49968d977e
- We have the -a PEER and -s to limit exposure to remote attacks - Mention include file syntax in .conf file differences section - Mention SECURITY section in BUGS, there are countermeasures Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
620 lines
17 KiB
Groff
620 lines
17 KiB
Groff
.\" -*- nroff -*-
|
|
.\" Copyright 1994-1996 Dr. Greg Wettstein, Enjellic Systems Development.
|
|
.\" Copyright 1997-2008 Martin Schulze <joey@infodrom.org>
|
|
.\" Copyright 2018-2019 Joachim Nilsson <troglobit@gmail.com>
|
|
.\"
|
|
.\" May be distributed under the GNU General Public License
|
|
.\"
|
|
.Dd Oct 30, 2019
|
|
.Dt syslogd 8
|
|
.Os "sysklogd (2.0)"
|
|
.Sh NAME
|
|
.Nm syslogd
|
|
.Nd System Log Daemon
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl ?46AdFknsTv
|
|
.Op Fl a Ar addr[/len][:port]
|
|
.Op Fl a Ar name[:port]
|
|
.Op Fl b Ar addr[:port]
|
|
.Op Fl b Ar :port
|
|
.Op Fl f Ar file
|
|
.Op Fl m Ar sec
|
|
.Op Fl P Ar file
|
|
.Op Fl p Ar sock
|
|
.Op Fl r Ar size[:count]
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
support RFC3164 and RFC5424 style log messages for both local and remote
|
|
logging using Internet and UNIX domain sockets. Differences in style is
|
|
shown below. The optional companion daemon,
|
|
.Xr klogd 8 ,
|
|
can be used to trap kernel messages and interpret events like Oops. By
|
|
default
|
|
.Nm klogd
|
|
is not built and
|
|
.Nm
|
|
handles reading and logging of kernel messages.
|
|
.Pp
|
|
.Bl -tag -compact -width "RFC3164:"
|
|
.It RFC3164:
|
|
.Cm Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
|
|
.It RFC5424:
|
|
.Cm 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.
|
|
.El
|
|
.Pp
|
|
Note, for remote logging the messages are prefixed with
|
|
.Cm <PRI>
|
|
or
|
|
.Cm <PRI>1 ,
|
|
respectively.
|
|
.Pp
|
|
.Nm
|
|
is derived from BSD sources, today
|
|
.Fx
|
|
is the reference for
|
|
.Nm
|
|
and
|
|
.Nx
|
|
for the new
|
|
.Xr syslogp 3
|
|
API, which fully supports the new features of RFC5424. Please note; 1)
|
|
the intention is to follow standard BSD
|
|
.Nm
|
|
behavior, 2) despite having a stand-alone
|
|
.Xr syslog 3 ,
|
|
and
|
|
.Xr syslogp 3
|
|
API in
|
|
.Lb libsyslog ,
|
|
.Nm
|
|
interacts transparently with the standard C library
|
|
.Xr syslog 3
|
|
API, as implemented in GLIBC, musl libc, and uClibc.
|
|
.Pp
|
|
When
|
|
.Nm
|
|
starts up it reads its main configuration file
|
|
.Pa /etc/syslog.conf ,
|
|
or an alternate file given with the
|
|
.Fl f Ar file
|
|
option. For details on how to configure syslog priority
|
|
(facility.severity) filtering, see
|
|
.Xr syslog.conf 5 .
|
|
.Sh OPTIONS
|
|
.Bl -tag -width Ds
|
|
.It Fl 4
|
|
Force
|
|
.Nm
|
|
to use IPv4 addresses only.
|
|
.It Fl 6
|
|
Force
|
|
.Nm
|
|
to use IPv6 addresses only.
|
|
.It Fl A
|
|
Ordinarily,
|
|
.Nm
|
|
tries to send the message to only one address even if the host has
|
|
more than one A or AAAA record. If this option is specified,
|
|
.Nm
|
|
tries to send the message to all addresses.
|
|
.It Fl a Ar address[/len][:service] | Fl a Ar domainname[:service]
|
|
Allow peers to log to this syslogd using UDP datagrams. Multiple
|
|
.Fl a
|
|
options may be specified. Any
|
|
.Fl a
|
|
option is ignored if the
|
|
.Fl s
|
|
option is also specified.
|
|
.Pp
|
|
The peer argument may be any of the following:
|
|
.Bl -tag -width 'address[/len][:service]'
|
|
.It Ql address[/len][:service]
|
|
Accept datagrams from IP
|
|
.Ar address ,
|
|
which can be specified as an IPv4 address or as an IPv6 address enclosed
|
|
with
|
|
.Sq \&[
|
|
and
|
|
.Sq \&] .
|
|
If specified, service is the name or port number of an UDP service (see
|
|
.Xr services 5 )
|
|
the source packet must belong to. A service of
|
|
.Ql *
|
|
accepts UDP packets from any source port. The default service is
|
|
.Ql syslog .
|
|
If
|
|
.Ar address
|
|
is an IPv4 address, a missing prefix
|
|
.Ar len
|
|
will be substituted by the historic class A or class B netmasks if
|
|
.Ar address
|
|
belongs in the address range of class A or B, respectively, or by'
|
|
.Ar /24
|
|
otherwise. If
|
|
.Ar address
|
|
is an IPv6 address, a missing prefix
|
|
.Ar len
|
|
will be substituted by 128.
|
|
.It Ql domainname[:service]
|
|
Accept datagrams where the reverse address lookup yields
|
|
.Ar domainname
|
|
for the sender address. The meaning of
|
|
.Ar service
|
|
is as explained above.
|
|
.Ar domainname
|
|
can contain special characters of a shell-style pattern such as
|
|
.Ql * .
|
|
.El
|
|
.It Fl b Ar address[:service]
|
|
.It Fl b Ar :service
|
|
Bind to a specific address and/or port. The address can be specified as
|
|
a hostname, and the port as a service name. If an IPv6 address is
|
|
specified, it should be enclosed with
|
|
.Sq \&[
|
|
and
|
|
.Sq \&] .
|
|
The default service is
|
|
.Ql syslog
|
|
(514/udp). This option can be specified multiple times to bind to
|
|
multiple addresses and/or ports.
|
|
.It Fl d
|
|
Turns on debug mode. This implicitly enables
|
|
.Fl F
|
|
to prevent
|
|
.Nm
|
|
from backgrounding itself. Debug information is written to the current
|
|
TTY. SIGUSR1 is required to confirm continued debug messages when the
|
|
daemon has finished starting up. See the
|
|
.Sx DEBUGGING
|
|
section for more information.
|
|
.It Fl F
|
|
Run in foreground, required when run from a modern init/supervisor. See
|
|
your system
|
|
.Xr init 1
|
|
for details.
|
|
.It Fl f Ar file
|
|
Specify an alternative configuration file instead of the default
|
|
.Pa /etc/syslog.conf .
|
|
.It Fl k
|
|
Disable the translation of messages received with facility
|
|
.Ql kern
|
|
to
|
|
facility
|
|
.Ql user .
|
|
Usually the
|
|
.Ql kern
|
|
facility is reserved for kernel log messages. When the
|
|
.Nm klogd
|
|
daemon runs alongside
|
|
.Nm ,
|
|
this option is always set.
|
|
.It Fl m Ar seconds
|
|
.Nm
|
|
logs a mark timestamp regularly. The default interval between two
|
|
.Ql -- MARK --
|
|
lines is 20 minutes. This can be changed with this option. Setting
|
|
this to zero disables log marks entirely.
|
|
.Pp
|
|
Depending on other log messages generated these lines may not be written
|
|
consecutively. The
|
|
.Ql -- MARK --
|
|
message is only written if the log file hasn't been touched in
|
|
.Ar (seconds * 60) / 2
|
|
minutes.
|
|
.It Fl n
|
|
Disable DNS query for every request.
|
|
.It Fl P Ar file
|
|
Specify an alternate file in which to store the process ID.
|
|
The default is
|
|
.Pa /var/run/syslog.pid .
|
|
.It Fl p Ar socket
|
|
Specify an alternate UNIX domain socket instead of the default
|
|
.Pa /dev/log .
|
|
When a single
|
|
.Fl p
|
|
option is specified, the default pathname is replaced with the specified
|
|
one. When two or more
|
|
.Fl p
|
|
options are specified, the remaining pathnames are treated as additional
|
|
log sockets. This might be needed when running applications in
|
|
containers or a
|
|
.Xr chroot 8
|
|
environment.
|
|
.It Fl r Ar size[:count]
|
|
Enable built-in support for log rotation of files listed in
|
|
.Pa /etc/syslog.conf .
|
|
This feature is particulary useful for small and embedded systems that
|
|
do not want the overhead of
|
|
.Xr cron 8
|
|
and
|
|
.Xr logrotate 8 .
|
|
.Pp
|
|
The option controls the max size and number of backup files kept by the
|
|
built-in log-rotation. When present on the command line it activates
|
|
log rotation of all files with the given maximum size. It is also
|
|
possible to control log rotate per log file, see
|
|
.Xr syslog.conf 5
|
|
for details.
|
|
.Pp
|
|
The size argument takes optional modifiers; k, M, G. E.g., 100M is
|
|
100MB, 42k is 42 kB, etc.
|
|
.Pp
|
|
The optional number of files kept include both gzipped files and the
|
|
first rotated (not zipped) file. The default for this, when omitted,
|
|
is 5.
|
|
.It Fl s
|
|
Operate in secure mode. Do not log messages from remote machines. If
|
|
specified twice, no network socket will be opened at all, which also
|
|
disables logging to remote machines.
|
|
.It Fl T
|
|
Always use the local time and date for messages received from the
|
|
network, instead of the timestamp field supplied in the message by the
|
|
remote host. This is useful if some of the originating hosts cannot
|
|
keep time properly or are unable to generate a correct timestamp.
|
|
.It Fl v
|
|
Print
|
|
.Nm
|
|
version and exit.
|
|
.Sh CONFIGURATION FILE DIFFERENCES
|
|
.Nm
|
|
uses a slightly different syntax for its configuration file than the
|
|
original BSD sources.
|
|
.Pp
|
|
First, rules may now also have a third field
|
|
.Cm ;OPTION .
|
|
Several options are supported, comma separated, that control formatting
|
|
and log rotation, for more on this see
|
|
.Xr syslog.conf 5 .
|
|
.Pp
|
|
Second, other files may be included using a
|
|
.Xr glob 7
|
|
style syntax, e.g.
|
|
.Ql include /path/to/*.conf .
|
|
.Pp
|
|
Third, originally all messages of a specific priority and above were
|
|
forwarded to the log file. For example the following line send all
|
|
output from daemons using the daemon facilities (debug is the lowest
|
|
priority, so every higher will also match) to go into
|
|
.Pa /var/log/daemons :
|
|
.Bd -literal -offset indent
|
|
# Sample syslog.conf
|
|
daemon.debug /var/log/daemons
|
|
.Ed
|
|
.Pp
|
|
.Nm
|
|
still supports this, with the addition of four additional specifiers,
|
|
the asterisk ('*') wildcard, the equation sign ('='), the exclamation
|
|
mark ('!'), and the minus sign ('-').
|
|
.Pp
|
|
The '*' specifies that all messages for the specified facility are to be
|
|
directed to the destination. Note that this behavior is degenerate with
|
|
specifying a priority level of debug. Users have indicated that the
|
|
asterisk notation is more intuitive.
|
|
.Pp
|
|
The '=' restricts logging to the specified priority class. This allows,
|
|
for example, routing only debug messages to a particular logging source.
|
|
.Pp
|
|
For example, the following line in
|
|
.Pa /etc/syslog.conf
|
|
directs debug messages from all sources to the
|
|
.Pa /var/log/debug
|
|
file in RFC5424 format, with log rotation every 512 kiB, saving only 20
|
|
files in total (including the non-rotated file):
|
|
.Bd -literal -offset indent
|
|
# Sample syslog.conf
|
|
*.=debug -/var/log/debug ;RFC5424,rotate=512k:20
|
|
.Ed
|
|
.Pp
|
|
.\" The '!' as the first character of a priority inverts the above
|
|
.\" mentioned interpretation.
|
|
The '!' is used to exclude logging of the specified priorities. This
|
|
affects all (!) possibilities of specifying priorities.
|
|
.Pp
|
|
For example the following lines in
|
|
.Pa syslog.conf
|
|
log all messages of facility
|
|
.Ql mail
|
|
except those with priority
|
|
.Ql info
|
|
to the
|
|
.Pa /var/log/mail
|
|
file. All messages from
|
|
.Ql news.info
|
|
(including) to
|
|
.Ql news.crit
|
|
(excluding) are logged to the
|
|
.Pa /var/log/news
|
|
file.
|
|
.Bd -literal -offset indent
|
|
# Sample syslog.conf
|
|
mail.*;mail.!=info /var/log/mail
|
|
news.info;news.!crit /var/log/news
|
|
.Ed
|
|
.Pp
|
|
You may use it intuitively as an exception specifier. The above
|
|
mentioned interpretation is simply inverted. For example, to skip
|
|
every message with facility
|
|
.Ar mail :
|
|
.Bd -literal -offset indent
|
|
mail.none
|
|
.Ed
|
|
or
|
|
.Bd -literal -offset indent
|
|
mail.!*
|
|
.Ed
|
|
or
|
|
.Bd -literal -offset indent
|
|
mail.!debug
|
|
.Ed
|
|
.Pp
|
|
The '-' may only be used to prefix a filename if you want to omit
|
|
sync'ing the file after every write to it.
|
|
.Sh REMOTE LOGGING
|
|
.Nm
|
|
has network support enabled by default. Meaning, when it starts up it
|
|
opens a socket for sending to remote servers and also binds it to listen
|
|
for incoming syslog messages over UDP port 514. For this to work
|
|
correctly the
|
|
.Xr services 5
|
|
file (typically found in
|
|
.Pa /etc/services )
|
|
must have the following entry:
|
|
.Bd -literal -offset indent
|
|
syslog 514/udp
|
|
.Ed
|
|
.Pp
|
|
If this entry is missing
|
|
.Nm
|
|
by default disables networking completely. This can also be achieved
|
|
by the
|
|
.Fl s
|
|
flag. However,
|
|
.Nm
|
|
can listen to any port, named or by value. Use the
|
|
.Fl b Ar :5514
|
|
flag to bind a socket to (unprivileged) port 5514 instead.
|
|
.Pp
|
|
To forward messages to to a remote host, create a rule in
|
|
.Pa syslog.conf
|
|
with the name of the hostname to which the messages is to be sent
|
|
prepended with an at
|
|
.Sq ( @ )
|
|
sign. By default,
|
|
.Nm
|
|
sends messages to remote servers in the old-school
|
|
.Ql BSD
|
|
format, without timestamp and hostname. This is for compatibility
|
|
reasons. Append the
|
|
.Ql ;RFC5424
|
|
option to the rule to enable RFC5424 style formatting which includes
|
|
RFC3339 timestamp and hostname information.
|
|
.Pp
|
|
For example, to forward
|
|
.Sy ALL
|
|
messages to a remote host use the following
|
|
.Pa syslog.conf
|
|
entry:
|
|
.Bd -literal -offset indent
|
|
# Sample syslogd configuration file to forward all message
|
|
# messages to a remote host using RFC5424 style formatting
|
|
*.* @hostname ;RFC5424
|
|
.Ed
|
|
.Pp
|
|
To forward all
|
|
.Ql kernel
|
|
messages to a remote host (in old-school BSD formatting) the
|
|
configuration file would be as follows:
|
|
.Bd -literal -offset indent
|
|
# Sample configuration file to forward all kernel messages
|
|
# to a remote host.
|
|
kern.* @hostname
|
|
.Ed
|
|
.Pp
|
|
If the remote hostname cannot be resolved at startup, because the
|
|
name server might not yet be accessible (maybe started later in
|
|
the boot sequence),
|
|
.Nm
|
|
will retry resolving the name ten times before logging the error.
|
|
Another possibility to avoid this is to place the hostname in
|
|
.Pa /etc/hosts .
|
|
.Pp
|
|
If the remote host is located in the same domain as the host,
|
|
.Nm
|
|
is running on, only the simple hostname will be logged instead of the
|
|
whole FQDN.
|
|
.Sh NAMED PIPES
|
|
A FIFO, or named pipe, can be used as a destination for log messages by
|
|
prepending a pipy symbol ('|') to the name of the file. This is very
|
|
handy for debugging. Note, the FIFO must be created with the
|
|
.Xr mkfifo 1
|
|
command before
|
|
.Nm
|
|
is started.
|
|
.Pp
|
|
The following configuration file routes debug messages from the kernel
|
|
to a FIFO:
|
|
.Bd -literal -offset indent
|
|
# Sample configuration to route kernel debugging messages
|
|
# ONLY to /var/log/debug which is a named pipe.
|
|
kern.=debug |/var/log/debug
|
|
.Ed
|
|
.Sh SECURITY
|
|
There is the potential for
|
|
.Nm
|
|
to be used as a conduit for a denial of service attack. Thanks go to
|
|
.An John Morrison Aq Mt jmorriso@rflab.ee.ubc.ca
|
|
for alerting the project of this. A rogue program(mer) could very
|
|
easily flood
|
|
.Nm
|
|
with syslog messages resulting in the log files consuming all the
|
|
remaining space on the filesystem. Activating logging over network
|
|
domain sockets will of course expose a system to risks outside of
|
|
programs or individuals on the local machine.
|
|
.Pp
|
|
There are a number of methods of protecting a machine:
|
|
.Bl -enum
|
|
.It
|
|
Disabling inet domain sockets will limit risk to the local machine. Use
|
|
the secore mode flag
|
|
.Fl s
|
|
for this.
|
|
.It
|
|
Only allow certain remote peers using the
|
|
.Fl a Ar PEER
|
|
flag.
|
|
.It
|
|
Implement kernel firewalling to limit which hosts or networks have
|
|
access to the 514/UDP socket.
|
|
.It
|
|
Logging can be directed to an isolated or non-root filesystem which,
|
|
if filled, will not impair the machine.
|
|
.It
|
|
The ext2 filesystem can be used which can be configured to limit a
|
|
certain percentage of a filesystem to usage by root only.
|
|
.El
|
|
.Sh DEBUGGING
|
|
When debug mode (
|
|
.Fl d )
|
|
is enabled
|
|
.Nm
|
|
is very verbose, writing most of what it does on stdout. Whenever
|
|
the configuration file is reread and re-parsed you'll see a tabular,
|
|
corresponding to the internal data structure. This tabular consists of
|
|
four fields:
|
|
.Pp
|
|
.Bl -tag -width arguments
|
|
.It number
|
|
This field contains a serial number starting by zero. This number
|
|
represents the position in the internal data structure (i.e. the array).
|
|
If one number is left out then there might be an error in the
|
|
corresponding line in
|
|
.Pa /etc/syslog.conf .
|
|
.It pattern
|
|
This field is tricky and represents the internal structure exactly.
|
|
Every column stands for a facility, refer to
|
|
.Xr syslogp 3 .
|
|
As you can see, there are still some facilities left free for former
|
|
use, only the left most are used. Every field in a column represents
|
|
the priorities, refer to
|
|
.Xr syslogp 3 .
|
|
.It action
|
|
This field describes the particular action that takes place whenever a
|
|
message is received that matches the pattern. Refer to the
|
|
.Xr syslog.conf 5
|
|
manpage for all possible actions.
|
|
.It arguments
|
|
This field shows additional arguments to the actions in the last field.
|
|
For file-logging this is the filename for the logfile; for user-logging
|
|
this is a list of users; for remote logging this is the hostname of the
|
|
machine to log to; for console-logging this is the used console; for
|
|
tty-logging this is the specified tty; wall has no additional arguments.
|
|
.El
|
|
.Sh SIGNALS
|
|
.Nm
|
|
supports the following signals:
|
|
.Pp
|
|
.Bl -tag -width "TERM, QUIT"
|
|
.It HUP
|
|
This lets
|
|
.Nm
|
|
perform a re-initialization. All open files are closed, the
|
|
configuration file (see above) is reread and the
|
|
.Xr syslog 3
|
|
facility is started again.
|
|
.It TERM
|
|
This tells
|
|
.Nm
|
|
to exit gracefully. Flushing any log files to disk.
|
|
.It INT, QUIT
|
|
In debug mode these are ignored. In normal operation they act as
|
|
SIGTERM.
|
|
.It USR1
|
|
In debug mode this switches debugging on/off. In normal operation
|
|
it is ignored.
|
|
.El
|
|
.Pp
|
|
For convenience the PID is by default stored in
|
|
.Pa /var/run/syslogd.pid .
|
|
A script can look for the existance of this file to determine if
|
|
.Nm
|
|
is running, and then send signals:
|
|
.Bd -literal -offset indent
|
|
kill -SIGNAL `cat /var/run/syslogd.pid`
|
|
.Ed
|
|
.Sh FILES
|
|
.Bl -tag -width TERM
|
|
.It Pa /dev/log
|
|
The UNIX domain socket to from where local syslog messages are read.
|
|
.It Pa /proc/kmsg
|
|
The Linux kernel log file
|
|
.Nm
|
|
reads when built without the optional
|
|
.Nm klogd .
|
|
.It Pa /etc/syslog.conf
|
|
Configuration file for
|
|
.Nm .
|
|
See
|
|
.Xr syslog.conf 5
|
|
for more information.
|
|
.It Pa /etc/syslog.d/*.conf
|
|
Conventional sub-directory of
|
|
.Pa .conf
|
|
files read by
|
|
.Nm .
|
|
.It Pa /etc/syslog.d/50-default.conf
|
|
Conventional name for default rules.
|
|
.It Pa /var/run/syslogd.pid
|
|
The file containing the process id of
|
|
.Nm .
|
|
.El
|
|
.Sh BUGS
|
|
The ability to log messages received in UDP packets is equivalent to an
|
|
unauthenticated remote disk-filling service, and should probably be
|
|
disabled
|
|
.Fl ( s )
|
|
by default. (The shipped systemd unit file disables this by default.)
|
|
See also
|
|
.Sx SECURITY
|
|
for more information on this. A future version of
|
|
.Nm
|
|
may include support for TLS, RFC5425, which includes authentication of
|
|
both senders and receivers.
|
|
.Pp
|
|
As mentioned in the
|
|
.Sx DESCRIPTION ,
|
|
.Nm
|
|
transparently supports the standard C library
|
|
.Xr syslog 3
|
|
API. If a binary linked to the standard C libraries does not operate
|
|
correctly, this should be reported as a bug to this project. See below
|
|
for contact details.
|
|
.Sh SEE ALSO
|
|
.Xr syslog.conf 5 ,
|
|
.Xr klogd 8 ,
|
|
.Xr logger 1 ,
|
|
.Xr syslog 2 ,
|
|
.Xr syslogp 3 ,
|
|
.Xr services 5 ,
|
|
.Xr savelog 8 .
|
|
.Sh AUTHORS
|
|
The system log daemon
|
|
.Nm
|
|
is originally taken from BSD sources and later updated with new
|
|
funcitonality from
|
|
.Fx
|
|
and
|
|
.Nx .
|
|
.An -nosplit
|
|
.An Greg Wettstein Aq Mt greg@wind.enjellic.com
|
|
performed the initial port to Linux.
|
|
.An Martin Schulze Aq Mt joey@infodrom.org
|
|
fixed some bugs, added several new features and took over maintenance.
|
|
.An Joachim Nilsson Aq Mt troglobit@gmail.com
|
|
later picked up the aging
|
|
.Nm sysklogd
|
|
project and gave it a home at GitHub with new features imported from
|
|
.Fx
|
|
and
|
|
.Nx .
|