1SYSLOG.CONF(5) Linux System Administration SYSLOG.CONF(5)
2
6 syslog.conf - syslogd(8) configuration file
7
9 The syslog.conf file is the main configuration file for the syslogd(8)
10 which logs system messages on *nix systems. This file specifies rules
11 for logging. For special features see the sysklogd(8) manpage.
12 Every rule consists of two fields, a selector field and an action
14 field. These two fields are separated by one or more spaces or tabs.
15 The selector field specifies a pattern of facilities and priorities
16 belonging to the specified action.
17 Lines starting with a hash mark (``#'') and empty lines are ignored.
19 This release of syslogd is able to understand an extended syntax. One
21 rule can be divided into several lines if the leading line is termi‐
22 nated with an backslash (``\'').
23
26 The selector field itself again consists of two parts, a facility and a
27 priority, separated by a period (``.''). Both parts are case insensi‐
28 tive and can also be specified as decimal numbers, but don't do that,
29 you have been warned. Both facilities and priorities are described in
30 syslog(3). The names mentioned below correspond to the similar
31 LOG_-values in /usr/include/syslog.h.
32 The facility is one of the following keywords: auth, authpriv, cron,
34 daemon, kern, lpr, mail, mark, news, security (same as auth), syslog,
35 user, uucp and local0 through local7. The keyword security should not
36 be used anymore and mark is only for internal use and therefore should
37 not be used in applications. Anyway, you may want to specify and redi‐
38 rect these messages here. The facility specifies the subsystem that
39 produced the message, i.e. all mail programs log with the mail facility
40 (LOG_MAIL) if they log using syslog.
41 The priority is one of the following keywords, in ascending order:
43 debug, info, notice, warning, warn (same as warning), err, error (same
44 as err), crit, alert, emerg, panic (same as emerg). The keywords
45 error, warn and panic are deprecated and should not be used anymore.
46 The priority defines the severity of the message
47 The behavior of the original BSD syslogd is that all messages of the
49 specified priority and higher are logged according to the given action.
50 This syslogd(8) behaves the same, but has some extensions.
51 In addition to the above mentioned names the syslogd(8) understands the
53 following extensions: An asterisk (``*'') stands for all facilities or
54 all priorities, depending on where it is used (before or after the
55 period). The keyword none stands for no priority of the given facil‐
56 ity.
57 You can specify multiple facilities with the same priority pattern in
59 one statement using the comma (``,'') operator. You may specify as
60 much facilities as you want. Remember that only the facility part from
61 such a statement is taken, a priority part would be skipped.
62 Multiple selectors may be specified for a single action using the semi‐
64 colon (``;'') separator. Remember that each selector in the selector
65 field is capable to overwrite the preceding ones. Using this behavior
66 you can exclude some priorities from the pattern.
67 This syslogd(8) has a syntax extension to the original BSD source, that
69 makes its use more intuitively. You may precede every priority with an
70 equation sign (``='') to specify only this single priority and not any
71 of the above. You may also (both is valid, too) precede the priority
72 with an exclamation mark (``!'') to ignore all that priorities, either
73 exact this one or this and any higher priority. If you use both exten‐
74 sions than the exclamation mark must occur before the equation sign,
75 just use it intuitively.
76
79 The action field of a rule describes the abstract term ``logfile''. A
80 ``logfile'' need not to be a real file, btw. The syslogd(8) provides
81 the following actions.
82 Regular File
85 Typically messages are logged to real files. The file has to be speci‐
86 fied with full pathname, beginning with a slash ``/''.
87 You may prefix each entry with the minus ``-'' sign to omit syncing the
89 file after every logging. Note that you might lose information if the
90 system crashes right behind a write attempt. Nevertheless this might
91 give you back some performance, especially if you run programs that use
92 logging in a very verbose manner.
93 Named Pipes
96 This version of syslogd(8) has support for logging output to named
97 pipes (fifos). A fifo or named pipe can be used as a destination for
98 log messages by prepending a pipe symbol (``|'') to the name of the
99 file. This is handy for debugging. Note that the fifo must be created
100 with the mkfifo(1) command before syslogd(8) is started.
101 Terminal and Console
104 If the file you specified is a tty, special tty-handling is done, same
105 with /dev/console.
106 Remote Machine
109 This syslogd(8) provides full remote logging, i.e. is able to send mes‐
110 sages to a remote host running syslogd(8) and to receive messages from
111 remote hosts. The remote host won't forward the message again, it will
112 just log them locally. To forward messages to another host, prepend
113 the hostname with the at sign (``@'').
114 Using this feature you're able to control all syslog messages on one
116 host, if all other machines will log remotely to that. This tears down
117 administration needs.
118 List of Users
121 Usually critical messages are also directed to ``root'' on that
122 machine. You can specify a list of users that shall get the message by
123 simply writing the login. You may specify more than one user by sepa‐
124 rating them with commas (``,''). If they're logged in they get the
125 message. Don't think a mail would be sent, that might be too late.
126 Everyone logged on
129 Emergency messages often go to all users currently online to notify
130 them that something strange is happening with the system. To specify
131 this wall(1)-feature use an asterisk (``*'').
132
135 Here are some example, partially taken from a real existing site and
136 configuration. Hopefully they rub out all questions to the configura‐
137 tion, if not, drop me (Joey) a line.
138 # Store critical stuff in critical
140 #
141 *.=crit;kern.none /var/adm/critical
142 This will store all messages with the priority crit in the file
144 /var/adm/critical, except for any kernel message.
145 # Kernel messages are first, stored in the kernel
148 # file, critical messages and higher ones also go
149 # to another host and to the console
150 #
151 kern.* /var/adm/kernel
152 kern.crit @finlandia
153 kern.crit /dev/console
154 kern.info;kern.!err /var/adm/kernel-info
155 The first rule direct any message that has the kernel facility to the
157 file /var/adm/kernel.
158 The second statement directs all kernel messages of the priority crit
160 and higher to the remote host finlandia. This is useful, because if
161 the host crashes and the disks get irreparable errors you might not be
162 able to read the stored messages. If they're on a remote host, too,
163 you still can try to find out the reason for the crash.
164 The third rule directs these messages to the actual console, so the
166 person who works on the machine will get them, too.
167 The fourth line tells the syslogd to save all kernel messages that come
169 with priorities from info up to warning in the file /var/adm/kernel-
170 info. Everything from err and higher is excluded.
171 # The tcp wrapper loggs with mail.info, we display
174 # all the connections on tty12
175 #
176 mail.=info /dev/tty12
177 This directs all messages that uses mail.info (in source LOG_MAIL |
179 LOG_INFO) to /dev/tty12, the 12th console. For example the tcpwrapper
180 tcpd(8) uses this as it's default.
181 # Store all mail concerning stuff in a file
184 #
185 mail.*;mail.!=info /var/adm/mail
186 This pattern matches all messages that come with the mail facility,
188 except for the info priority. These will be stored in the file
189 /var/adm/mail.
190 # Log all mail.info and news.info messages to info
193 #
194 mail,news.=info /var/adm/info
195 This will extract all messages that come either with mail.info or with
197 news.info and store them in the file /var/adm/info.
198 # Log info and notice messages to messages file
201 #
202 *.=info;*.=notice;\
203 mail.none /var/log/messages
204 This lets the syslogd log all messages that come with either the info
206 or the notice facility into the file /var/log/messages, except for all
207 messages that use the mail facility.
208 # Log info messages to messages file
211 #
212 *.=info;\
213 mail,news.none /var/log/messages
214 This statement causes the syslogd to log all messages that come with
216 the info priority to the file /var/log/messages. But any message com‐
217 ing either with the mail or the news facility will not be stored.
218 # Emergency messages will be displayed using wall
221 #
222 *.=emerg *
223 This rule tells the syslogd to write all emergency messages to all cur‐
225 rently logged in users. This is the wall action.
226 # Messages of the priority alert will be directed
229 # to the operator
230 #
231 *.alert root,joey
232 This rule directs all messages with a priority of alert or higher to
234 the terminals of the operator, i.e. of the users ``root'' and ``joey''
235 if they're logged in.
236 *.* @finlandia
239 This rule would redirect all messages to a remote host called finlan‐
241 dia. This is useful especially in a cluster of machines where all sys‐
242 log messages will be stored on only one machine.
243
246 Syslogd uses a slightly different syntax for its configuration file
247 than the original BSD sources. Originally all messages of a specific
248 priority and above were forwarded to the log file. The modifiers
249 ``='', ``!'' and ``-'' were added to make the syslogd more flexible
250 and to use it in a more intuitive manner.
251 The original BSD syslogd doesn't understand spaces as separators
253 between the selector and the action field.
254
256 /etc/syslog.conf
257 Configuration file for syslogd
258
260 The effects of multiple selectors are sometimes not intuitive. For
261 example ``mail.crit,*.err'' will select ``mail'' facility messages at
262 the level of ``err'' or higher, not at the level of ``crit'' or higher.
263
265 sysklogd(8), klogd(8), logger(1), syslog(2), syslog(3)
266
268 The syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjel‐
269 lic.com) performed the port to Linux, Martin Schulze (joey@linux.de)
270 made some bugfixes and added some new features.
271Version 1.3 1 January 1998 SYSLOG.CONF(5)