emo/sysklogd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b7d4225ef1
sysklogd/man/syslogd.8
Joachim Nilsson 49968d977e syslogd.8: Update section on SECURITY and .conf differences 
- We have the -a PEER and -s to limit exposure to remote attacks
- Mention include file syntax in .conf file differences section
- Mention SECURITY section in BUGS, there are countermeasures

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
2019-11-15 09:44:15 +01:00

620 lines
17 KiB
Groff
Raw Blame History

.\" -*- nroff -*-
.\" Copyright 1994-1996 Dr. Greg Wettstein, Enjellic Systems Development.
.\" Copyright 1997-2008 Martin Schulze <joey@infodrom.org>
.\" Copyright 2018-2019 Joachim Nilsson <troglobit@gmail.com>
.\"
.\" May be distributed under the GNU General Public License
.\"
.Dd Oct 30, 2019
.Dt syslogd 8
.Os "sysklogd (2.0)"
.Sh NAME
.Nm syslogd
.Nd System Log Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ?46AdFknsTv
.Op Fl a Ar addr[/len][:port]
.Op Fl a Ar name[:port]
.Op Fl b Ar addr[:port]
.Op Fl b Ar :port
.Op Fl f Ar file
.Op Fl m Ar sec
.Op Fl P Ar file
.Op Fl p Ar sock
.Op Fl r Ar size[:count]
.Sh DESCRIPTION
.Nm
support RFC3164 and RFC5424 style log messages for both local and remote
logging using Internet and UNIX domain sockets. Differences in style is
shown below. The optional companion daemon,
.Xr klogd 8 ,
can be used to trap kernel messages and interpret events like Oops. By
default
.Nm klogd
is not built and
.Nm
handles reading and logging of kernel messages.
.Pp
.Bl -tag -compact -width "RFC3164:"
.It RFC3164:
.Cm Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
.It RFC5424:
.Cm 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.
.El
.Pp
Note, for remote logging the messages are prefixed with
.Cm <PRI>
or
.Cm <PRI>1 ,
respectively.
.Pp
.Nm
is derived from BSD sources, today
.Fx
is the reference for
.Nm
and
.Nx
for the new
.Xr syslogp 3
API, which fully supports the new features of RFC5424. Please note; 1)
the intention is to follow standard BSD
.Nm
behavior, 2) despite having a stand-alone
.Xr syslog 3 ,
and
.Xr syslogp 3
API in
.Lb libsyslog ,
.Nm
interacts transparently with the standard C library
.Xr syslog 3
API, as implemented in GLIBC, musl libc, and uClibc.
.Pp
When
.Nm
starts up it reads its main configuration file
.Pa /etc/syslog.conf ,
or an alternate file given with the
.Fl f Ar file
option. For details on how to configure syslog priority
(facility.severity) filtering, see
.Xr syslog.conf 5 .
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl 4
Force
.Nm
to use IPv4 addresses only.
.It Fl 6
Force
.Nm
to use IPv6 addresses only.
.It Fl A
Ordinarily,
.Nm
tries to send the message to only one address even if the host has
more than one A or AAAA record. If this option is specified,
.Nm
tries to send the message to all addresses.
.It Fl a Ar address[/len][:service] | Fl a Ar domainname[:service]
Allow peers to log to this syslogd using UDP datagrams. Multiple
.Fl a
options may be specified. Any
.Fl a
option is ignored if the
.Fl s
option is also specified.
.Pp
The peer argument may be any of the following:
.Bl -tag -width 'address[/len][:service]'
.It Ql address[/len][:service]
Accept datagrams from IP
.Ar address ,
which can be specified as an IPv4 address or as an IPv6 address enclosed
with
.Sq \&[
and
.Sq \&] .
If specified, service is the name or port number of an UDP service (see
.Xr services 5 )
the source packet must belong to. A service of
.Ql *
accepts UDP packets from any source port. The default service is
.Ql syslog .
If
.Ar address
is an IPv4 address, a missing prefix
.Ar len
will be substituted by the historic class A or class B netmasks if
.Ar address
belongs in the address range of class A or B, respectively, or by'
.Ar /24
otherwise. If
.Ar address
is an IPv6 address, a missing prefix
.Ar len
will be substituted by 128.
.It Ql domainname[:service]
Accept datagrams where the reverse address lookup yields
.Ar domainname
for the sender address. The meaning of
.Ar service
is as explained above.
.Ar domainname
can contain special characters of a shell-style pattern such as
.Ql * .
.El
.It Fl b Ar address[:service]
.It Fl b Ar :service
Bind to a specific address and/or port. The address can be specified as
a hostname, and the port as a service name. If an IPv6 address is
specified, it should be enclosed with
.Sq \&[
and
.Sq \&] .
The default service is
.Ql syslog
(514/udp). This option can be specified multiple times to bind to
multiple addresses and/or ports.
.It Fl d
Turns on debug mode. This implicitly enables
.Fl F
to prevent
.Nm
from backgrounding itself. Debug information is written to the current
TTY. SIGUSR1 is required to confirm continued debug messages when the
daemon has finished starting up. See the
.Sx DEBUGGING
section for more information.
.It Fl F
Run in foreground, required when run from a modern init/supervisor. See
your system
.Xr init 1
for details.
.It Fl f Ar file
Specify an alternative configuration file instead of the default
.Pa /etc/syslog.conf .
.It Fl k
Disable the translation of messages received with facility
.Ql kern
to
facility
.Ql user .
Usually the
.Ql kern
facility is reserved for kernel log messages. When the
.Nm klogd
daemon runs alongside
.Nm ,
this option is always set.
.It Fl m Ar seconds
.Nm
logs a mark timestamp regularly. The default interval between two
.Ql -- MARK --
lines is 20 minutes. This can be changed with this option. Setting
this to zero disables log marks entirely.
.Pp
Depending on other log messages generated these lines may not be written
consecutively. The
.Ql -- MARK --
message is only written if the log file hasn't been touched in
.Ar (seconds * 60) / 2
minutes.
.It Fl n
Disable DNS query for every request.
.It Fl P Ar file
Specify an alternate file in which to store the process ID.
The default is
.Pa /var/run/syslog.pid .
.It Fl p Ar socket
Specify an alternate UNIX domain socket instead of the default
.Pa /dev/log .
When a single
.Fl p
option is specified, the default pathname is replaced with the specified
one. When two or more
.Fl p
options are specified, the remaining pathnames are treated as additional
log sockets. This might be needed when running applications in
containers or a
.Xr chroot 8
environment.
.It Fl r Ar size[:count]
Enable built-in support for log rotation of files listed in
.Pa /etc/syslog.conf .
This feature is particulary useful for small and embedded systems that
do not want the overhead of
.Xr cron 8
and
.Xr logrotate 8 .
.Pp
The option controls the max size and number of backup files kept by the
built-in log-rotation. When present on the command line it activates
log rotation of all files with the given maximum size. It is also
possible to control log rotate per log file, see
.Xr syslog.conf 5
for details.
.Pp
The size argument takes optional modifiers; k, M, G. E.g., 100M is
100MB, 42k is 42 kB, etc.
.Pp
The optional number of files kept include both gzipped files and the
first rotated (not zipped) file. The default for this, when omitted,
is 5.
.It Fl s
Operate in secure mode. Do not log messages from remote machines. If
specified twice, no network socket will be opened at all, which also
disables logging to remote machines.
.It Fl T
Always use the local time and date for messages received from the
network, instead of the timestamp field supplied in the message by the
remote host. This is useful if some of the originating hosts cannot
keep time properly or are unable to generate a correct timestamp.
.It Fl v
Print
.Nm
version and exit.
.Sh CONFIGURATION FILE DIFFERENCES
.Nm
uses a slightly different syntax for its configuration file than the
original BSD sources.
.Pp
First, rules may now also have a third field
.Cm ;OPTION .
Several options are supported, comma separated, that control formatting
and log rotation, for more on this see
.Xr syslog.conf 5 .
.Pp
Second, other files may be included using a
.Xr glob 7
style syntax, e.g.
.Ql include /path/to/*.conf .
.Pp
Third, originally all messages of a specific priority and above were
forwarded to the log file. For example the following line send all
output from daemons using the daemon facilities (debug is the lowest
priority, so every higher will also match) to go into
.Pa /var/log/daemons :
.Bd -literal -offset indent
# Sample syslog.conf
daemon.debug /var/log/daemons
.Ed
.Pp
.Nm
still supports this, with the addition of four additional specifiers,
the asterisk ('*') wildcard, the equation sign ('='), the exclamation
mark ('!'), and the minus sign ('-').
.Pp
The '*' specifies that all messages for the specified facility are to be
directed to the destination. Note that this behavior is degenerate with
specifying a priority level of debug. Users have indicated that the
asterisk notation is more intuitive.
.Pp
The '=' restricts logging to the specified priority class. This allows,
for example, routing only debug messages to a particular logging source.
.Pp
For example, the following line in
.Pa /etc/syslog.conf
directs debug messages from all sources to the
.Pa /var/log/debug
file in RFC5424 format, with log rotation every 512 kiB, saving only 20
files in total (including the non-rotated file):
.Bd -literal -offset indent
# Sample syslog.conf
*.=debug -/var/log/debug ;RFC5424,rotate=512k:20
.Ed
.Pp
.\" The '!' as the first character of a priority inverts the above
.\" mentioned interpretation.
The '!' is used to exclude logging of the specified priorities. This
affects all (!) possibilities of specifying priorities.
.Pp
For example the following lines in
.Pa syslog.conf
log all messages of facility
.Ql mail
except those with priority
.Ql info
to the
.Pa /var/log/mail
file. All messages from
.Ql news.info
(including) to
.Ql news.crit
(excluding) are logged to the
.Pa /var/log/news
file.
.Bd -literal -offset indent
# Sample syslog.conf
mail.*;mail.!=info /var/log/mail
news.info;news.!crit /var/log/news
.Ed
.Pp
You may use it intuitively as an exception specifier. The above
mentioned interpretation is simply inverted. For example, to skip
every message with facility
.Ar mail :
.Bd -literal -offset indent
mail.none
.Ed
or
.Bd -literal -offset indent
mail.!*
.Ed
or
.Bd -literal -offset indent
mail.!debug
.Ed
.Pp
The '-' may only be used to prefix a filename if you want to omit
sync'ing the file after every write to it.
.Sh REMOTE LOGGING
.Nm
has network support enabled by default. Meaning, when it starts up it
opens a socket for sending to remote servers and also binds it to listen
for incoming syslog messages over UDP port 514. For this to work
correctly the
.Xr services 5
file (typically found in
.Pa /etc/services )
must have the following entry:
.Bd -literal -offset indent
syslog 514/udp
.Ed
.Pp
If this entry is missing
.Nm
by default disables networking completely. This can also be achieved
by the
.Fl s
flag. However,
.Nm
can listen to any port, named or by value. Use the
.Fl b Ar :5514
flag to bind a socket to (unprivileged) port 5514 instead.
.Pp
To forward messages to to a remote host, create a rule in
.Pa syslog.conf
with the name of the hostname to which the messages is to be sent
prepended with an at
.Sq ( @ )
sign. By default,
.Nm
sends messages to remote servers in the old-school
.Ql BSD
format, without timestamp and hostname. This is for compatibility
reasons. Append the
.Ql ;RFC5424
option to the rule to enable RFC5424 style formatting which includes
RFC3339 timestamp and hostname information.
.Pp
For example, to forward
.Sy ALL
messages to a remote host use the following
.Pa syslog.conf
entry:
.Bd -literal -offset indent
# Sample syslogd configuration file to forward all message
# messages to a remote host using RFC5424 style formatting
*.* @hostname ;RFC5424
.Ed
.Pp
To forward all
.Ql kernel
messages to a remote host (in old-school BSD formatting) the
configuration file would be as follows:
.Bd -literal -offset indent
# Sample configuration file to forward all kernel messages
# to a remote host.
kern.* @hostname
.Ed
.Pp
If the remote hostname cannot be resolved at startup, because the
name server might not yet be accessible (maybe started later in
the boot sequence),
.Nm
will retry resolving the name ten times before logging the error.
Another possibility to avoid this is to place the hostname in
.Pa /etc/hosts .
.Pp
If the remote host is located in the same domain as the host,
.Nm
is running on, only the simple hostname will be logged instead of the
whole FQDN.
.Sh NAMED PIPES
A FIFO, or named pipe, can be used as a destination for log messages by
prepending a pipy symbol ('|') to the name of the file. This is very
handy for debugging. Note, the FIFO must be created with the
.Xr mkfifo 1
command before
.Nm
is started.
.Pp
The following configuration file routes debug messages from the kernel
to a FIFO:
.Bd -literal -offset indent
# Sample configuration to route kernel debugging messages
# ONLY to /var/log/debug which is a named pipe.
kern.=debug |/var/log/debug
.Ed
.Sh SECURITY
There is the potential for
.Nm
to be used as a conduit for a denial of service attack. Thanks go to
.An John Morrison Aq Mt jmorriso@rflab.ee.ubc.ca
for alerting the project of this. A rogue program(mer) could very
easily flood
.Nm
with syslog messages resulting in the log files consuming all the
remaining space on the filesystem. Activating logging over network
domain sockets will of course expose a system to risks outside of
programs or individuals on the local machine.
.Pp
There are a number of methods of protecting a machine:
.Bl -enum
.It
Disabling inet domain sockets will limit risk to the local machine. Use
the secore mode flag
.Fl s
for this.
.It
Only allow certain remote peers using the
.Fl a Ar PEER
flag.
.It
Implement kernel firewalling to limit which hosts or networks have
access to the 514/UDP socket.
.It
Logging can be directed to an isolated or non-root filesystem which,
if filled, will not impair the machine.
.It
The ext2 filesystem can be used which can be configured to limit a
certain percentage of a filesystem to usage by root only.
.El
.Sh DEBUGGING
When debug mode (
.Fl d )
is enabled
.Nm
is very verbose, writing most of what it does on stdout. Whenever
the configuration file is reread and re-parsed you'll see a tabular,
corresponding to the internal data structure. This tabular consists of
four fields:
.Pp
.Bl -tag -width arguments
.It number
This field contains a serial number starting by zero. This number
represents the position in the internal data structure (i.e. the array).
If one number is left out then there might be an error in the
corresponding line in
.Pa /etc/syslog.conf .
.It pattern
This field is tricky and represents the internal structure exactly.
Every column stands for a facility, refer to
.Xr syslogp 3 .
As you can see, there are still some facilities left free for former
use, only the left most are used. Every field in a column represents
the priorities, refer to
.Xr syslogp 3 .
.It action
This field describes the particular action that takes place whenever a
message is received that matches the pattern. Refer to the
.Xr syslog.conf 5
manpage for all possible actions.
.It arguments
This field shows additional arguments to the actions in the last field.
For file-logging this is the filename for the logfile; for user-logging
this is a list of users; for remote logging this is the hostname of the
machine to log to; for console-logging this is the used console; for
tty-logging this is the specified tty; wall has no additional arguments.
.El
.Sh SIGNALS
.Nm
supports the following signals:
.Pp
.Bl -tag -width "TERM, QUIT"
.It HUP
This lets
.Nm
perform a re-initialization. All open files are closed, the
configuration file (see above) is reread and the
.Xr syslog 3
facility is started again.
.It TERM
This tells
.Nm
to exit gracefully. Flushing any log files to disk.
.It INT, QUIT
In debug mode these are ignored. In normal operation they act as
SIGTERM.
.It USR1
In debug mode this switches debugging on/off. In normal operation
it is ignored.
.El
.Pp
For convenience the PID is by default stored in
.Pa /var/run/syslogd.pid .
A script can look for the existance of this file to determine if
.Nm
is running, and then send signals:
.Bd -literal -offset indent
kill -SIGNAL `cat /var/run/syslogd.pid`
.Ed
.Sh FILES
.Bl -tag -width TERM
.It Pa /dev/log
The UNIX domain socket to from where local syslog messages are read.
.It Pa /proc/kmsg
The Linux kernel log file
.Nm
reads when built without the optional
.Nm klogd .
.It Pa /etc/syslog.conf
Configuration file for
.Nm .
See
.Xr syslog.conf 5
for more information.
.It Pa /etc/syslog.d/*.conf
Conventional sub-directory of
.Pa .conf
files read by
.Nm .
.It Pa /etc/syslog.d/50-default.conf
Conventional name for default rules.
.It Pa /var/run/syslogd.pid
The file containing the process id of
.Nm .
.El
.Sh BUGS
The ability to log messages received in UDP packets is equivalent to an
unauthenticated remote disk-filling service, and should probably be
disabled
.Fl ( s )
by default. (The shipped systemd unit file disables this by default.)
See also
.Sx SECURITY
for more information on this. A future version of
.Nm
may include support for TLS, RFC5425, which includes authentication of
both senders and receivers.
.Pp
As mentioned in the
.Sx DESCRIPTION ,
.Nm
transparently supports the standard C library
.Xr syslog 3
API. If a binary linked to the standard C libraries does not operate
correctly, this should be reported as a bug to this project. See below
for contact details.
.Sh SEE ALSO
.Xr syslog.conf 5 ,
.Xr klogd 8 ,
.Xr logger 1 ,
.Xr syslog 2 ,
.Xr syslogp 3 ,
.Xr services 5 ,
.Xr savelog 8 .
.Sh AUTHORS
The system log daemon
.Nm
is originally taken from BSD sources and later updated with new
funcitonality from
.Fx
and
.Nx .
.An -nosplit
.An Greg Wettstein Aq Mt greg@wind.enjellic.com
performed the initial port to Linux.
.An Martin Schulze Aq Mt joey@infodrom.org
fixed some bugs, added several new features and took over maintenance.
.An Joachim Nilsson Aq Mt troglobit@gmail.com
later picked up the aging
.Nm sysklogd
project and gave it a home at GitHub with new features imported from
.Fx
and
.Nx .
Reference in New Issue View Git Blame Copy Permalink