 ) the source packet must belong to. A service of .Ql * accepts UDP packets from any source port. The default service is .Ql syslog . If .Ar address is an IPv4 address, a missing prefix .Ar len will be substituted by the historic class A or class B netmasks if .Ar address belongs in the address range of class A or B, respectively, or by' .Ar /24 otherwise. If .Ar address is an IPv6 address, a missing prefix .Ar len will be substituted by 128. .It Ql domainname[:service] Accept datagrams where the reverse address lookup yields .Ar domainname for the sender address. The meaning of .Ar service is as explained above. .Ar domainname can contain special characters of a shell-style pattern such as .Ql * . .El .It Fl b Ar address[:service] .It Fl b Ar :service Bind to a specific address and/or port. The address can be specified as a hostname, and the port as a service name. If an IPv6 address is specified, it should be enclosed with .Sq \&[ and .Sq \&] . The default service is .Ql syslog (514/udp). This option can be specified multiple times to bind to multiple addresses and/or ports. .It Fl d Turns on debug mode. This implicitly enables .Fl n to prevent .Nm from backgrounding itself. Debug information is written to the current TTY. SIGUSR1 is required to confirm continued debug messages when the daemon has finished starting up. See the .Sx DEBUGGING section for more information. .It Fl f Ar file Specify an alternative configuration file instead of the default .Pa /etc/syslog.conf . .It Fl m Ar seconds .Nm logs a mark timestamp regularly. The default interval between two .Ql -- MARK -- lines is 20 minutes. This can be changed with this option. Setting this to zero disables log marks entirely. .Pp Depending on other log messages generated these lines may not be written consecutively. The .Ql -- MARK -- message is only written if the log file hasn't been touched in .Ar (seconds * 60) / 2 minutes. .It Fl n Run in foreground, required when run from a modern init/supervisor. See your system .Xr init 1 for details. .It Fl P Ar file Specify an alternate file in which to store the process ID. The default is .Pa /var/run/syslog.pid . .It Fl p Ar socket Specify an alternate UNIX domain socket instead of the default .Pa /dev/log . When a single .Fl p option is specified, the default pathname is replaced with the specified one. When two or more .Fl p options are specified, the remaining pathnames are treated as additional log sockets. This might be needed when running applications in containers or a .Xr chroot 8 environment. .It Fl r Ar size[:count] Enable built-in support for log rotation of files listed in .Pa /etc/syslog.conf . This feature is particulary useful for small and embedded systems that do not want the overhead of .Xr cron 8 and .Xr logrotate 8 . .Pp The option controls the max size and number of backup files kept by the built-in log-rotation. When present on the command line it activates log rotation of all files with the given maximum size. It is also possible to control log rotate per log file, see .Xr syslog.conf 5 for details. .Pp The size argument takes optional modifiers; k, M, G. E.g., 100M is 100MB, 42k is 42 kB, etc. .Pp The optional number of files kept include both gzipped files and the first rotated (not zipped) file. The default for this, when omitted, is 5. .It Fl s Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines. .It Fl v Print .Nm version and exit. .Sh CONFIGURATION FILE SYNTAX DIFFERENCES .Nm uses a slightly different syntax for its configuration file than the original BSD sources. First, rules may now also have a third field .Cm ;OPTION . Several options are supported, comma separated, that control formatting and log rotation, for more on this see .Xr syslog.conf 5 . Second, originally all messages of a specific priority and above were forwarded to the log file. .Pp For example the following line send all output from daemons using the daemon facilities (debug is the lowest priority, so every higher will also match) to go into .Pa /var/log/daemons : .Bd -literal -offset indent # Sample syslog.conf daemon.debug /var/log/daemons .Ed .Pp With .Nm this behavior remains the same. The difference is the addition of four additional specifiers, the asterisk ('*') wildcard, the equation sign ('='), the exclamation mark ('!'), and the minus sign ('-'). .Pp The '*' specifies that all messages for the specified facility are to be directed to the destination. Note that this behavior is degenerate with specifying a priority level of debug. Users have indicated that the asterisk notation is more intuitive. .Pp The '=' wildcard is used to restrict logging to the specified priority class. This allows, for example, routing only debug messages to a particular logging source. .Pp For example, the following line in .Pa /etc/syslog.conf directs debug messages from all sources to the .Pa /var/log/debug file in RFC5424 format, with log rotation every 512 kiB, saving only 20 files in total (including the non-rotated file): .Bd -literal -offset indent # Sample syslog.conf *.=debug -/var/log/debug ;RFC5424,rotate=512k:20 .Ed .Pp .\" The '!' as the first character of a priority inverts the above .\" mentioned interpretation. The '!' is used to exclude logging of the specified priorities. This affects all (!) possibilities of specifying priorities. .Pp For example the following lines in .Pa syslog.conf log all messages of facility .Ql mail except those with priority .Ql info to the .Pa /var/log/mail file. All messages from .Ql news.info (including) to .Ql news.crit (excluding) are logged to the .Pa /var/log/news file. .Bd -literal -offset indent # Sample syslog.conf mail.*;mail.!=info /var/log/mail news.info;news.!crit /var/log/news .Ed .Pp You may use it intuitively as an exception specifier. The above mentioned interpretation is simply inverted. For example, to skip every message with facility .Ar mail : .Bd -literal -offset indent mail.none .Ed or .Bd -literal -offset indent mail.!* .Ed or .Bd -literal -offset indent mail.!debug .Ed .Pp The '-' may only be used to prefix a filename if you want to omit sync'ing the file after every write to it. .Sh REMOTE LOGGING .Nm has network support enabled by default. Meaning, when it starts up it opens a socket for sending to remote servers and also binds it to listen for incoming syslog messages over UDP port 514. For this to work correctly the .Xr services 5 file (typically found in .Pa /etc/services ) must have the following entry: .Bd -literal -offset indent syslog 514/udp .Ed .Pp If this entry is missing .Nm by default disables networking completely. This can also be achieved by the .Fl s flag. However, .Nm can listen to any port, named or by value. Use the .Fl b Ar :5514 flag to bind a socket to (unprivileged) port 5514 instead. .Pp To forward messages to to a remote host, create a rule in .Pa syslog.conf with the name of the hostname to which the messages is to be sent prepended with an at .Sq ( @ ) sign. By default, .Nm sends messages to remote servers in the old-school .Ql BSD format, without timestamp and hostname. This is for compatibility reasons. Append the .Ql ;RFC5424 option to the rule to enable RFC5424 style formatting which includes RFC3339 timestamp and hostname information. .Pp For example, to forward .Sy ALL messages to a remote host use the following .Pa syslog.conf entry: .Bd -literal -offset indent # Sample syslogd configuration file to forward all message # messages to a remote host using RFC5424 style formatting *.* @hostname ;RFC5424 .Ed .Pp To forward all .Ql kernel messages to a remote host (in old-school BSD formatting) the configuration file would be as follows: .Bd -literal -offset indent # Sample configuration file to forward all kernel messages # to a remote host. kern.* @hostname .Ed .Pp If the remote hostname cannot be resolved at startup, because the name server might not yet be accessible (maybe started later in the boot sequence), .Nm will retry resolving the name ten times before logging the error. Another possibility to avoid this is to place the hostname in .Pa /etc/hosts . .Pp If the remote host is located in the same domain as the host, .Nm is running on, only the simple hostname will be logged instead of the whole FQDN. .Sh NAMED PIPES A FIFO, or named pipe, can be used as a destination for log messages by prepending a pipy symbol ('|') to the name of the file. This is very handy for debugging. Note, the FIFO must be created with the .Xr mkfifo 1 command before .Nm is started. .Pp The following configuration file routes debug messages from the kernel to a FIFO: .Bd -literal -offset indent # Sample configuration to route kernel debugging messages # ONLY to /var/log/debug which is a named pipe. kern.=debug |/var/log/debug .Ed .Sh SECURITY There is the potential for .Nm to be used as a conduit for a denial of service attack. Thanks go to .An John Morrison Aq Mt jmorriso@rflab.ee.ubc.ca for alerting the project of this. A rogue program(mer) could very easily flood .Nm with syslog messages resulting in the log files consuming all the remaining space on the filesystem. Activating logging over network domain sockets will of course expose a system to risks outside of programs or individuals on the local machine. .Pp There are a number of methods of protecting a machine: .Bl -enum .It Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket. .It Logging can be directed to an isolated or non-root filesystem which, if filled, will not impair the machine. .It The ext2 filesystem can be used which can be configured to limit a certain percentage of a filesystem to usage by root only. .Sy NOTE: this requires .Nm to be run as a non-root process. Also, this prevents usage of remote logging since .Nm will be unable to bind to the 514/UDP socket. .It Disabling inet domain sockets will limit risk to the local machine. .El .Sh DEBUGGING When debug mode ( .Fl d ) is enabled .Nm is very verbose, writing most of what it does on stdout. Whenever the configuration file is reread and re-parsed you'll see a tabular, corresponding to the internal data structure. This tabular consists of four fields: .Pp .Bl -tag -width arguments .It number This field contains a serial number starting by zero. This number represents the position in the internal data structure (i.e. the array). If one number is left out then there might be an error in the corresponding line in .Pa /etc/syslog.conf . .It pattern This field is tricky and represents the internal structure exactly. Every column stands for a facility, refer to .Xr syslogp 3 . As you can see, there are still some facilities left free for former use, only the left most are used. Every field in a column represents the priorities, refer to .Xr syslogp 3 . .It action This field describes the particular action that takes place whenever a message is received that matches the pattern. Refer to the .Xr syslog.conf 5 manpage for all possible actions. .It arguments This field shows additional arguments to the actions in the last field. For file-logging this is the filename for the logfile; for user-logging this is a list of users; for remote logging this is the hostname of the machine to log to; for console-logging this is the used console; for tty-logging this is the specified tty; wall has no additional arguments. .El .Sh SIGNALS .Nm supports the following signals: .Pp .Bl -tag -width "TERM, QUIT" .It HUP This lets .Nm perform a re-initialization. All open files are closed, the configuration file (see above) is reread and the .Xr syslog 3 facility is started again. .It TERM This tells .Nm to exit gracefully. Flushing any log files to disk. .It INT, QUIT In debug mode these are ignored. In normal operation they act as SIGTERM. .It USR1 In debug mode this switches debugging on/off. In normal operation it is ignored. .El .Pp For convenience the PID is by default stored in .Pa /var/run/syslogd.pid . A script can look for the existance of this file to determine if .Nm is running, and then send signals: .Bd -literal -offset indent kill -SIGNAL `cat /var/run/syslogd.pid` .Ed .Sh FILES .Bl -tag -width TERM .It Pa /dev/log The UNIX domain socket to from where local syslog messages are read. .It Pa /proc/kmsg The Linux kernel log file .Nm reads when built without the optional .Nm klogd . .It Pa /etc/syslog.conf Configuration file for .Nm . See .Xr syslog.conf 5 for more information. .It Pa /etc/syslog.d/*.conf Conventional sub-directory of .Pa .conf files read by .Nm . .It Pa /etc/syslog.d/50-default.conf Conventional name for default rules. .It Pa /var/run/syslogd.pid The file containing the process id of .Nm . .El .Sh BUGS The ability to log messages received in UDP packets is equivalent to an unauthenticated remote disk-filling service, and should probably be disabled .Fl ( s ) by default. (The shipped systemd unit file disables this by default.) A future version of .Nm may include support for TLS, RFC5425, which includes authentication of both senders and receivers. .Pp As mentioned in the .Sx DESCRIPTION , .Nm transparently supports the standard C library .Xr syslog 3 API. If a binary linked to the standard C libraries does not operate correctly, this should be reported as a bug to this project. See below for contact details. .Pp .Nm doesn't change the file mode of opened log files at any stage. If a file is created it is world readable. If you want to avoid this, you have to create it and change permissions on your own. This could be done in combination with rotating logfiles using the .Xr savelog 8 program that is shipped in the .Nm smail 3.x distribution. Remember that it might be a security hole if everybody is able to read .Ql auth.* messages as these might contain passwords. .Sh SEE ALSO .Xr syslog.conf 5 , .Xr klogd 8 , .Xr logger 1 , .Xr syslog 2 , .Xr syslogp 3 , .Xr services 5 , .Xr savelog 8 . .Sh AUTHORS The system log daemon .Nm is originally taken from BSD sources and later updated with new funcitonality from .Fx and .Nx . .An -nosplit .An Greg Wettstein Aq Mt greg@wind.enjellic.com performed the initial port to Linux. .An Martin Schulze Aq Mt joey@infodrom.org fixed some bugs, added several new features and took over maintenance. .An Joachim Nilsson Aq Mt troglobit@gmail.com later picked up the aging .Nm sysklogd project and gave it a home at GitHub with new features imported from .Fx and .Nx .