syslogd(1M) syslogd(1M)
NAME
syslogd - log system messages
SYNOPSIS
/usr/etc/syslogd [ -fconfigfile ] [ -mmarkinterval ] [ -plogpipe ] [ -d ]
DESCRIPTION
syslogd reads and logs messages into a set of files described by the
configuration file /etc/syslog.conf. Each message is one line. A
message can contain a priority code, marked by a number in angle braces
at the beginning of the line. Priorities are defined in <sys/syslog.h>.
syslogd reads from the stream device /dev/log, from an Internet domain
socket specified in /etc/services, and from the special device /dev/klog
(to read kernel messages).
syslogd reads its configuration when it starts up and whenever it
receives a hangup signal. Lines in the configuration file have a
selector to determine the message priorities to which the line applies
and an action. The action fields are separated from the selector by one
or more tabs. A maximum of 50 lines can be specified. It is recommended
that no more than 49 be used, or the LOG_LFMT facility may not work
correctly; this facility is used by login(1), among other programs.
Selectors are semicolon-separated lists of priority specifiers. Each
priority has a facility describing the part of the system that generated
the message, a dot, and a level indicating the severity of the message.
Symbolic names can be used. An asterisk (*) selects all facilities,
while debug selects all levels. All messages of the specified level or
higher (greater severity) are selected. More than one facility can be
selected, using commas to separate them. For example:
*.emerg;mail,daemon.crit
selects all facilities at the emerg level and the mail and daemon
facilities at the crit level.
Known facilities and levels recognized by syslogd are those listed in
syslog(3C) without the leading LOG_. The additional facility mark logs
messages at priority LOG_INFO every 20 minutes (this interval can be
changed with the -m flag). The mark facility is not enabled by a
facility field containing an asterisk. The level none can be used to
disable a particular facility. For example:
*.debug;mail.none
sends all messages except mail messages to the selected file.
The second part of each line describes where the message is to be logged
if this line is selected. There are five forms:
o A filename (beginning with a leading slash). The file is opened in
append mode.
o A hostname preceded by an at sign (@). Selected messages are
forwarded to the syslogd on the named host.
o A comma-separated list of users. Selected messages are written to
those users if they are logged in.
o An asterisk. Selected messages are written to all logged-in users.
o A |, followed immediately by a program name, which is taken to be all
characters after the | up to the next tab; at least one action must
follow the tab. The filter is expected to read stdin and write the
filtered response to stdout. The filter receives the source and message
through stdin. A filter can also access the priority, facility, and
hostname via environment variables: PRIORITY, FACILITY, and FROM.
The values are stored as strings defined in <sys/syslog.h>. If the
filter exits with a non-zero value, the original message is logged, as
well as a message that the filter failed. The filter has a limited
time (currently eight seconds) to process the message. If the filter
exits with status 0 without writing any data, no message is logged.
The data to be read by the filter is not terminated with a newline,
nor should the data written have a newline appended. See below for a
sample filter.
Blank lines and lines beginning with # are ignored.
For example, the configuration file:
kern.debug |/usr/sbin/klogpp /var/adm/SYSLOG
kern.debug |/usr/sbin/klogpp /dev/console
user,mail,daemon,auth,syslog,lpr.debug /var/adm/SYSLOG
kern.err @ginger
*.emerg *
*.alert eric,beth
*.alert;auth.warning ralph
filters all kernel messages through klogpp(1M) and writes them to the
system console and into /var/adm/SYSLOG, and logs debug (or higher) level
messages from the user, mail, daemon, auth, syslog and lpr facilities into
the file /var/adm/SYSLOG. Kernel messages of error severity or higher are
forwarded to ginger. All users are informed of any emergency messages.
The users eric and beth are informed of any alert messages. The user
ralph is informed of any alert message or any warning message (or higher)
from the authorization system.
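The selector rules above (level-or-higher matching, comma-separated facilities, none, the asterisk that does not enable mark) and the tab-separated action field are easy to get wrong when reviewing a syslog.conf. This added example, not part of the manual page, evaluates selectors the way this page describes them and returns the actions a message would reach in the example configuration; the function names and the tab-separated EXAMPLE_CONF copy of the page's configuration are constructed here.

```python
import re

# syslog(3C) names without LOG_; emerg is index 0 (most severe), so
# "level or higher" means a level index less than or equal to the threshold.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "mark"]

def parse_selector(selector):
    """Map each facility in a selector to its minimum level index (None = disabled)."""
    table = {}
    for spec in selector.split(";"):
        facs, _, level = spec.rpartition(".")
        if not facs or (level != "none" and level not in LEVELS):
            raise ValueError("bad priority specifier: %r" % spec)
        # '*' enables every facility except mark; later specifiers override earlier ones.
        names = ([f for f in FACILITIES if f != "mark"] if facs == "*"
                 else [f.strip() for f in facs.split(",")])
        for fac in names:
            if fac not in FACILITIES:
                raise ValueError("unknown facility: %r" % fac)
            table[fac] = None if level == "none" else LEVELS.index(level)
    return table

def selector_matches(selector, facility, level):
    """True if a message logged at facility.level is selected by the selector."""
    threshold = parse_selector(selector).get(facility)
    return threshold is not None and LEVELS.index(level) <= threshold

def actions_for(config, facility, level):
    """Return the action field of every configuration line that selects facility.level."""
    actions = []
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):  # blank and comment lines
            continue
        parts = re.split(r"\t+", stripped, maxsplit=1)  # selector, then action(s)
        if selector_matches(parts[0], facility, level):
            actions.append(parts[1])
    return actions

# Constructed, tab-separated copy of the manual page's example configuration.
EXAMPLE_CONF = "\n".join([
    "kern.debug\t|/usr/sbin/klogpp\t/var/adm/SYSLOG",
    "kern.debug\t|/usr/sbin/klogpp\t/dev/console",
    "user,mail,daemon,auth,syslog,lpr.debug\t/var/adm/SYSLOG",
    "kern.err\t@ginger",
    "*.emerg\t*",
    "*.alert\teric,beth",
    "*.alert;auth.warning\tralph",
])
```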
syslogd is started at system initialization from /etc/init.d/sysetup.
Optional site-specific flags belong in /etc/config/syslogd.options. The
flags are:
-fconfigfile Specify an alternate configuration file.
-mmarkinterval Select the number of minutes between mark messages.
-d Turn on debugging. syslogd runs in the foreground and
writes debugging information to stdout.
-plogpipe Use the given name for the device instead of /dev/log.
syslogd rereads its configuration file when it receives a hangup signal,
SIGHUP. To bring syslogd down, send it a terminate signal (for example,
killall -TERM syslogd).
SECURITY CONSIDERATIONS
syslogd creates log files in mode 644, which allows general read access.
If the log file already exists, its permissions are unchanged. The
system administrator may wish to create separate log files with more
restricted permissions for sensitive information such as LOG_AUTH
messages. Scripts or cron(1M) jobs that roll (that is, save and restart
with a new file) these sensitive log files should ensure that the new log
file has the desired permissions.
This example shows how to use the filter mechanism. To have ftpd(1M)
messages logged in a different file, add the following line to
/etc/syslog.conf:
daemon,auth.debug |/var/adm/ftpd.filt /var/adm/ftpd.log
The /var/adm/ftpd.filt file is a shell script:
#!/bin/sh
# This filter only accepts ftpd messages.
# syslogd writes "source message" to stdin with no trailing newline, so
# read returns non-zero at EOF but still assigns the line.
read -r line
# Split into words; $1 becomes the source, for example "ftpd[1234]:".
set -- $line
case "$1" in
ftpd\[*)
    # Pass the message through unchanged, without appending a newline.
    printf '%s' "$line"
    exit 0
    ;;
esac
# Exit 0 with no output: syslogd drops the message.
exit 0
MESSAGE EXAMPLE
The following is an example line from the /var/adm/SYSLOG file:
Aug 10 10:32:53 6F:sgihost syslogd: restart
Each line has several parts. The date and time of the message are listed
first, followed by a priority and facility code. Priorities are listed
as 0-7 and facilities are listed as A-T; see <sys/syslog.h>. The
source is the name of the program that generated the message. Following
the source is the message itself.
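Splitting a /var/adm/SYSLOG line into these parts is useful when reviewing or correlating logs. This added example, not part of the manual page, decodes the date, priority digit, facility letter, host, source and message of the format shown above; the digit-to-level names are the standard LOG_ levels, while the letter-to-facility table assumes the LOG_ facility order of <sys/syslog.h> (kern=A through cron=J) and leaves later letters as a bare index.

```python
import re

# Priority digit 0-7 maps to the LOG_ level names, emerg (0) to debug (7).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility letter A-T maps to an index 0-19; assumed <sys/syslog.h> order for A..J.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron"]

# "Mon DD HH:MM:SS" <digit><letter>:<host> <source>: <message>
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<prio>[0-7])(?P<fac>[A-T]):(?P<host>\S+) "
    r"(?P<source>[^:]+): (?P<msg>.*)$")

def parse_syslog_line(line):
    """Decode one syslogd(1M) log line into its parts, or raise ValueError."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslogd(1M) log line: %r" % line)
    fac_index = ord(m.group("fac")) - ord("A")
    return {
        "date": m.group("date"),
        "level": LEVELS[int(m.group("prio"))],
        "facility": FACILITIES[fac_index] if fac_index < len(FACILITIES) else fac_index,
        "host": m.group("host"),
        "source": m.group("source"),
        "message": m.group("msg"),
    }

# Constructed sample lines; the first is the manual page's own example.
SAMPLE_LINES = [
    "Aug 10 10:32:53 6F:sgihost syslogd: restart",
    "Aug 10 10:33:07 4E:sgihost login: example auth warning (constructed)",
]
```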
FILES
/etc/syslog.conf default configuration file
/dev/log device read by syslogd
/dev/klog the kernel log device
/usr/sbin/klogpp filter for kernel messages
/etc/config/syslogd.options command-line flags used at system startup
SEE ALSO
logger(1), sysmon(1M), syslog(3C).