1.\" Copyright (c) 1990, 1991, 1993
2.\" The Regents of the University of California. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\" notice, this list of conditions and the following disclaimer in the
11.\" documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\" must display the following acknowledgement:
14.\" This product includes software developed by the University of
15.\" California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
33.\"
34.Dd June 9, 1993
35.Dt SYSLOG.CONF 5
36.Os
37.Sh NAME
38.Nm syslog.conf
39.Nd
40.Xr syslogd 8
41configuration file
42.Sh DESCRIPTION
43The
44.Nm syslog.conf
45file is the configuration file for the
46.Xr syslogd 8
47program.
48It consists of
49blocks of lines separated by
50.Em program
51specifications,
52with each line containing two fields: the
53.Em selector
54field which specifies the types of messages and priorities to which the
55line applies, and an
56.Em action
57field which specifies the action to be taken if a message
58.Xr syslogd
59receives matches the selection criteria.
60The
61.Em selector
62field is separated from the
63.Em action
64field by one or more tab characters.
65.Pp
66The
67.Em Selectors
68function
69are encoded as a
70.Em facility ,
71a period (``.''), and a
72.Em level ,
73with no intervening white-space.
74Both the
75.Em facility
76and the
77.Em level
78are case insensitive.
79.Pp
80The
81.Em facility
82describes the part of the system generating the message, and is one of
83the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail,
84mark, news, syslog, user, uucp and local0 through local7.
85These keywords (with the exception of mark) correspond to the
86similar
87.Dq Dv LOG_
88values specified to the
89.Xr openlog 3
90and
91.Xr syslog 3
92library routines.
93.Pp
94The
95.Em level
96describes the severity of the message, and is a keyword from the
97following ordered list (higher to lower): emerg, alert, crit, err,
98warning, notice, info and debug.
99These keywords correspond to the
100similar
101.Pq Dv LOG_
102values specified to the
103.Xr syslog
104library routine.
105.Pp
106Each block of lines is separated from the previous block by a tag. The tag
107is a line beginning with
108.Em #!prog
109or
110.Em !prog
111(the former is for compatibility with the previous syslogd, if one is sharing
112syslog.conf files, for example)
113and each block will be associated with calls to syslog from that specific
114program.
115.Pp
116See
117.Xr syslog 3
118for a further descriptions of both the
119.Em facility
120and
121.Em level
122keywords and their significance. It's preferred that selections be made on
123.Em facility
124rather than
125.Em program ,
126since the latter can easily vary in a networked environment. In some cases,
127though, an appropriate
128.Em facility
129simply doesn't exist (for example,
130.Em ftpd
131logs under LOG_DAEMON along with a myriad other programs).
132.Pp
133If a received message matches the specified
134.Em facility
135and is of the specified
136.Em level
137.Em (or a higher level) ,
138and the first word in the message after the date matches the
139.Em program ,
140the action specified in the
141.Em action
142field will be taken.
143.Pp
144Multiple
145.Em selectors
146may be specified for a single
147.Em action
148by separating them with semicolon (``;'') characters.
149It is important to note, however, that each
150.Em selector
151can modify the ones preceding it.
152.Pp
153Multiple
154.Em facilities
155may be specified for a single
156.Em level
157by separating them with comma (``,'') characters.
158.Pp
159An asterisk (``*'') can be used to specify all
160.Em facilities
161all
162.Em levels
163or all
164.Em programs .
165.Pp
166The special
167.Em facility
168``mark'' receives a message at priority ``info'' every 20 minutes
169(see
170.Xr syslogd 8 ) .
171This is not enabled by a
172.Em facility
173field containing an asterisk.
174.Pp
175The special
176.Em level
177``none'' disables a particular
178.Em facility .
179.Pp
180The
181.Em action
182field of each line specifies the action to be taken when the
183.Em selector
184field selects a message.
185There are five forms:
186.Bl -bullet
187.It
188A pathname (beginning with a leading slash).
189Selected messages are appended to the file.
190.It
191A hostname (preceded by an at (``@'') sign).
192Selected messages are forwarded to the
193.Xr syslogd
194program on the named host.
195.It
196A comma separated list of users.
197Selected messages are written to those users
198if they are logged in.
199.It
200An asterisk.
201Selected messages are written to all logged-in users.
202.It
203A vertical bar (``|''), followed by a command to pipe the selected
204messages to. The command is passed to a
205.Pa /bin/sh
206for evaluation, so usual shell metacharacters or input/output
207redirection can occur. (Note however that redirecting
208.Xr stdio 3
209buffered output from the invoked command can cause additional delays,
210or even lost output data in case a logging subprocess exited with a
211signal.) The command itself runs with
212.Em stdout
213and
214.Em stderr
215redirected to
216.Pa /dev/null .
217Upon receipt of a
218.Dv SIGHUP ,
219.Nm syslogd
220will close the pipe to the process. If the process didn't exit
221voluntarily, it will be sent a
222.Dv SIGTERM
223signal after a grace period of up to 40 seconds.
224.Pp
225The command will only be started once data arrives that should be piped
226to it. If it exited later, it will be restarted as necessary.
227.Pp
228Unless the command is a full pipeline, it's probably useful to
229start the command with
230.Em exec
231so that the invoking shell process does not wait for the command to
232complete. Warning: the process is started under the UID invoking
233.Xr syslogd 8 ,
234normally the superuser.
235.El
236.Pp
237Blank lines and lines whose first non-blank character is a hash (``#'')
238character are ignored.
239.Sh EXAMPLES
240.Pp
241A configuration file might appear as follows:
242.Bd -literal
243# Log all kernel messages, authentication messages of
244# level notice or higher and anything of level err or
245# higher to the console.
246# Don't log private authentication messages!
247*.err;kern.*;auth.notice;authpriv.none /dev/console
248
249# Log anything (except mail) of level info or higher.
250# Don't log private authentication messages!
251*.info;mail.none;authpriv.none /var/log/messages
252
253# The authpriv file has restricted access.
254authpriv.* /var/log/secure
255
256# Log all the mail messages in one place.
257mail.* /var/log/maillog
258
259# Everybody gets emergency messages, plus log them on another
260# machine.
261*.emerg *
262*.emerg @arpa.berkeley.edu
263
264# Root and Eric get alert and higher messages.
265*.alert root,eric
266
267# Save mail and news errors of level err and higher in a
268# special file.
269uucp,news.crit /var/log/spoolerr
270
271# Pipe all authentication messages to a filter.
272auth.* |exec /usr/local/sbin/authfilter
273
274# Save ftpd transactions along with mail and news
275!ftpd
276*.* /var/log/spoolerr
277.Ed
278.Sh FILES
279.Bl -tag -width /etc/syslog.conf -compact
280.It Pa /etc/syslog.conf
281The
282.Xr syslogd 8
283configuration file.
284.El
285.Sh BUGS
286The effects of multiple selectors are sometimes not intuitive.
287For example ``mail.crit,*.err'' will select ``mail'' facility messages at
288the level of ``err'' or higher, not at the level of ``crit'' or higher.
289.Sh SEE ALSO
290.Xr syslog 3 ,
291.Xr syslogd 8
2.\" The Regents of the University of California. All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\" notice, this list of conditions and the following disclaimer in the
11.\" documentation and/or other materials provided with the distribution.
12.\" 3. All advertising materials mentioning features or use of this software
13.\" must display the following acknowledgement:
14.\" This product includes software developed by the University of
15.\" California, Berkeley and its contributors.
16.\" 4. Neither the name of the University nor the names of its contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93
33.\"
34.Dd June 9, 1993
35.Dt SYSLOG.CONF 5
36.Os
37.Sh NAME
38.Nm syslog.conf
39.Nd
40.Xr syslogd 8
41configuration file
42.Sh DESCRIPTION
43The
44.Nm syslog.conf
45file is the configuration file for the
46.Xr syslogd 8
47program.
48It consists of
49blocks of lines separated by
50.Em program
51specifications,
52with each line containing two fields: the
53.Em selector
54field which specifies the types of messages and priorities to which the
55line applies, and an
56.Em action
57field which specifies the action to be taken if a message
58.Xr syslogd
59receives matches the selection criteria.
60The
61.Em selector
62field is separated from the
63.Em action
64field by one or more tab characters.
65.Pp
66The
67.Em Selectors
68function
69are encoded as a
70.Em facility ,
71a period (``.''), and a
72.Em level ,
73with no intervening white-space.
74Both the
75.Em facility
76and the
77.Em level
78are case insensitive.
79.Pp
80The
81.Em facility
82describes the part of the system generating the message, and is one of
83the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail,
84mark, news, syslog, user, uucp and local0 through local7.
85These keywords (with the exception of mark) correspond to the
86similar
87.Dq Dv LOG_
88values specified to the
89.Xr openlog 3
90and
91.Xr syslog 3
92library routines.
93.Pp
94The
95.Em level
96describes the severity of the message, and is a keyword from the
97following ordered list (higher to lower): emerg, alert, crit, err,
98warning, notice, info and debug.
99These keywords correspond to the
100similar
101.Pq Dv LOG_
102values specified to the
103.Xr syslog
104library routine.
105.Pp
106Each block of lines is separated from the previous block by a tag. The tag
107is a line beginning with
108.Em #!prog
109or
110.Em !prog
111(the former is for compatibility with the previous syslogd, if one is sharing
112syslog.conf files, for example)
113and each block will be associated with calls to syslog from that specific
114program.
115.Pp
116See
117.Xr syslog 3
118for a further descriptions of both the
119.Em facility
120and
121.Em level
122keywords and their significance. It's preferred that selections be made on
123.Em facility
124rather than
125.Em program ,
126since the latter can easily vary in a networked environment. In some cases,
127though, an appropriate
128.Em facility
129simply doesn't exist (for example,
130.Em ftpd
131logs under LOG_DAEMON along with a myriad other programs).
132.Pp
133If a received message matches the specified
134.Em facility
135and is of the specified
136.Em level
137.Em (or a higher level) ,
138and the first word in the message after the date matches the
139.Em program ,
140the action specified in the
141.Em action
142field will be taken.
143.Pp
144Multiple
145.Em selectors
146may be specified for a single
147.Em action
148by separating them with semicolon (``;'') characters.
149It is important to note, however, that each
150.Em selector
151can modify the ones preceding it.
152.Pp
153Multiple
154.Em facilities
155may be specified for a single
156.Em level
157by separating them with comma (``,'') characters.
158.Pp
159An asterisk (``*'') can be used to specify all
160.Em facilities
161all
162.Em levels
163or all
164.Em programs .
165.Pp
166The special
167.Em facility
168``mark'' receives a message at priority ``info'' every 20 minutes
169(see
170.Xr syslogd 8 ) .
171This is not enabled by a
172.Em facility
173field containing an asterisk.
174.Pp
175The special
176.Em level
177``none'' disables a particular
178.Em facility .
179.Pp
180The
181.Em action
182field of each line specifies the action to be taken when the
183.Em selector
184field selects a message.
185There are five forms:
186.Bl -bullet
187.It
188A pathname (beginning with a leading slash).
189Selected messages are appended to the file.
190.It
191A hostname (preceded by an at (``@'') sign).
192Selected messages are forwarded to the
193.Xr syslogd
194program on the named host.
195.It
196A comma separated list of users.
197Selected messages are written to those users
198if they are logged in.
199.It
200An asterisk.
201Selected messages are written to all logged-in users.
202.It
203A vertical bar (``|''), followed by a command to pipe the selected
204messages to. The command is passed to a
205.Pa /bin/sh
206for evaluation, so usual shell metacharacters or input/output
207redirection can occur. (Note however that redirecting
208.Xr stdio 3
209buffered output from the invoked command can cause additional delays,
210or even lost output data in case a logging subprocess exited with a
211signal.) The command itself runs with
212.Em stdout
213and
214.Em stderr
215redirected to
216.Pa /dev/null .
217Upon receipt of a
218.Dv SIGHUP ,
219.Nm syslogd
220will close the pipe to the process. If the process didn't exit
221voluntarily, it will be sent a
222.Dv SIGTERM
223signal after a grace period of up to 40 seconds.
224.Pp
225The command will only be started once data arrives that should be piped
226to it. If it exited later, it will be restarted as necessary.
227.Pp
228Unless the command is a full pipeline, it's probably useful to
229start the command with
230.Em exec
231so that the invoking shell process does not wait for the command to
232complete. Warning: the process is started under the UID invoking
233.Xr syslogd 8 ,
234normally the superuser.
235.El
236.Pp
237Blank lines and lines whose first non-blank character is a hash (``#'')
238character are ignored.
239.Sh EXAMPLES
240.Pp
241A configuration file might appear as follows:
242.Bd -literal
243# Log all kernel messages, authentication messages of
244# level notice or higher and anything of level err or
245# higher to the console.
246# Don't log private authentication messages!
247*.err;kern.*;auth.notice;authpriv.none /dev/console
248
249# Log anything (except mail) of level info or higher.
250# Don't log private authentication messages!
251*.info;mail.none;authpriv.none /var/log/messages
252
253# The authpriv file has restricted access.
254authpriv.* /var/log/secure
255
256# Log all the mail messages in one place.
257mail.* /var/log/maillog
258
259# Everybody gets emergency messages, plus log them on another
260# machine.
261*.emerg *
262*.emerg @arpa.berkeley.edu
263
264# Root and Eric get alert and higher messages.
265*.alert root,eric
266
267# Save mail and news errors of level err and higher in a
268# special file.
269uucp,news.crit /var/log/spoolerr
270
271# Pipe all authentication messages to a filter.
272auth.* |exec /usr/local/sbin/authfilter
273
274# Save ftpd transactions along with mail and news
275!ftpd
276*.* /var/log/spoolerr
277.Ed
278.Sh FILES
279.Bl -tag -width /etc/syslog.conf -compact
280.It Pa /etc/syslog.conf
281The
282.Xr syslogd 8
283configuration file.
284.El
285.Sh BUGS
286The effects of multiple selectors are sometimes not intuitive.
287For example ``mail.crit,*.err'' will select ``mail'' facility messages at
288the level of ``err'' or higher, not at the level of ``crit'' or higher.
289.Sh SEE ALSO
290.Xr syslog 3 ,
291.Xr syslogd 8