sysklogd/man/syslog.conf.5
2021-12-21 16:32:20 +01:00

573 lines
20 KiB
Groff

.\" -*- nroff -*-
.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
.\" $FreeBSD$
.\"
.Dd February 21, 2021
.Dt SYSLOG.CONF 5
.Os sysklogd
.Sh NAME
.Nm syslog.conf
.Nd configuration file format for
.Xr syslogd 8
.Sh DESCRIPTION
The
.Nm
file is the configuration file for the
.Xr syslogd 8
program. It consists of lines of rules for logging, with each line
containing at least two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria. A rule may also have an
.Em option
field for a setting that applies only to that rule.
.Pp
The fields are separated by one or more tab characters or spaces. A
rule may be divided into several lines if the leading line ends with a
single backslash ('\\') character.
.Pp
.Bd -literal -offset indent
RULE := SELECTOR ACTION [;OPTION]
SELECTOR := [SELECTOR;]facility[,facility].[!=]severity
ACTION := /path/to/file
|= |/path/to/named/pipe
|= @remote[.host.tld][:PORT]
OPTION := [OPTION,]
|= RFC3164
|= RFC5424
|= rotate=SIZE:COUNT
.Ed
.Pp
The
.Em selector
field specifies a pattern of facilities and priorities belonging to the
specified action. The
.Em action
details where or what to do with the selected input. The
.Em option
field, which must start with the semi-colon option delimiter (';'),
currently supports log formatting and log rotation. The default log
format is the traditional RFC3164 (included here for completeness),
.Sy except
for remote syslog targets where the BSD format (without both timestamp
and hostname) is the default. The user must explicitly set RFC3164 on
a remote logging target. RFC5424 is the newest format with RFC3339 time
stamps, msgid, structured data, and more. The BSD format cannot be set,
it is only the default for remote targets for compatibility reasons.
.Pp
.Bl -tag -compact -width "RFC3164:"
.It Sy BSD:
.Li myproc[8710]: Kilroy was here.
.It Sy RFC3164:
.Li Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
.It Sy RFC5424:
.Li 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.
.El
.Pp
The log rotation, which is only relevant for files, details the max
.Ar SIZE:COUNT
a file can reach before it is rotated, and later compressed. This
feature is mostly intended for embedded systems that do not want to have
cron or a separate log rotate daemon.
.Pp
Comments, lines starting with a hash mark ('#'), and empty lines are
ignored. If an error occurs during parsing the whole line is ignored.
.Pp
A special
.Em include
keyword can be used to include all files with names ending in '.conf'
and not beginning with a '.' contained in the directory following the
keyword. This keyword can only be used in the first level configuration
file. The included example
.Pa /etc/syslog.conf
has the following at the end:
.Bd -literal -offset indent
#
# Drop your subsystem .conf file in /etc/syslog.d/
#
include /etc/syslog.d/*.conf
.Ed
.Pp
Note that if you use spaces as separators, your
.Nm
might be incompatible with other Unices or Unix-like systems.
This functionality was added for ease of configuration
(e.g.\& it is possible to cut-and-paste into
.Nm ) ,
and to avoid possible mistakes.
This change however preserves
backwards compatibility with the old style of
.Nm
(i.e., tab characters only).
.Sh SELECTORS
The selector field consists of two parts, a
.Em facility
and a
.Em priority ,
separated by a period ('.'). Both parts are case insensitive and can
also be specified as decimal numbers corresponding to the definitions in
.Pa /usr/include/syslog.h .
It is safer to use symbolic names rather than decimal numbers. Both
facilities and priorities are described in
.Xr syslogp 3 .
The names mentioned below correspond to the similar
.Ql LOG_FOO
values in
.Pa /usr/include/syslog.h .
.Pp
The
.Em facility
is one of the following keywords:
.Bl -column "Code" "Facility" "Description" -offset indent
.It Sy "Code" Ta Sy "Facility" Ta Sy "Description"
.It 0 Ta kern Ta Kernel log messages
.It 1 Ta user Ta User-level messages
.It 2 Ta mail Ta Mail system
.It 3 Ta daemon Ta General system daemons
.It 4 Ta auth Ta Security/authorization messages
.It 5 Ta syslog Ta Messages generated by syslogd
.It 6 Ta lpr Ta Line printer subsystem
.It 7 Ta news Ta Network news subsystem
.It 8 Ta uucp Ta UNIX-to-UNIX copy
.It 9 Ta cron Ta Clock/cron daemon (BSD, Linux)
.It 10 Ta authpriv Ta Security/authorization messages (private)
.It 11 Ta ftp Ta FTP daemon
.It 12 Ta ntp Ta NTP subsystem
.It 13 Ta security Ta Log audit
.It 14 Ta console Ta Log alert
.It 15 Ta unused Ta Clock/cron daemon (Solaris)
.It 16 Ta local0 Ta Reserved for local/system use
.It 17 Ta local1 Ta Reserved for local/system use
.It 18 Ta local2 Ta Reserved for local/system use
.It 19 Ta local3 Ta Reserved for local/system use
.It 20 Ta local4 Ta Reserved for local/system use
.It 21 Ta local5 Ta Reserved for local/system use
.It 22 Ta local6 Ta Reserved for local/system use
.It 23 Ta local7 Ta Reserved for local/system use
.El
.Pp
Notice, several of the above listed facilities are not supported by the
standard C library (GLIBC, musl libc, or uClibc) on Linux. libsyslog,
shipped with
.Nm sysklogd ,
however, supports all the above facilities in full. Also, the keyword
.Ql mark
is only for internal use and should therefore not be used in
applications. The
.Em facility
specifies the subsystem that produced the message, e.g. all mail
programs log with the mail facility,
.Ql LOG_MAIL ,
if they log using syslog.
.Pp
In most cases anyone can log to any facility, so we rely on convention
for the correct facility to be chosen. However, generally only the
kernel can log to the
.Ql kern
facility. This because the implementation of
.Xr openlog 3
and
.Xr syslog 3
in GLIBC does not allow logging to the
.Ql kern
facility.
.Pp
The
.Em priority
is one of the following keywords, in ascending order:
.Bl -column "Code" "Facility" "Description" -offset indent
.It Sy "Value" Ta Sy "Severity" Ta Sy "Description"
.It 0 Ta emergency Ta System is unusable
.It 1 Ta alert Ta Action must be taken immediately
.It 2 Ta critical Ta Critical conditions
.It 3 Ta error Ta Error conditions
.It 4 Ta warning Ta Warning conditions
.It 5 Ta notice Ta Normal but significant conditions
.It 6 Ta info Ta Informational messages
.It 7 Ta debug Ta Debug-level messages
.El
.Pp
The default log level of most applications is
.Ql notice ,
meaning only
.Ql notice
and above are forwarded to
.Nm syslogd .
See
.Xr setlogmask 3
for more information on how to change the default log level of your
application.
.Pp
In addition to the above mentioned facility and priority names,
.Xr syslogd 8
understands the following extensions:
.Pp
.Bl -tag -compact -width "'none'"
.It *
An asterisk ('*') matches all facilities or all priorities, depending on
where it is used (before or after the period).
.It none
The keyword
.Ql none
stands for no priority of the given facility.
.It ,
Multiple facilities may be specified for a single priority pattern in
one statement using the comma (',') operator to separate the facilities.
You may specify as many facilities as you want. Please note that only
the facility part from such a statement is taken, a priority part would
be ignored.
.It ;
Multiple selectors may be specified for a single
.Em action
using the semicolon (';') separator. Selectors are processed from left
to right, with each selector being able to overwrite preceding ones.
Using this behavior you are able to exclude some priorities from the
pattern.
.It =
This version of
.Xr syslogd 8
has a syntax extension to the original BSD source, which makes its use
more intuitive. You may precede every priority with an equation sign
('=') to specify that only this single priority should be matched,
instead of the default: this priority and all higher priorities.
.It !
You may also precede the priority with an exclamation mark ('!') if you
want to ignore this priority and all higher priorities. You may even
use both the exclamation mark and the equation sign if you want to
ignore a single priority. If both extensions are used, the exclamation
mark must occur before the equation sign.
.El
.Sh ACTIONS
The action field of a rule is the destination or target for a match. It
can be a file, a UNIX named pipe, the console, or a remote machine.
.Ss Regular File
Typically messages are logged to real files. The filename is specified
with an absolute path name.
.Pp
You may prefix each entry with a minus sign ('-') to avoid syncing the
file after each log message. Note that you might lose information if
the system crashes right after a write attempt. Nevertheless this might
give you back some performance, especially if you run programs that use
logging in a very verbose manner.
.Ss Named Pipes
This version of
.Xr syslogd 8
supports logging to named pipes (FIFOs). A FIFO, or named pipe, can be
used as a destination for log messages by prepending a pipe symbol ('|')
to the name of the file. This can be very handy for debugging. Note
that the FIFO must be created with the
.Xr mkfifo 1
command before
.Nm syslogd
is started.
.Ss Terminal and Console
If the file you specified is a tty, special tty-handling is done, same
with
.Pa /dev/console .
.Ss Remote Machine
Full remote logging support is available in
.Nm syslogd ,
i.e. to send messages to a remote syslog server, and and to receive
messages from remote hosts. To forward messages to another host,
prepend the hostname with the at sign ('@'). If a port number is added
after a colon (':') then that port will be used as the destination port
rather than the usual syslog port.
.Pp
This feature makes it possible to collect all syslog messages in a
network on a central host. This reduces administration needs and
can be really helpful when debugging distributed systems.
.Pp
Using a named pipe log method, messages from remote hosts can be sent to
a log program. By reading log messages line by line such a program is
able to sort log messages by host name or program name on the central
log host. This way it is possible to split the log into separate files.
.Pp
By default messages to remote remote hosts were formatted in the original
BSD style, without timestamp or hostname. As of
.Nm syslogd
v2.0 the default includes timestamp and hostname. It is also possible to
enable the new RFC5424 style formatting, append ';RFC5424' after the
hostname.
.Ss List of Users
Usually critical messages are also directed to
.Ql root
on that machine. You can specify a list of users that ought to receive
the log message on their terminal by writing their usernames. You may
specify more than one user by separating the usernames with commas
(','). Only logged in users will receive the log messages.
.Ss Everyone logged on
Emergency messages often go to all users currently online to notify them
that something strange is happening with the system. To specify this
.Xr wall 1
feature use an asterisk ('*').
.Sh IMPLEMENTATION NOTES
The
.Dq kern
facility is usually reserved for messages
generated by the local kernel.
Other messages logged with facility
.Dq kern
are usually translated to facility
.Dq user .
This translation can be disabled;
see
.Xr syslogd 8
for details.
.Sh FILES
.Bl -tag -width /etc/syslog.d/*.conf -compact
.It Pa /etc/syslog.conf
.Xr syslogd 8
configuration file
.It /etc/syslog.d/*.conf
Recommended directory for .conf snippets
.El
.Sh EXAMPLES
This section lists some examples, partially from actual site setups.
.Ss Catch Everything
This example matches all facilities and priorities and stores everything
in the file
.Pa /var/log/syslog
in RFC5424 format. Every time the file reaches 10 MiB it is rotated and
five files in total are kept, including the non-rotated file.
.Bd -literal -offset indent
# Match all log messages, store in RC5424 format and rotate every 10 MiB
#
*.* /var/log/critical ;rotate=10M:5,RFC5424
.Ed
.Ss Critical
This stores all messages of priority
.Ql crit
in the file
.Pa /var/log/critical ,
with the exception of any kernel messages.
.Bd -literal -offset indent
# Store critical stuff in critical
#
*.=crit;kern.none /var/log/critical
.Ed
.Ss Kernel
This is an example of the 2nd selector overwriting part of the first
one. The first selector selects kernel messages of priority
.Ql info
and higher. The second selector filters out kernel messages of priority
.Ql error
and higher. This leaves just priorities
.Ql info ,
.Ql notice ,
and
.Ql warning
to get logged.
.Bd -literal -offset indent
# Kernel messages are stored in the kernel file, critical messages and
# higher ones also go to another host and to the console
#
kern.* /var/log/kernel
kern.crit @arpa.berkeley.edu ;RFC5424
kern.crit /dev/console
kern.info;kern.!err /var/log/kernel.info
.Ed
.Pp
The first rule directs any message that has the kernel facility to the
file
.Pa /var/log/kernel .
Recall that only the kernel itself can log to this facility.
.Pp
The second statement directs all kernel messages of priority
.Ql crit
and higher to the remote host
.Ql arpa.berkeley.edu
in RFC5424 style formatting. This is useful, because if the host
crashes and the disks get irreparable errors you might not be able to
read the stored messages. If they're on a remote host, too, you still
can try to find out the reason for the crash.
.Pp
The third rule directs kernel messages of priority
.Ql crit
and higher to the actual console, so the person who works on the machine
will get them, too.
.Pp
The fourth line tells
.Nm syslogd
to save all kernel messages that come with priorities from
.Ql info
up to
.Ql warning
in the file
.Pa /var/log/kernel.info .
.Ss Redirecting to a TTY
This directs all messages that use
.Ql mail.info
(in source
.Ql LOG_MAIL | LOG_INFO )
to
.Pa /dev/tty12 ,
the 12th console. For example the tcpwrapper
.Xr tcpd 8
uses this as its default.
.Bd -literal -offset indent
# The tcp wrapper logs with mail.info, we display
# all the connections on tty12
#
mail.=info /dev/tty12
.Ed
.Ss Redirecting to a file
This pattern matches all messages that come with the
.Ql mail
facility, except for the
.Ql info
priority. These will be stored in the file
.Pa /var/log/mail .
.Bd -literal -offset indent
# Write all mail related logs to a file
#
mail.*;mail.!=info /var/log/mail
.Ed
.Ss Single Priority from Two Facilities
This will extract all messages that come either with
.Ql mail.info
or with
.Ql news.info
and store them in the file
.Pa /var/log/info .
.Bd -literal -offset indent
# Log all mail.info and news.info messages to info
#
mail,news.=info /var/log/info
.Ed
.Ss Advanced Filtering, part 1
This logs all messages that come with either the
.Ql info
or the
.Ql notice
priority into the file
.Pa /var/log/messages ,
except for all messages that use the
.Ql mail
facility.
.Bd -literal -offset indent
# Log info and notice messages to messages file
#
*.=info;*.=notice;\\
mail.none /var/log/messages
.Ed
.Ss Advanced Filtering, part 2
This statement logs all messages that come with the
.Ql info
priority to the file
.Pa /var/log/messages .
But any message with either
.Ql mail
or the
.Ql news
facility are not logged.
.Bd -literal -offset indent
# Log info messages to messages file
#
*.=info;\\
mail,news.none /var/log/messages
.Ed
.Ss Wall Messages
This rule tells
.Nm syslogd
to write all emergency messages to all currently logged in users. This
is the wall action.
.Bd -literal -offset indent
# Emergency messages will be displayed using wall
#
*.=emerg *
.Ed
.Ss Alerting Users
This rule directs all messages of priority
.Ql alert
or higher to the terminals of the operator, i.e. of the users 'root'
and 'eric', if they're logged in.
.Bd -literal -offset indent
# Any logged in root user and Eric get alert and higher messages.
#
*.alert root,eric
.Ed
.Ss Log Rotation
This example logs all messages except kernel messages to the file
.Pa /var/log/messages
without syncing ('-') the file after each log message. When the file
reaches 100 kiB it is rotated. In total are only 10 rotated files,
including the main file itself and compressed files kept. The size
argument takes the same modifiers as the
.Xr syslogd 8
command line option,
.Fl r .
.Bd -literal -offset indent
# Log all messages, including kernel, to the messages file rotate it
# every 100 kiB and keep up to 10 aged out, and compressed, files.
#
*.*;kern.none -/var/log/messages ;rotate=100k:10
.Ed
.Ss Logging to Remote Syslog Server
This rule redirects all messages to one remote host called
.Ql finlandia ,
with RFC5424 style formatting, and another remote host called
.Ql sibelius ,
but on a non-standard port and with RFC3164 formatting (i.e.,
including timestamp and hostname).
.Bd -literal -offset indent
*.* @finlandia ;RFC5424
*.* @sibelius:5514 ;RFC3164
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogd 8
.Sh BUGS
The effects of multiple
.Em selectors
are sometimes not intuitive.
For example
.Dq mail.crit,*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
.Pp
In networked environments, note that not all operating systems
implement the same set of facilities.
The facilities
authpriv, cron, ftp, and ntp that are known to this implementation
might be absent on the target system.
Even worse, DEC UNIX uses
facility number 10 (which is authpriv in this implementation) to
log events for their AdvFS file system.