1SYSKLOGD(8) Linux System Administration SYSKLOGD(8)
2
3
4
6 sysklogd - Linux system logging utilities.
7
9 syslogd [ -46A ] [ -a socket ] [ -d ] [ -f config file ] [ -h ] [ -l
10 hostlist ] [ -m interval ] [ -n ] [ -p socket ] [ -r ] [ -s domainlist
11 ] [ -D dispatcher ] [ -v ] [ -x ]
12
14 Sysklogd provides two system utilities which provide support for system
15 logging and kernel message trapping. Support of both internet and unix
16 domain sockets enables this utility package to support both local and
17 remote logging.
18
19 System logging is provided by a version of syslogd(8) derived from the
20 stock BSD sources. Support for kernel logging is provided by the
21 klogd(8) utility which allows kernel logging to be conducted in either
22 a standalone fashion or as a client of syslogd.
23
24 Syslogd provides a kind of logging that many modern programs use.
25 Every logged message contains at least a time and a hostname field,
26 normally a program name field, too, but that depends on how trusty the
27 logging program is.
28
29 While the syslogd sources have been heavily modified a couple of notes
30 are in order. First of all there has been a systematic attempt to
31 insure that syslogd follows its default, standard BSD behavior. The
32 second important concept to note is that this version of syslogd inter‐
33 acts transparently with the version of syslog found in the standard
34 libraries. If a binary linked to the standard shared libraries fails
35 to function correctly we would like an example of the anomalous behav‐
36 ior.
37
38 The main configuration file /etc/syslog.conf or an alternative file,
39 given with the -f option, is read at startup. Any lines that begin
40 with the hash mark (``#'') and empty lines are ignored. If an error
41 occurs during parsing the whole line is ignored.
42
43
45 -4 Force syslogd to use IPv4 addresses only.
46
47 -6 Force syslogd to use IPv6 addresses only.
48
49 -A Ordinarily, syslogd tries to send the message to only one
50 address even if the host has more than one A or AAAA record. If
51 this option is specified, syslogd tries to send the message to
52 all addresses.
53
54 -a socket
55 Using this argument you can specify additional sockets from that
56 syslogd has to listen to. This is needed if you're going to let
57 some daemon run within a chroot() environment. You can use up
58 to 19 additional sockets. If your environment needs even more,
59 you have to increase the symbol MAXFUNIX within the syslogd.c
60 source file. An example for a chroot() daemon is described by
61 the people from OpenBSD at
62 http://www.psionic.com/papers/dns.html.
63
64 -d Turns on debug mode. Using this the daemon will not proceed a
65 fork(2) to set itself in the background, but opposite to that
66 stay in the foreground and write much debug information on the
67 current tty. See the DEBUGGING section for more information.
68
69 -f config file
70 Specify an alternative configuration file instead of /etc/sys‐
71 log.conf, which is the default.
72
73 -h By default syslogd will not forward messages it receives from
74 remote hosts. Specifying this switch on the command line will
75 cause the log daemon to forward any remote messages it receives
76 to forwarding hosts which have been defined.
77
78 -l hostlist
79 Specify a hostname that should be logged only with its simple
80 hostname and not the fqdn. Multiple hosts may be specified
81 using the colon (``:'') separator.
82
83 -m interval
84 The syslogd logs a mark timestamp regularly. The default inter‐
85 val between two -- MARK -- lines is 20 minutes. This can be
86 changed with this option. Setting the interval to zero turns it
87 off entirely.
88
89 -n Avoid auto-backgrounding. This is needed especially if the sys‐
90 logd is started and controlled by init(8).
91
92 -p socket
93 You can specify an alternative unix domain socket instead of
94 /dev/log.
95
96 -r This option will enable the facility to receive message from the
97 network using an internet domain socket with the syslog service
98 (see services(5)). The default is to not receive any messages
99 from the network.
100
101 This option is introduced in version 1.3 of the sysklogd pack‐
102 age. Please note that the default behavior is the opposite of
103 how older versions behave, so you might have to turn this on.
104
105 -s domainlist
106 Specify a domainname that should be stripped off before logging.
107 Multiple domains may be specified using the colon (``:'') sepa‐
108 rator. Please be advised that no sub-domains may be specified
109 but only entire domains. For example if -s north.de is speci‐
110 fied and the host logging resolves to satu.infodrom.north.de no
111 domain would be cut, you will have to specify two domains like:
112 -s north.de:infodrom.north.de.
113
114 -S Verbose logging. If specified once, the numeric facility and
115 priority are logged with each locally-written message. If speci‐
116 fied more than once, the names of the facility and priority are
117 logged with each locally-written message.
118
119 -D dispatcher
120 The syslogd daemon will start up a dispatcher program and open
121 standard input to the socketpair used to pass events. So, the
122 dispatcher only needs to read stdin. Because IPC communication
123 buffers have a limited size, it must read the events as fast as
124 possible. The syslogd send SIGTERM to indicate that the dis‐
125 patcher should exit.
126
127 -v Print version and exit.
128
129 -x Disable name lookups when receiving remote messages. This
130 avoids deadlocks when the nameserver is running on the same
131 machine that runs the syslog daemon.
132
134 Syslogd reacts to a set of signals. You may easily send a signal to
135 syslogd using the following:
136
137 kill -SIGNAL `cat /var/run/syslogd.pid`
138
139 SIGHUP This lets syslogd perform a re-initialization. All open files
140 are closed, the configuration file (default is /etc/syslog.conf)
141 will be reread and the syslog(3) facility is started again.
142
143 SIGTERM
144 The syslogd will die.
145
146 SIGINT, SIGQUIT
147 If debugging is enabled these are ignored, otherwise syslogd
148 will die.
149
150 SIGUSR1
151 Switch debugging on/off. This option can only be used if sys‐
152 logd is started with the -d debug option.
153
154 SIGCHLD
155 Wait for childs if some were born, because of wall'ing messages.
156
158 Syslogd uses a slightly different syntax for its configuration file
159 than the original BSD sources. Originally all messages of a specific
160 priority and above were forwarded to the log file.
161
162 For example the following line caused ALL output from daemons
163 using the daemon facilities (debug is the lowest priority, so
164 every higher will also match) to go into /usr/adm/daemons:
165
166 # Sample syslog.conf
167 daemon.debug /usr/adm/daemons
168
169 Under the new scheme this behavior remains the same. The difference is
170 the addition of four new specifiers, the asterisk (*) wildcard, the
171 equation sign (=), the exclamation mark (!), and the minus sign (-).
172
173 The * specifies that all messages for the specified facility are to be
174 directed to the destination. Note that this behavior is degenerate
175 with specifying a priority level of debug. Users have indicated that
176 the asterisk notation is more intuitive.
177
178 The = wildcard is used to restrict logging to the specified priority
179 class. This allows, for example, routing only debug messages to a par‐
180 ticular logging source.
181
182 For example the following line in syslog.conf would direct debug
183 messages from all sources to the /usr/adm/debug file.
184
185 # Sample syslog.conf
186 *.=debug /usr/adm/debug
187
188 The ! is used to exclude logging of the specified priorities. This
189 affects all (!) possibilities of specifying priorities.
190
191 For example the following lines would log all messages of the
192 facility mail except those with the priority info to the
193 /usr/adm/mail file. And all messages from news.info (including)
194 to news.crit (excluding) would be logged to the /usr/adm/news
195 file.
196
197 # Sample syslog.conf
198 mail.*;mail.!=info /usr/adm/mail
199 news.info;news.!crit /usr/adm/news
200
201 You may use it intuitively as an exception specifier. The above men‐
202 tioned interpretation is simply inverted. Doing that you may use
203
204 mail.none
205 or
206 mail.!*
207 or
208 mail.!debug
209
210 to skip every message that comes with a mail facility. There is much
211 room to play with it. :-)
212
213 The - may only be used to prefix a filename if you want to omit
214 sync'ing the file after every write to it.
215
216 This may take some acclimatization for those individuals used to the
217 pure BSD behavior but testers have indicated that this syntax is some‐
218 what more flexible than the BSD behavior. Note that these changes
219 should not affect standard syslog.conf(5) files. You must specifically
220 modify the configuration files to obtain the enhanced behavior.
221
223 These modifications provide network support to the syslogd facility.
224 Network support means that messages can be forwarded from one node run‐
225 ning syslogd to another node running syslogd where they will be actu‐
226 ally logged to a disk file.
227
228 To enable this you have to specify the -r option on the command line.
229 The default behavior is that syslogd won't listen to the network.
230
231 The strategy is to have syslogd listen on a unix domain socket for
232 locally generated log messages. This behavior will allow syslogd to
233 inter-operate with the syslog found in the standard C library. At the
234 same time syslogd listens on the standard syslog port for messages for‐
235 warded from other hosts. To have this work correctly the services(5)
236 files (typically found in /etc) must have the following entry:
237
238 syslog 514/udp
239
240 If this entry is missing syslogd neither can receive remote messages
241 nor send them, because the UDP port cant be opened. Instead syslogd
242 will die immediately, blowing out an error message.
243
244 To cause messages to be forwarded to another host replace the normal
245 file line in the syslog.conf file with the name of the host to which
246 the messages is to be sent prepended with an @.
247
248 For example, to forward ALL messages to a remote host use the
249 following syslog.conf entry:
250
251 # Sample syslogd configuration file to
252 # messages to a remote host forward all.
253 *.* @hostname
254
255 To forward all kernel messages to a remote host the configura‐
256 tion file would be as follows:
257
258 # Sample configuration file to forward all kernel
259 # messages to a remote host.
260 kern.* @hostname
261
262 If the remote hostname cannot be resolved at startup, because the name-
263 server might not be accessible (it may be started after syslogd) you
264 don't have to worry. Syslogd will retry to resolve the name ten times
265 and then complain. Another possibility to avoid this is to place the
266 hostname in /etc/hosts.
267
268 With normal syslogds you would get syslog-loops if you send out mes‐
269 sages that were received from a remote host to the same host (or more
270 complicated to a third host that sends it back to the first one, and so
271 on). In my domain (Infodrom Oldenburg) we accidently got one and our
272 disks filled up with the same single message. :-(
273
274 To avoid this in further times no messages that were received from a
275 remote host are sent out to another (or the same) remote host anymore.
276 If there are scenarios where this doesn't make sense, please drop me
277 (Joey) a line.
278
279 If the remote host is located in the same domain as the host, syslogd
280 is running on, only the simple hostname will be logged instead of the
281 whole fqdn.
282
283 In a local network you may provide a central log server to have all the
284 important information kept on one machine. If the network consists of
285 different domains you don't have to complain about logging fully quali‐
286 fied names instead of simple hostnames. You may want to use the strip-
287 domain feature -s of this server. You can tell the syslogd to strip
288 off several domains other than the one the server is located in and
289 only log simple hostnames.
290
291 Using the -l option there's also a possibility to define single hosts
292 as local machines. This, too, results in logging only their simple
293 hostnames and not the fqdns.
294
295 The UDP socket used to forward messages to remote hosts or to receive
296 messages from them is only opened when it is needed. In releases prior
297 to 1.3-23 it was opened every time but not opened for reading or for‐
298 warding respectively.
299
300
302 This version of syslogd has support for logging output to named pipes
303 (fifos). A fifo or named pipe can be used as a destination for log
304 messages by prepending a pipy symbol (``|'') to the name of the file.
305 This is handy for debugging. Note that the fifo must be created with
306 the mkfifo command before syslogd is started.
307
308 The following configuration file routes debug messages from the
309 kernel to a fifo:
310
311 # Sample configuration to route kernel debugging
312 # messages ONLY to /usr/adm/debug which is a
313 # named pipe.
314 kern.=debug |/usr/adm/debug
315
317 If you run syslogd with the -D option, you can route your messages to
318 dispatcher process. To specify messages, which go to dispatcher, you
319 use "!dispatcher" directive.
320
321 Following configuration routes info messages to a dispatcher
322 process:
323
324 *.info !dispatcher
325
327 There is probably one important consideration when installing this ver‐
328 sion of syslogd. This version of syslogd is dependent on proper for‐
329 matting of messages by the syslog function. The functioning of the
330 syslog function in the shared libraries changed somewhere in the region
331 of libc.so.4.[2-4].n. The specific change was to null-terminate the
332 message before transmitting it to the /dev/log socket. Proper func‐
333 tioning of this version of syslogd is dependent on null-termination of
334 the message.
335
336 This problem will typically manifest itself if old statically linked
337 binaries are being used on the system. Binaries using old versions of
338 the syslog function will cause empty lines to be logged followed by the
339 message with the first character in the message removed. Relinking
340 these binaries to newer versions of the shared libraries will correct
341 this problem.
342
343 Both the syslogd(8) and the klogd(8) can either be run from init(8) or
344 started as part of the rc.* sequence. If it is started from init the
345 option -n must be set, otherwise you'll get tons of syslog daemons
346 started. This is because init(8) depends on the process ID.
347
349 There is the potential for the syslogd daemon to be used as a conduit
350 for a denial of service attack. Thanks go to John Morrison (jmor‐
351 riso@rflab.ee.ubc.ca) for alerting me to this potential. A rogue pro‐
352 gram(mer) could very easily flood the syslogd daemon with syslog mes‐
353 sages resulting in the log files consuming all the remaining space on
354 the filesystem. Activating logging over the inet domain sockets will
355 of course expose a system to risks outside of programs or individuals
356 on the local machine.
357
358 There are a number of methods of protecting a machine:
359
360 1. Implement kernel firewalling to limit which hosts or networks
361 have access to the 514/UDP socket.
362
363 2. Logging can be directed to an isolated or non-root filesystem
364 which, if filled, will not impair the machine.
365
366 3. The ext2 filesystem can be used which can be configured to limit
367 a certain percentage of a filesystem to usage by root only.
368 NOTE that this will require syslogd to be run as a non-root
369 process. ALSO NOTE that this will prevent usage of remote log‐
370 ging since syslogd will be unable to bind to the 514/UDP socket.
371
372 4. Disabling inet domain sockets will limit risk to the local
373 machine.
374
375 5. Use step 4 and if the problem persists and is not secondary to a
376 rogue program/daemon get a 3.5 ft (approx. 1 meter) length of
377 sucker rod* and have a chat with the user in question.
378
379 Sucker rod def. — 3/4, 7/8 or 1in. hardened steel rod, male
380 threaded on each end. Primary use in the oil industry in West‐
381 ern North Dakota and other locations to pump 'suck' oil from oil
382 wells. Secondary uses are for the construction of cattle feed
383 lots and for dealing with the occasional recalcitrant or bel‐
384 ligerent individual.
385
387 When debugging is turned on using -d option then syslogd will be very
388 verbose by writing much of what it does on stdout. Whenever the con‐
389 figuration file is reread and re-parsed you'll see a tabular, corre‐
390 sponding to the internal data structure. This tabular consists of four
391 fields:
392
393 number This field contains a serial number starting by zero. This num‐
394 ber represents the position in the internal data structure (i.e.
395 the array). If one number is left out then there might be an
396 error in the corresponding line in /etc/syslog.conf.
397
398 pattern
399 This field is tricky and represents the internal structure
400 exactly. Every column stands for a facility (refer to sys‐
401 log(3)). As you can see, there are still some facilities left
402 free for former use, only the left most are used. Every field
403 in a column represents the priorities (refer to syslog(3)).
404
405 action This field describes the particular action that takes place
406 whenever a message is received that matches the pattern. Refer
407 to the syslog.conf(5) manpage for all possible actions.
408
409 arguments
410 This field shows additional arguments to the actions in the last
411 field. For file-logging this is the filename for the logfile;
412 for user-logging this is a list of users; for remote logging
413 this is the hostname of the machine to log to; for console-log‐
414 ging this is the used console; for tty-logging this is the spec‐
415 ified tty; wall has no additional arguments.
416
418 /etc/syslog.conf
419 Configuration file for syslogd. See syslog.conf(5) for exact
420 information.
421 /dev/log
422 The Unix domain socket to from where local syslog messages are
423 read.
424 /var/run/syslogd.pid
425 The file containing the process id of syslogd.
426
428 If an error occurs in one line the whole rule is ignored.
429
430 Syslogd doesn't change the filemode of opened logfiles at any stage of
431 process. If a file is created it is world readable. If you want to
432 avoid this, you have to create it and change permissions on your own.
433 This could be done in combination with rotating logfiles using the
434 savelog(8) program that is shipped in the smail 3.x distribution.
435 Remember that it might be a security hole if everybody is able to read
436 auth.* messages as these might contain passwords.
437
439 syslog.conf(5), klogd(8), logger(1), syslog(2), syslog(3), services(5),
440 savelog(8)
441
443 Syslogd is taken from BSD sources, Greg Wettstein (greg@wind.enjel‐
444 lic.com) performed the port to Linux, Martin Schulze (joey@linux.de)
445 fixed some bugs and added several new features. Klogd was originally
446 written by Steve Lord (lord@cray.com), Greg Wettstein made major
447 improvements.
448
449 Dr. Greg Wettstein
450 Enjellic Systems Development
451 Oncology Research Division Computing Facility
452 Roger Maris Cancer Center
453 Fargo, ND
454 greg@wind.enjellic.com
455
456 Stephen Tweedie
457 Department of Computer Science
458 Edinburgh University, Scotland
459 sct@dcs.ed.ac.uk
460
461 Juha Virtanen
462 jiivee@hut.fi
463
464 Shane Alderton
465 shane@ion.apana.org.au
466
467 Martin Schulze
468 Infodrom Oldenburg
469 joey@linux.de
470
471
472
473Version 1.3 12 October 1998 SYSKLOGD(8)