.\" Copyright (c) 1990, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     from: @(#)syslog.conf.5	8.1 (Berkeley) 6/9/93
.\"     $OpenBSD: syslog.conf.5,v 1.19 2004/07/03 05:32:18 djm Exp $
.\"	$NetBSD: syslog.conf.5,v 1.4 1996/01/02 17:41:46 perry Exp $
.\"
.Dd June 9, 1993
.Dt SYSLOG.CONF 5
.Os
.Sh NAME
.Nm syslog.conf
.Nd
.Xr syslogd 8
configuration file
.Sh DESCRIPTION
The
.Nm syslog.conf
file is the configuration file for the
.Xr syslogd 8
program.
It consists of blocks of lines separated by
.Em program
specifications, with each line containing two fields: the
.Em selector
field which specifies the types of messages and priorities to which the
line applies, and an
.Em action
field which specifies the action to be taken if a message
.Xr syslogd 8
receives matches the selection criteria.
The
.Em selector
field is separated from the
.Em action
field by one or more tab characters.
.Pp
Each
.Em selector
is encoded as a
.Em facility ,
a period
.Pq Ql \&. ,
and a
.Em level ,
with no intervening whitespace.
Both the
.Em facility
and the
.Em level
are case insensitive.
.Pp
The
.Em facility
describes the part of the system generating the message, and is one of
the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail,
mark, news, syslog, user, uucp and local0 through local7.
These keywords (with the exception of mark) correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr openlog 3
and
.Xr syslog 3
library routines.
.Pp
The
.Em level
describes the severity of the message, and is a keyword from the
following ordered list (highest to lowest): emerg, alert, crit, err,
warning, notice, info and debug.
These keywords correspond to the
similar
.Dq Dv LOG_
values specified to the
.Xr syslog 3
library routine.
.Pp
Each block of lines is separated from the previous block by a tag.
The tag is a line beginning with
.Em !prog
and each block will be associated with calls to syslog from that specific
program.
When a message matches multiple blocks, the action of each matching
block is taken.
If no tag is specified at the beginning of the file,
every line is checked for a match and acted upon
.Pq at least until a tag is found .
.Pp
.Em !!prog
causes the subsequent block to abort evaluation when a message matches,
ensuring that only a single set of actions is taken.
.Em !*\&
can be used to ensure that any ensuing blocks are further evaluated
(i.e. cancelling the effect of a
.Em !prog
or
.Em !!prog ) .
.Pp
See
.Xr syslog 3
for further descriptions of both the
.Em facility
and
.Em level
keywords and their significance.
It's preferred that selections be made on
.Em facility
rather than
.Em program ,
since the latter can easily vary in a networked environment.
In some cases, though, an appropriate
.Em facility
simply doesn't exist.
.Pp
If a received message matches the specified
.Em facility
and is of the specified
.Em level
.Pq Em or a higher level ,
and the first word in the message after the date matches the
.Em program ,
the action specified in the
.Em action
field will be taken.
.Pp
Multiple
.Em selectors
may be specified for a single
.Em action
by separating them with semicolon
.Pq Ql \&;
characters.
It is important to note, however, that each
.Em selector
can modify the ones preceding it.
.Pp
Multiple
.Em facilities
may be specified for a single
.Em level
by separating them with comma
.Pq Ql \&,
characters.
.Pp
An asterisk
.Pq Ql *
can be used to specify all
.Em facilities ,
all
.Em levels
or all
.Em programs .
.Pp
The special
.Em facility
.Dq mark
receives a message at priority
.Dq info
every 20 minutes (see
.Xr syslogd 8 ) .
This is not enabled by a
.Em facility
field containing an asterisk.
.Pp
The special
.Em level
.Dq none
disables a particular
.Em facility .
.Pp
The
.Em action
field of each line specifies the action to be taken when the
.Em selector
field selects a message.
There are five forms:
.Bl -bullet
.It
A pathname (beginning with a leading slash).
Selected messages are appended to the file.
.It
A hostname (preceded by an at
.Pq Ql @
sign).
Selected messages are forwarded to the
.Xr syslogd 8
program on the named host.
A port number may be optionally specified using the
.Ar host:port
syntax.
.It
A comma separated list of users.
Selected messages are written to those users
if they are logged in.
.It
An asterisk.
Selected messages are written to all logged-in users.
.It
A colon, followed by a memory buffer size
.Pq in kilobytes ,
followed by another colon, followed by a buffer name.
Selected messages are written to an in-memory buffer that may be read using
.Xr syslogc 8 .
Memory buffered logging is useful to provide access to log data on devices
that lack local storage (e.g. diskless workstations or routers).
The largest allowed buffer size is 256kb.
.El
.Pp
Blank lines and lines whose first non-blank character is a hash
.Pq Ql #
character are ignored.
.Sh FILES
.Bl -tag -width /etc/syslog.conf -compact
.It Pa /etc/syslog.conf
The
.Xr syslogd 8
configuration file.
.El
.Sh EXAMPLES
A configuration file might appear as follows:
.Bd -literal
# Log info (and higher) messages from spamd only to
# a dedicated file, discarding debug messages.
# Matching messages abort evaluation of further rules.
!!spamd
daemon.info						/var/log/spamd
daemon.debug						/dev/null
!*

# Log all kernel messages, authentication messages of
# level notice or higher and anything of level err or
# higher to the console.
# Don't log private authentication messages!
*.err;kern.*;auth.notice;authpriv.none			/dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none				/var/log/messages

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							/var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg							*
*.emerg							@arpa.berkeley.edu

# Root and Eric get alert and higher messages.
*.alert							root,eric

# Save mail and news errors of level err and higher in a
# special file.
mail,news.err						/var/log/spoolerr

# Save ftpd transactions along with mail and news
!ftpd
*.*							/var/log/spoolerr

# Keep a copy of all logging in a 32k memory buffer named "debug"
*.debug							:32:debug

# Store notices and authpriv messages in a 64k buffer named "important"
*.notice;authpriv.*					:64:important
.Ed
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr syslogc 8 ,
.Xr syslogd 8
.Sh HISTORY
The
.Nm
file appeared in
.Bx 4.3 ,
along with
.Xr syslogd 8 .
.Sh BUGS
The effects of multiple selectors are sometimes not intuitive.
For example
.Dq mail.crit;*.err
will select
.Dq mail
facility messages at the level of
.Dq err
or higher, not at the level of
.Dq crit
or higher.
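.Pp
The Python sketch below is an added example, not part of the original manual page or of the syslogd source; it models the selector rules described above, where each later selector replaces the level an earlier one set for the same facility, so the effect of selector order on exclusions such as authpriv.none can be checked before a file is deployed.
The function names are hypothetical, and the model assumes that an asterisk covers every facility except mark.

```python
# Added example: a model of syslog.conf selector evaluation as this page
# describes it. Function names are hypothetical, not taken from syslogd.
LEVELS = ["emerg", "alert", "crit", "err",
          "warning", "notice", "info", "debug"]   # highest to lowest
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"]
FACILITIES += ["local%d" % i for i in range(8)]


def compile_selectors(field):
    """Map each facility to the lowest level it logs (None = disabled)."""
    table = {name: None for name in FACILITIES + ["mark"]}
    for selector in field.lower().split(";"):
        facilities, dot, level = selector.strip().rpartition(".")
        if not dot:
            raise ValueError("selector needs facility.level: %r" % selector)
        if level == "none":
            threshold = None                  # disables the facility
        elif level == "*":
            threshold = len(LEVELS) - 1       # every level
        else:
            threshold = LEVELS.index(level)   # ValueError if unknown
        for name in facilities.split(","):
            # An asterisk expands to every facility except "mark".
            for target in (FACILITIES if name == "*" else [name]):
                if target not in table:
                    raise ValueError("unknown facility: %r" % target)
                # A later selector replaces what an earlier one set.
                table[target] = threshold
    return table


def selects(field, facility, level):
    """True if a message of facility.level is selected by the field."""
    threshold = compile_selectors(field)[facility.lower()]
    return threshold is not None and LEVELS.index(level.lower()) <= threshold


def exposed_facilities(field, private=("authpriv",)):
    """Private facilities that the field still selects at some level."""
    table = compile_selectors(field)
    return [name for name in private if table[name] is not None]
```

In this model exposed_facilities("authpriv.none;*.info") returns ["authpriv"], because the wildcard that follows the exclusion re-enables the facility, while "*.info;authpriv.none" returns an empty list.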
316