1SYSKLOGD(8)               Linux System Administration              SYSKLOGD(8)
2
3
4

NAME

6       sysklogd - Linux system logging utilities.
7

SYNOPSIS

9       syslogd  [  -46A  ] [ -a socket ] [ -d ] [ -f config file ] [ -h ] [ -l
10       hostlist ] [ -m interval ] [ -n ] [ -p socket ] [ -r ] [ -s  domainlist
11       ] [ -D dispatcher ] [ -v ] [ -x ]
12

DESCRIPTION

14       Sysklogd provides two system utilities which provide support for system
15       logging and kernel message trapping.  Support of both internet and unix
16       domain  sockets  enables this utility package to support both local and
17       remote logging.
18
19       System logging is provided by a version of syslogd(8) derived from  the
20       stock  BSD  sources.   Support  for  kernel  logging is provided by the
21       klogd(8) utility which allows kernel logging to be conducted in  either
22       a standalone fashion or as a client of syslogd.
23
24       Syslogd  provides  a  kind  of  logging  that many modern programs use.
25       Every logged message contains at least a time  and  a  hostname  field,
26       normally  a program name field, too, but that depends on how trusty the
27       logging program is.
28
29       While the syslogd sources have been heavily modified a couple of  notes
30       are  in  order.   First  of  all there has been a systematic attempt to
31       insure that syslogd follows its default, standard  BSD  behavior.   The
32       second important concept to note is that this version of syslogd inter‐
33       acts transparently with the version of syslog  found  in  the  standard
34       libraries.   If  a binary linked to the standard shared libraries fails
35       to function correctly we would like an example of the anomalous  behav‐
36       ior.
37
38       The  main  configuration  file /etc/syslog.conf or an alternative file,
39       given with the -f option, is read at startup.   Any  lines  that  begin
40       with  the  hash  mark (``#'') and empty lines are ignored.  If an error
41       occurs during parsing the whole line is ignored.
42
43

OPTIONS

45       -4     Force syslogd to use IPv4 addresses only.
46
47       -6     Force syslogd to use IPv6 addresses only.
48
49       -A     Ordinarily, syslogd tries  to  send  the  message  to  only  one
50              address even if the host has more than one A or AAAA record.  If
51              this option is specified, syslogd tries to send the  message  to
52              all addresses.
53
54       -a socket
55              Using this argument you can specify additional sockets from that
56              syslogd has to listen to.  This is needed if you're going to let
57              some  daemon  run within a chroot() environment.  You can use up
58              to 19 additional sockets.  If your environment needs even  more,
59              you  have  to  increase the symbol MAXFUNIX within the syslogd.c
60              source file.  An example for a chroot() daemon is  described  by
61              the           people           from          OpenBSD          at
62              http://www.psionic.com/papers/dns.html.
63
64       -d     Turns on debug mode.  Using this the daemon will not  proceed  a
65              fork(2)  to  set  itself in the background, but opposite to that
66              stay in the foreground and write much debug information  on  the
67              current tty.  See the DEBUGGING section for more information.
68
69       -f config file
70              Specify  an  alternative configuration file instead of /etc/sys‐
71              log.conf, which is the default.
72
73       -h     By default syslogd will not forward messages  it  receives  from
74              remote  hosts.   Specifying this switch on the command line will
75              cause the log daemon to forward any remote messages it  receives
76              to forwarding hosts which have been defined.
77
78       -l hostlist
79              Specify  a  hostname  that should be logged only with its simple
80              hostname and not the fqdn.   Multiple  hosts  may  be  specified
81              using the colon (``:'') separator.
82
83       -m interval
84              The syslogd logs a mark timestamp regularly.  The default inter‐
85              val between two -- MARK -- lines is 20  minutes.   This  can  be
86              changed with this option.  Setting the interval to zero turns it
87              off entirely.
88
89       -n     Avoid auto-backgrounding.  This is needed especially if the sys‐
90              logd is started and controlled by init(8).
91
92       -p socket
93              You  can  specify  an  alternative unix domain socket instead of
94              /dev/log.
95
96       -r     This option will enable the facility to receive message from the
97              network  using an internet domain socket with the syslog service
98              (see services(5)).  The default is to not receive  any  messages
99              from the network.
100
101              This  option  is introduced in version 1.3 of the sysklogd pack‐
102              age.  Please note that the default behavior is the  opposite  of
103              how older versions behave, so you might have to turn this on.
104
105       -s domainlist
106              Specify a domainname that should be stripped off before logging.
107              Multiple domains may be specified using the colon (``:'')  sepa‐
108              rator.   Please  be advised that no sub-domains may be specified
109              but only entire domains.  For example if -s north.de  is  speci‐
110              fied  and the host logging resolves to satu.infodrom.north.de no
111              domain would be cut, you will have to specify two domains  like:
112              -s north.de:infodrom.north.de.
113
114       -S     Verbose  logging.  If  specified  once, the numeric facility and
115              priority are logged with each locally-written message. If speci‐
116              fied  more than once, the names of the facility and priority are
117              logged with each locally-written message.
118
119       -D dispatcher
120              The syslogd daemon will start up a dispatcher program  and  open
121              standard  input  to  the socketpair used to pass events. So, the
122              dispatcher only needs to read stdin. Because  IPC  communication
123              buffers  have a limited size, it must read the events as fast as
124              possible. The syslogd send SIGTERM to  indicate  that  the  dis‐
125              patcher should exit.
126
127       -v     Print version and exit.
128
129       -x     Disable  name  lookups  when  receiving  remote  messages.  This
130              avoids deadlocks when the nameserver  is  running  on  the  same
131              machine that runs the syslog daemon.
132

SIGNALS

134       Syslogd  reacts  to  a set of signals.  You may easily send a signal to
135       syslogd using the following:
136
137              kill -SIGNAL `cat /var/run/syslogd.pid`
138
139       SIGHUP This lets syslogd perform a re-initialization.  All  open  files
140              are closed, the configuration file (default is /etc/syslog.conf)
141              will be reread and the syslog(3) facility is started again.
142
143       SIGTERM
144              The syslogd will die.
145
146       SIGINT, SIGQUIT
147              If debugging is enabled these  are  ignored,  otherwise  syslogd
148              will die.
149
150       SIGUSR1
151              Switch  debugging  on/off.  This option can only be used if sys‐
152              logd is started with the -d debug option.
153
154       SIGCHLD
155              Wait for childs if some were born, because of wall'ing messages.
156

CONFIGURATION FILE SYNTAX DIFFERENCES

158       Syslogd uses a slightly different syntax  for  its  configuration  file
159       than  the  original BSD sources.  Originally all messages of a specific
160       priority and above were forwarded to the log file.
161
162              For example the following line caused ALL  output  from  daemons
163              using  the  daemon  facilities (debug is the lowest priority, so
164              every higher will also match) to go into /usr/adm/daemons:
165
166                   # Sample syslog.conf
167                   daemon.debug             /usr/adm/daemons
168
169       Under the new scheme this behavior remains the same.  The difference is
170       the  addition  of  four  new specifiers, the asterisk (*) wildcard, the
171       equation sign (=), the exclamation mark (!), and the minus sign (-).
172
173       The * specifies that all messages for the specified facility are to  be
174       directed  to  the  destination.   Note that this behavior is degenerate
175       with specifying a priority level of debug.  Users have  indicated  that
176       the asterisk notation is more intuitive.
177
178       The  =  wildcard  is used to restrict logging to the specified priority
179       class.  This allows, for example, routing only debug messages to a par‐
180       ticular logging source.
181
182              For example the following line in syslog.conf would direct debug
183              messages from all sources to the /usr/adm/debug file.
184
185                   # Sample syslog.conf
186                   *.=debug            /usr/adm/debug
187
188       The ! is used to exclude logging of  the  specified  priorities.   This
189       affects all (!) possibilities of specifying priorities.
190
191              For  example  the  following lines would log all messages of the
192              facility mail  except  those  with  the  priority  info  to  the
193              /usr/adm/mail file.  And all messages from news.info (including)
194              to news.crit (excluding) would be logged  to  the  /usr/adm/news
195              file.
196
197                   # Sample syslog.conf
198                   mail.*;mail.!=info       /usr/adm/mail
199                   news.info;news.!crit     /usr/adm/news
200
201       You  may  use it intuitively as an exception specifier.  The above men‐
202       tioned interpretation is simply inverted.  Doing that you may use
203
204            mail.none
205       or
206            mail.!*
207       or
208            mail.!debug
209
210       to skip every message that comes with a mail facility.  There  is  much
211       room to play with it. :-)
212
213       The  -  may  only  be  used  to  prefix  a filename if you want to omit
214       sync'ing the file after every write to it.
215
216       This may take some acclimatization for those individuals  used  to  the
217       pure  BSD behavior but testers have indicated that this syntax is some‐
218       what more flexible than the BSD  behavior.   Note  that  these  changes
219       should not affect standard syslog.conf(5) files.  You must specifically
220       modify the configuration files to obtain the enhanced behavior.
221

SUPPORT FOR REMOTE LOGGING

223       These modifications provide network support to  the  syslogd  facility.
224       Network support means that messages can be forwarded from one node run‐
225       ning syslogd to another node running syslogd where they will  be  actu‐
226       ally logged to a disk file.
227
228       To  enable  this you have to specify the -r option on the command line.
229       The default behavior is that syslogd won't listen to the network.
230
231       The strategy is to have syslogd listen on  a  unix  domain  socket  for
232       locally  generated  log  messages.  This behavior will allow syslogd to
233       inter-operate with the syslog found in the standard C library.  At  the
234       same time syslogd listens on the standard syslog port for messages for‐
235       warded from other hosts.  To have this work correctly  the  services(5)
236       files (typically found in /etc) must have the following entry:
237
238                   syslog          514/udp
239
240       If  this  entry  is missing syslogd neither can receive remote messages
241       nor send them, because the UDP port cant be  opened.   Instead  syslogd
242       will die immediately, blowing out an error message.
243
244       To  cause  messages  to be forwarded to another host replace the normal
245       file line in the syslog.conf file with the name of the  host  to  which
246       the messages is to be sent prepended with an @.
247
248              For  example,  to  forward ALL messages to a remote host use the
249              following syslog.conf entry:
250
251                   # Sample syslogd configuration file to
252                   # messages to a remote host forward all.
253                   *.*            @hostname
254
255              To forward all kernel messages to a remote host  the  configura‐
256              tion file would be as follows:
257
258                   # Sample configuration file to forward all kernel
259                   # messages to a remote host.
260                   kern.*         @hostname
261
262       If the remote hostname cannot be resolved at startup, because the name-
263       server might not be accessible (it may be started  after  syslogd)  you
264       don't  have to worry.  Syslogd will retry to resolve the name ten times
265       and then complain.  Another possibility to avoid this is to  place  the
266       hostname in /etc/hosts.
267
268       With  normal  syslogds  you would get syslog-loops if you send out mes‐
269       sages that were received from a remote host to the same host  (or  more
270       complicated to a third host that sends it back to the first one, and so
271       on).  In my domain (Infodrom Oldenburg) we accidently got one  and  our
272       disks filled up with the same single message. :-(
273
274       To  avoid  this  in further times no messages that were received from a
275       remote host are sent out to another (or the same) remote host  anymore.
276       If  there  are  scenarios where this doesn't make sense, please drop me
277       (Joey) a line.
278
279       If the remote host is located in the same domain as the  host,  syslogd
280       is  running  on, only the simple hostname will be logged instead of the
281       whole fqdn.
282
283       In a local network you may provide a central log server to have all the
284       important  information kept on one machine.  If the network consists of
285       different domains you don't have to complain about logging fully quali‐
286       fied names instead of simple hostnames.  You may want to use the strip-
287       domain feature -s of this server.  You can tell the  syslogd  to  strip
288       off  several  domains  other  than the one the server is located in and
289       only log simple hostnames.
290
291       Using the -l option there's also a possibility to define  single  hosts
292       as  local  machines.   This,  too, results in logging only their simple
293       hostnames and not the fqdns.
294
295       The UDP socket used to forward messages to remote hosts or  to  receive
296       messages from them is only opened when it is needed.  In releases prior
297       to 1.3-23 it was opened every time but not opened for reading  or  for‐
298       warding respectively.
299
300

OUTPUT TO NAMED PIPES (FIFOs)

302       This  version  of syslogd has support for logging output to named pipes
303       (fifos).  A fifo or named pipe can be used as  a  destination  for  log
304       messages  by  prepending a pipy symbol (``|'') to the name of the file.
305       This is handy for debugging.  Note that the fifo must be  created  with
306       the mkfifo command before syslogd is started.
307
308              The  following configuration file routes debug messages from the
309              kernel to a fifo:
310
311                   # Sample configuration to route kernel debugging
312                   # messages ONLY to /usr/adm/debug which is a
313                   # named pipe.
314                   kern.=debug              |/usr/adm/debug
315

OUTPUT TO DISPATCHER

317       If you run syslogd with the -D option, you can route your  messages  to
318       dispatcher  process.  To  specify messages, which go to dispatcher, you
319       use "!dispatcher" directive.
320
321              Following configuration routes info  messages  to  a  dispatcher
322              process:
323
324                   *.info                   !dispatcher
325

INSTALLATION CONCERNS

327       There is probably one important consideration when installing this ver‐
328       sion of syslogd.  This version of syslogd is dependent on  proper  for‐
329       matting  of  messages  by  the syslog function.  The functioning of the
330       syslog function in the shared libraries changed somewhere in the region
331       of  libc.so.4.[2-4].n.   The  specific change was to null-terminate the
332       message before transmitting it to the /dev/log  socket.   Proper  func‐
333       tioning  of this version of syslogd is dependent on null-termination of
334       the message.
335
336       This problem will typically manifest itself if  old  statically  linked
337       binaries  are being used on the system.  Binaries using old versions of
338       the syslog function will cause empty lines to be logged followed by the
339       message  with  the  first  character in the message removed.  Relinking
340       these binaries to newer versions of the shared libraries  will  correct
341       this problem.
342
343       Both  the syslogd(8) and the klogd(8) can either be run from init(8) or
344       started as part of the rc.*  sequence.  If it is started from init  the
345       option  -n  must  be  set,  otherwise you'll get tons of syslog daemons
346       started.  This is because init(8) depends on the process ID.
347

SECURITY THREATS

349       There is the potential for the syslogd daemon to be used as  a  conduit
350       for  a  denial  of  service  attack.  Thanks go to John Morrison (jmor‐
351       riso@rflab.ee.ubc.ca) for alerting me to this potential.  A rogue  pro‐
352       gram(mer)  could  very easily flood the syslogd daemon with syslog mes‐
353       sages resulting in the log files consuming all the remaining  space  on
354       the  filesystem.   Activating logging over the inet domain sockets will
355       of course expose a system to risks outside of programs  or  individuals
356       on the local machine.
357
358       There are a number of methods of protecting a machine:
359
360       1.     Implement  kernel  firewalling  to limit which hosts or networks
361              have access to the 514/UDP socket.
362
363       2.     Logging can be directed to an isolated  or  non-root  filesystem
364              which, if filled, will not impair the machine.
365
366       3.     The ext2 filesystem can be used which can be configured to limit
367              a certain percentage of a filesystem  to  usage  by  root  only.
368              NOTE  that  this  will  require  syslogd to be run as a non-root
369              process.  ALSO NOTE that this will prevent usage of remote  log‐
370              ging since syslogd will be unable to bind to the 514/UDP socket.
371
372       4.     Disabling  inet  domain  sockets  will  limit  risk to the local
373              machine.
374
375       5.     Use step 4 and if the problem persists and is not secondary to a
376              rogue  program/daemon  get  a 3.5 ft (approx. 1 meter) length of
377              sucker rod* and have a chat with the user in question.
378
379              Sucker rod def. — 3/4, 7/8 or  1in.  hardened  steel  rod,  male
380              threaded  on each end.  Primary use in the oil industry in West‐
381              ern North Dakota and other locations to pump 'suck' oil from oil
382              wells.   Secondary  uses are for the construction of cattle feed
383              lots and for dealing with the occasional  recalcitrant  or  bel‐
384              ligerent individual.
385

DEBUGGING

387       When  debugging  is turned on using -d option then syslogd will be very
388       verbose by writing much of what it does on stdout.  Whenever  the  con‐
389       figuration  file  is  reread and re-parsed you'll see a tabular, corre‐
390       sponding to the internal data structure.  This tabular consists of four
391       fields:
392
393       number This field contains a serial number starting by zero.  This num‐
394              ber represents the position in the internal data structure (i.e.
395              the  array).   If  one number is left out then there might be an
396              error in the corresponding line in /etc/syslog.conf.
397
398       pattern
399              This field is  tricky  and  represents  the  internal  structure
400              exactly.   Every  column  stands  for  a facility (refer to sys‐
401              log(3)).  As you can see, there are still some  facilities  left
402              free  for  former use, only the left most are used.  Every field
403              in a column represents the priorities (refer to syslog(3)).
404
405       action This field describes the  particular  action  that  takes  place
406              whenever  a message is received that matches the pattern.  Refer
407              to the syslog.conf(5) manpage for all possible actions.
408
409       arguments
410              This field shows additional arguments to the actions in the last
411              field.   For  file-logging this is the filename for the logfile;
412              for user-logging this is a list of  users;  for  remote  logging
413              this  is the hostname of the machine to log to; for console-log‐
414              ging this is the used console; for tty-logging this is the spec‐
415              ified tty; wall has no additional arguments.
416

FILES

418       /etc/syslog.conf
419              Configuration  file  for  syslogd.  See syslog.conf(5) for exact
420              information.
421       /dev/log
422              The Unix domain socket to from where local syslog  messages  are
423              read.
424       /var/run/syslogd.pid
425              The file containing the process id of syslogd.
426

BUGS

428       If an error occurs in one line the whole rule is ignored.
429
430       Syslogd  doesn't change the filemode of opened logfiles at any stage of
431       process.  If a file is created it is world readable.  If  you  want  to
432       avoid  this,  you have to create it and change permissions on your own.
433       This could be done in combination  with  rotating  logfiles  using  the
434       savelog(8)  program  that  is  shipped  in  the smail 3.x distribution.
435       Remember that it might be a security hole if everybody is able to  read
436       auth.* messages as these might contain passwords.
437

SEE ALSO

439       syslog.conf(5), klogd(8), logger(1), syslog(2), syslog(3), services(5),
440       savelog(8)
441

COLLABORATORS

443       Syslogd is taken from BSD  sources,  Greg  Wettstein  (greg@wind.enjel‐
444       lic.com)  performed  the  port to Linux, Martin Schulze (joey@linux.de)
445       fixed some bugs and added several new features.  Klogd  was  originally
446       written  by  Steve  Lord  (lord@cray.com),  Greg  Wettstein  made major
447       improvements.
448
449       Dr. Greg Wettstein
450       Enjellic Systems Development
451       Oncology Research Division Computing Facility
452       Roger Maris Cancer Center
453       Fargo, ND
454       greg@wind.enjellic.com
455
456       Stephen Tweedie
457       Department of Computer Science
458       Edinburgh University, Scotland
459       sct@dcs.ed.ac.uk
460
461       Juha Virtanen
462       jiivee@hut.fi
463
464       Shane Alderton
465       shane@ion.apana.org.au
466
467       Martin Schulze
468       Infodrom Oldenburg
469       joey@linux.de
470
471
472
473Version 1.3                     12 October 1998                    SYSKLOGD(8)
Impressum