1SYSKLOGD(8)               Linux System Administration              SYSKLOGD(8)
2
3
4

NAME

6       sysklogd - Linux system logging utilities.
7

SYNOPSIS

9       syslogd  [ -a socket ] [ -d ] [ -f config file ] [ -h ] [ -l hostlist ]
10       [ -m interval ] [ -n ] [ -p socket ] [ -r ] [ -s domainlist ] [ -v ]
11

DESCRIPTION

13       Sysklogd provides two system utilities which provide support for system
14       logging and kernel message trapping.  Support of both internet and unix
15       domain sockets enables this utility package to support both  local  and
16       remote logging.
17
18       System  logging is provided by a version of syslogd(8) derived from the
19       stock BSD sources.  Support for  kernel  logging  is  provided  by  the
20       klogd(8)  utility which allows kernel logging to be conducted in either
21       a standalone fashion or as a client of syslogd.
22
23       Syslogd provides a kind of  logging  that  many  modern  programs  use.
24       Every  logged  message  contains  at least a time and a hostname field,
25       normally a program name field, too, but that depends on how trusty  the
26       logging program is.
27
28       While  the syslogd sources have been heavily modified a couple of notes
29       are in order.  First of all there has  been  a  systematic  attempt  to
30       insure  that  syslogd  follows its default, standard BSD behavior.  The
31       second important concept to note is that this version of syslogd inter‐
32       acts  transparently  with  the  version of syslog found in the standard
33       libraries.  If a binary linked to the standard shared  libraries  fails
34       to  function correctly we would like an example of the anomalous behav‐
35       ior.
36
37       The main configuration file /etc/syslog.conf or  an  alternative  file,
38       given  with  the  -f  option, is read at startup.  Any lines that begin
39       with the hash mark (``#'') and empty lines are ignored.   If  an  error
40       occurs during parsing the whole line is ignored.
41

OPTIONS

43       -a socket
44              Using this argument you can specify additional sockets from that
45              syslogd has to listen to.  This is needed if you're going to let
46              some  daemon  run within a chroot() environment.  You can use up
47              to 19 additional sockets.  If your environment needs even  more,
48              you  have  to  increase the symbol MAXFUNIX within the syslogd.c
49              source file.  An example for a chroot() daemon is  described  by
50              the people from OpenBSD at <http://www.guides.sk/psionic/dns/>.
51
52       -d     Turns  on  debug mode.  Using this the daemon will not proceed a
53              fork(2) to set itself in the background, but  opposite  to  that
54              stay  in  the foreground and write much debug information on the
55              current tty.  See the DEBUGGING section for more information.
56
57       -f config file
58              Specify an alternative configuration file instead  of  /etc/sys‐
59              log.conf, which is the default.
60
61       -h     By  default  syslogd  will not forward messages it receives from
62              remote hosts.  Specifying this switch on the command  line  will
63              cause  the log daemon to forward any remote messages it receives
64              to forwarding hosts which have been  defined.   This  can  cause
65              syslog  loops  that fill up hard disks quite fast and thus needs
66              to be used with caution.
67
68       -l hostlist
69              Specify a hostname that should be logged only  with  its  simple
70              hostname  and  not  the  fqdn.   Multiple hosts may be specified
71              using the colon (``:'') separator.
72
73       -m interval
74              The syslogd logs a mark timestamp regularly.  The default inter‐
75              val  between  two  --  MARK -- lines is 20 minutes.  This can be
76              changed with this option.  Setting the interval to zero turns it
77              off  entirely.   Depending on other log messages generated these
78              lines may not be written consecutively.
79
80       -n     Avoid auto-backgrounding.  This is needed especially if the sys‐
81              logd is started and controlled by init(8).
82
83       -p socket
84              You  can  specify  an  alternative unix domain socket instead of
85              /dev/log.
86
87       -r     This option will enable the facility to receive message from the
88              network  using an internet domain socket with the syslog service
89              (see services(5)).  The default is to not receive  any  messages
90              from the network.
91
92              This  option  is introduced in version 1.3 of the sysklogd pack‐
93              age.  Please note that the default behavior is the  opposite  of
94              how older versions behave, so you might have to turn this on.
95
96       -s domainlist
97              Specify a domainname that should be stripped off before logging.
98              Multiple domains may be specified using the colon (``:'')  sepa‐
99              rator.   Please  be advised that no sub-domains may be specified
100              but only entire domains.  For example if -s north.de  is  speci‐
101              fied  and the host logging resolves to satu.infodrom.north.de no
102              domain would be cut, you will have to specify two domains  like:
103              -s north.de:infodrom.north.de.
104
105       -v     Print version and exit.
106

SIGNALS

108       Syslogd  reacts  to  a set of signals.  You may easily send a signal to
109       syslogd using the following:
110
111              kill -SIGNAL `cat /var/run/syslogd.pid`
112
113       SIGHUP This lets syslogd perform a re-initialization.  All  open  files
114              are closed, the configuration file (default is /etc/syslog.conf)
115              will be reread and the syslog(3) facility is started again.
116
117       SIGTERM
118              The syslogd will die.
119
120       SIGINT, SIGQUIT
121              If debugging is enabled these  are  ignored,  otherwise  syslogd
122              will die.
123
124       SIGUSR1
125              Switch  debugging  on/off.  This option can only be used if sys‐
126              logd is started with the -d debug option.
127
128       SIGCHLD
129              Wait for childs if some were born, because of wall'ing messages.
130

CONFIGURATION FILE SYNTAX DIFFERENCES

132       Syslogd uses a slightly different syntax  for  its  configuration  file
133       than  the  original BSD sources.  Originally all messages of a specific
134       priority and above were forwarded to the log file.
135
136              For example the following line caused ALL  output  from  daemons
137              using  the  daemon  facilities (debug is the lowest priority, so
138              every higher will also match) to go into /usr/adm/daemons:
139
140                   # Sample syslog.conf
141                   daemon.debug             /usr/adm/daemons
142
143       Under the new scheme this behavior remains the same.  The difference is
144       the  addition  of  four  new specifiers, the asterisk (*) wildcard, the
145       equation sign (=), the exclamation mark (!), and the minus sign (-).
146
147       The * specifies that all messages for the specified facility are to  be
148       directed  to  the  destination.   Note that this behavior is degenerate
149       with specifying a priority level of debug.  Users have  indicated  that
150       the asterisk notation is more intuitive.
151
152       The  =  wildcard  is used to restrict logging to the specified priority
153       class.  This allows, for example, routing only debug messages to a par‐
154       ticular logging source.
155
156              For example the following line in syslog.conf would direct debug
157              messages from all sources to the /usr/adm/debug file.
158
159                   # Sample syslog.conf
160                   *.=debug            /usr/adm/debug
161
162       The ! is used to exclude logging of  the  specified  priorities.   This
163       affects all (!) possibilities of specifying priorities.
164
165              For  example  the  following lines would log all messages of the
166              facility mail  except  those  with  the  priority  info  to  the
167              /usr/adm/mail file.  And all messages from news.info (including)
168              to news.crit (excluding) would be logged  to  the  /usr/adm/news
169              file.
170
171                   # Sample syslog.conf
172                   mail.*;mail.!=info       /usr/adm/mail
173                   news.info;news.!crit     /usr/adm/news
174
175       You  may  use it intuitively as an exception specifier.  The above men‐
176       tioned interpretation is simply inverted.  Doing that you may use
177
178            mail.none
179       or
180            mail.!*
181       or
182            mail.!debug
183
184       to skip every message that comes with a mail facility.  There  is  much
185       room to play with it. :-)
186
187       The  -  may  only  be  used  to  prefix  a filename if you want to omit
188       sync'ing the file after every write to it.
189
190       This may take some acclimatization for those individuals  used  to  the
191       pure  BSD behavior but testers have indicated that this syntax is some‐
192       what more flexible than the BSD  behavior.   Note  that  these  changes
193       should not affect standard syslog.conf(5) files.  You must specifically
194       modify the configuration files to obtain the enhanced behavior.
195

SUPPORT FOR REMOTE LOGGING

197       These modifications provide network support to  the  syslogd  facility.
198       Network support means that messages can be forwarded from one node run‐
199       ning syslogd to another node running syslogd where they will  be  actu‐
200       ally logged to a disk file.
201
202       To  enable  this you have to specify the -r option on the command line.
203       The default behavior is that syslogd won't listen to the network.
204
205       The strategy is to have syslogd listen on  a  unix  domain  socket  for
206       locally  generated  log  messages.  This behavior will allow syslogd to
207       inter-operate with the syslog found in the standard C library.  At  the
208       same time syslogd listens on the standard syslog port for messages for‐
209       warded from other hosts.  To have this work correctly  the  services(5)
210       files (typically found in /etc) must have the following entry:
211
212                   syslog          514/udp
213
214       If  this  entry  is missing syslogd neither can receive remote messages
215       nor send them, because the UDP port cant be  opened.   Instead  syslogd
216       will die immediately, blowing out an error message.
217
218       To  cause  messages  to be forwarded to another host replace the normal
219       file line in the syslog.conf file with the name of the  host  to  which
220       the messages is to be sent prepended with an @.
221
222              For  example,  to  forward ALL messages to a remote host use the
223              following syslog.conf entry:
224
225                   # Sample syslogd configuration file to
226                   # messages to a remote host forward all.
227                   *.*            @hostname
228
229              To forward all kernel messages to a remote host  the  configura‐
230              tion file would be as follows:
231
232                   # Sample configuration file to forward all kernel
233                   # messages to a remote host.
234                   kern.*         @hostname
235
236       If the remote hostname cannot be resolved at startup, because the name-
237       server might not be accessible (it may be started  after  syslogd)  you
238       don't  have to worry.  Syslogd will retry to resolve the name ten times
239       and then complain.  Another possibility to avoid this is to  place  the
240       hostname in /etc/hosts.
241
242       With  normal  syslogds  you would get syslog-loops if you send out mes‐
243       sages that were received from a remote host to the same host  (or  more
244       complicated to a third host that sends it back to the first one, and so
245       on).  In my domain (Infodrom Oldenburg) we accidently got one  and  our
246       disks filled up with the same single message. :-(
247
248       To  avoid  this no messages received from a remote host are sent out to
249       another (or the same) remote host anymore.  If you experience are setup
250       in  which  you  need  this  behaviour,  please  use the -h command line
251       switch.  However, this option needs to be handled with caution since  a
252       syslog loop can fill up hard disks quite fast.
253
254       If  the  remote host is located in the same domain as the host, syslogd
255       is running on, only the simple hostname will be logged instead  of  the
256       whole fqdn.
257
258       In a local network you may provide a central log server to have all the
259       important information kept on one machine.  If the network consists  of
260       different domains you don't have to complain about logging fully quali‐
261       fied names instead of simple hostnames.  You may want to use the strip-
262       domain  feature  -s  of this server.  You can tell the syslogd to strip
263       off several domains other than the one the server  is  located  in  and
264       only log simple hostnames.
265
266       Using  the  -l option there's also a possibility to define single hosts
267       as local machines.  This, too, results in  logging  only  their  simple
268       hostnames and not the fqdns.
269
270       The  UDP  socket used to forward messages to remote hosts or to receive
271       messages from them is only opened when it is needed.  In releases prior
272       to  1.3-23  it was opened every time but not opened for reading or for‐
273       warding respectively.
274

OUTPUT TO NAMED PIPES (FIFOs)

276       This version of syslogd has support for logging output to  named  pipes
277       (fifos).   A  fifo  or  named pipe can be used as a destination for log
278       messages by prepending a pipy symbol (``|'') to the name of  the  file.
279       This  is  handy for debugging.  Note that the fifo must be created with
280       the mkfifo command before syslogd is started.
281
282              The following configuration file routes debug messages from  the
283              kernel to a fifo:
284
285                   # Sample configuration to route kernel debugging
286                   # messages ONLY to /usr/adm/debug which is a
287                   # named pipe.
288                   kern.=debug              |/usr/adm/debug
289

INSTALLATION CONCERNS

291       There is probably one important consideration when installing this ver‐
292       sion of syslogd.  This version of syslogd is dependent on  proper  for‐
293       matting  of  messages  by  the syslog function.  The functioning of the
294       syslog function in the shared libraries changed somewhere in the region
295       of  libc.so.4.[2-4].n.   The  specific change was to null-terminate the
296       message before transmitting it to the /dev/log  socket.   Proper  func‐
297       tioning  of this version of syslogd is dependent on null-termination of
298       the message.
299
300       This problem will typically manifest itself if  old  statically  linked
301       binaries  are being used on the system.  Binaries using old versions of
302       the syslog function will cause empty lines to be logged followed by the
303       message  with  the  first  character in the message removed.  Relinking
304       these binaries to newer versions of the shared libraries  will  correct
305       this problem.
306
307       Both  the syslogd(8) and the klogd(8) can either be run from init(8) or
308       started as part of the rc.*  sequence.  If it is started from init  the
309       option  -n  must  be  set,  otherwise you'll get tons of syslog daemons
310       started.  This is because init(8) depends on the process ID.
311

SECURITY THREATS

313       There is the potential for the syslogd daemon to be used as  a  conduit
314       for  a  denial  of  service  attack.  Thanks go to John Morrison (jmor‐
315       riso@rflab.ee.ubc.ca) for alerting me to this potential.  A rogue  pro‐
316       gram(mer)  could  very easily flood the syslogd daemon with syslog mes‐
317       sages resulting in the log files consuming all the remaining  space  on
318       the  filesystem.   Activating logging over the inet domain sockets will
319       of course expose a system to risks outside of programs  or  individuals
320       on the local machine.
321
322       There are a number of methods of protecting a machine:
323
324       1.     Implement  kernel  firewalling  to limit which hosts or networks
325              have access to the 514/UDP socket.
326
327       2.     Logging can be directed to an isolated  or  non-root  filesystem
328              which, if filled, will not impair the machine.
329
330       3.     The ext2 filesystem can be used which can be configured to limit
331              a certain percentage of a filesystem  to  usage  by  root  only.
332              NOTE  that  this  will  require  syslogd to be run as a non-root
333              process.  ALSO NOTE that this will prevent usage of remote  log‐
334              ging since syslogd will be unable to bind to the 514/UDP socket.
335
336       4.     Disabling  inet  domain  sockets  will  limit  risk to the local
337              machine.
338
339       5.     Use step 4 and if the problem persists and is not secondary to a
340              rogue  program/daemon  get  a 3.5 ft (approx. 1 meter) length of
341              sucker rod* and have a chat with the user in question.
342
343              Sucker rod def. — 3/4, 7/8 or  1in.  hardened  steel  rod,  male
344              threaded  on each end.  Primary use in the oil industry in West‐
345              ern North Dakota and other locations to pump 'suck' oil from oil
346              wells.   Secondary  uses are for the construction of cattle feed
347              lots and for dealing with the occasional  recalcitrant  or  bel‐
348              ligerent individual.
349

DEBUGGING

351       When  debugging  is turned on using -d option then syslogd will be very
352       verbose by writing much of what it does on stdout.  Whenever  the  con‐
353       figuration  file  is  reread and re-parsed you'll see a tabular, corre‐
354       sponding to the internal data structure.  This tabular consists of four
355       fields:
356
357       number This field contains a serial number starting by zero.  This num‐
358              ber represents the position in the internal data structure (i.e.
359              the  array).   If  one number is left out then there might be an
360              error in the corresponding line in /etc/syslog.conf.
361
362       pattern
363              This field is  tricky  and  represents  the  internal  structure
364              exactly.   Every  column  stands  for  a facility (refer to sys‐
365              log(3)).  As you can see, there are still some  facilities  left
366              free  for  former use, only the left most are used.  Every field
367              in a column represents the priorities (refer to syslog(3)).
368
369       action This field describes the  particular  action  that  takes  place
370              whenever  a message is received that matches the pattern.  Refer
371              to the syslog.conf(5) manpage for all possible actions.
372
373       arguments
374              This field shows additional arguments to the actions in the last
375              field.   For  file-logging this is the filename for the logfile;
376              for user-logging this is a list of  users;  for  remote  logging
377              this  is the hostname of the machine to log to; for console-log‐
378              ging this is the used console; for tty-logging this is the spec‐
379              ified tty; wall has no additional arguments.
380

FILES

382       /etc/syslog.conf
383              Configuration  file  for  syslogd.  See syslog.conf(5) for exact
384              information.
385       /dev/log
386              The Unix domain socket to from where local syslog  messages  are
387              read.
388       /var/run/syslogd.pid
389              The file containing the process id of syslogd.
390

BUGS

392       If an error occurs in one line the whole rule is ignored.
393
394       Syslogd  doesn't change the filemode of opened logfiles at any stage of
395       process.  If a file is created it is world readable.  If  you  want  to
396       avoid  this,  you have to create it and change permissions on your own.
397       This could be done in combination  with  rotating  logfiles  using  the
398       savelog(8)  program  that  is  shipped  in  the smail 3.x distribution.
399       Remember that it might be a security hole if everybody is able to  read
400       auth.* messages as these might contain passwords.
401

SEE ALSO

403       syslog.conf(5), klogd(8), logger(1), syslog(2), syslog(3), services(5),
404       savelog(8).
405

AUTHORS

407       The system log daemon syslogd is originally  taken  from  BSD  sources,
408       Greg  Wettstein  <greg@wind.enjellic.com>  performed the port to Linux,
409       Martin Schulze <joey@infodrom.org> fixed some bugs, added  several  new
410       features and took over maintenance.
411
412
413
414Version 1.5                       27 May 2007                      SYSKLOGD(8)
Impressum