NAME

syslog.conf —

configuration file format for syslogd(8)

DESCRIPTION

The syslog.conf file is the configuration file for syslogd(8), it consists of rules for logging and controlling daemon behavior. Logging rules are blocks of lines separated by optional program, hostname, or property-based filter specifications. Each rule in such a block contains at least two fields: the selector field which specifies the types of messages and priorities to which the line applies, and an action field which specifies the action to be taken if a message syslogd(8) receives matches the selection criteria. A rule may also have an option field, e.g., to select log format.

The fields are separated by one or more tab characters or spaces. A rule may be divided into several lines if the leading line ends with a single backslash ('\') character.

PROGRAM  := !IDENT[,IDENT] 
         |= !+IDENT[,IDENT] 
	 |= !-IDENT[,IDENT] 
HOSTNAME := +IDENT[,IDENT] 
	 |= -IDENT[,IDENT] 
PROPERTY := :PROP, [PREFIX]OPERATOR, "VALUE" 
PROP     := hostname 
	 |= msg 
         |= msgid 
         |= propertyname 
         |= sd 
         |= data 
	 |= source 
OPERATOR := contains 
         |= isequal 
         |= startswith 
         |= regex 
         |= eregex 
PREFIX   := [PREFIX] 
         |= ! 
         |= icase_ 
RULE     := SELECTOR  ACTION  [;OPTION] 
SELECTOR := [SELECTOR;]facility[,facility].[!=]severity 
ACTION   := /path/to/file 
         |= |/path/to/named/pipe 
	 |= @remote[.host.tld][:PORT] 
OPTION   := [OPTION,] 
	 |= RFC3164 
	 |= RFC5424 
	 |= iface=IFNAME 
         |= rotate=ROT 
	 |= ttl=1..255 
ROT      := SIZE:COUNT 
         |= SIZE 
	 |= :COUNT 
 
udp_size 480..2048 
 
secure_mode [0,1,2] 
 
rotate_size  SIZE 
rotate_count NUMBER 
 
listen [address:port[%iface] | :port | address[%iface]] 
 
include /etc/syslog.d/*.conf 
notify  /path/to/script-on-rotate

Each block of rules is separated from the previous block by a program, hostname, or property-based filter specification. A block only logs messages corresponding to the most recent program, hostname and property-based filter specification given. Thus, a block with a ‘ppp’ program filter directly followed by another block ‘dialhost’ hostname filter will only log ppp(8) messages from dialhost. For an example, see Program and Hostname Filtering.

A program filter specification is a line starting with ‘#!prog’ or ‘!prog’ (the former is for compatibility with other syslogd implementations) and the following rules are then associated with this specification only. The ‘#!+prog’ or ‘!+prog’ specification works just like the previous one, and the ‘#!-prog’ or ‘!-prog’ specification will match any message excluding prog. Multiple programs may be listed, separated by commas: ‘!prog1,prog2’ matches messages from either program, while ‘!-prog1,prog2’ matches all messages except those from ‘prog1’ or ‘prog2’. You can reset the program specification at any time using the ‘!*’ syntax. The program specification is also reset for each included .conf file.

A hostname filter specification of the form ‘#+hostname’ or ‘+hostname’ means the following blocks will be applied to messages received from the specified hostname. Alternatively, the hostname specification ‘#-hostname’ or ‘-hostname’ causes the following blocks to be applied to messages from any host except the one(s) specified. If the hostname is given as ‘@’, the local hostname will be used. Similar to program specifications, multiple comma-separated values may be specified for hostname specifications.

A property-based filter specification is a line beginning with ‘#:’ or ‘’: and the following blocks will be applied only when filter value matches given filter properties value. See PROPERTY-BASED FILTERS section for more details. For examples, see EXAMPLES section, below.

The selector field specifies a pattern of facilities and priorities belonging to the specified action. The action details where or what to do with the selected input. The option field, which must start with the semi-colon option delimiter (';'), currently supports log formatting, log rotation, outbound interface and TTL when forwarding to a multicast group.

The default log format is the traditional RFC3164 (included here for completeness), except for remote syslog targets where the BSD format (without both timestamp and hostname) is the default. The user must explicitly set RFC3164 on a remote logging target. RFC5424 is the newest format with RFC3339 time stamps, msgid, structured data, and more. The BSD format cannot be set, it is only the default for remote targets for compatibility reasons.

BSD:: myproc[8710]: Kilroy was here.
RFC3164:: Aug 24 05:14:15 192.0.2.1 myproc[8710]: Kilroy was here.
RFC5424:: 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - Kilroy was here.

The log rotation, which is only relevant for files, details the max SIZE:COUNT a file can reach before it is rotated, and later compressed. This feature is mostly intended for embedded systems that do not want to have cron or a separate log rotate daemon. It is possible to specify only size or count, in which case the global setting covers the other. E.g., to set only the rotation count, use: rotate=:COUNT.

The ‘rotate_size SIZE’ and ‘rotate_count COUNT’ are the same as the syslogd -r SIZE:COUNT command line option. Remember, command line options take precedence over .conf file settings.

Note: the permissions of the rotated files are kept. Meaning the administrator can create all log files, before starting syslog.conf the first time, with the permissions needed for the site. However, if the log files do not exist, syslog.conf will create them with the user and group it runs as and 0644 permissions.

Forwarding of messages to another syslog server is accomplished with the ‘@’ prefix to a hostname, an IP address, or a multicast group. All IPv6 addresses must be enclosed in brackets. For multicast groups both an outbound interface and TTL can be se, per log target. By default the routing table is used (by the kernel) and the TTL defaults to 1, unlike unicast which defaults to 64.

Comments, lines starting with a hash mark ('#'), and empty lines are ignored. If an error occurs during parsing the whole line is ignored.

The ‘udp_size 480..2048’ option controls the maximum size of the UDP payload, which is the full syslog message including the header. This setting is the same as the command line option -M, which like all command line options take precedence. The default (1024 bytes) follow RFC3164. Before tweaking this, please read section 3.2 of RFC5426, it recommends 480 bytes for IPv4 and 1180 bytes for IPv6 to avoid fragmentation.

The ‘secure_mode <0-2>’ option is the same as the syslogd -s command line option. Note: again, command line option always wins, so you need to drop -s from the command line to use this .conf file option instead.

0: act as a syslog sink, listening on UDP port 514 by default, as well as support for sending to remote syslog servers
1: only support for sending to remote syslog servers, no Internet ports open
2: no Internet ports open at all, and no remote logging possible

# Example: only allow logging to remote servers 
secure_mode 1

The ‘

listen
  [address:port[%iface] |
  address[%iface] |
  :port
]

’ option is the same as the syslogd -b addr[:port][%iface] command line option. Like its counterpart it has no effect unless the ‘secure_mode’ option is disabled. Multiple listen statements are allowed and any command line directives are treated as "static" and cannot be removed or modified using the configuration file. Both unicast IP and multicast group addresses are supported, enclose IPv6 addresses in brackets. Multicast groups are "joined" using an OS-level setsockopt() call, most operating systems translate this to IGMP/MLD membership reports on the network. The optional ‘%iface’ syntax is for multicast groups, it allows joining a group on a given interface (by name). If the interface is omitted the routing table is used, which often is not desirable for multicast.

The ‘notify <PATH>’ option specifies the path to an executable program which will get called whenever a log file has been rotated, with the name of the file, less its rotation suffix ‘.0’, as an argument. For example: ‘notify /sbin/on-log-rotate.sh’. Any number of notifiers may be installed.

The ‘include <PATH/*.conf>’ option can be used to include all files with names ending in '.conf' and not beginning with a '.' contained in the directory following the keyword. This keyword can only be used in the first level configuration file. The included example /etc/syslog.conf has the following at the end:

# 
# Drop your subsystem .conf file in /etc/syslog.d/ 
# 
include /etc/syslog.d/*.conf

Note that if you use spaces as separators, your syslog.conf might be incompatible with other Unices or Unix-like systems. This functionality was added for ease of configuration (e.g. it is possible to cut-and-paste into syslog.conf), and to avoid possible mistakes. This change however preserves backwards compatibility with the old style of syslog.conf (i.e., tab characters only).

SELECTORS

The selector field consists of two parts, a facility and a priority, separated by a period ('.'). Both parts are case insensitive and can also be specified as decimal numbers corresponding to the definitions in /usr/include/syslog.h. It is safer to use symbolic names rather than decimal numbers. Both facilities and priorities are described in syslogp(3). The names mentioned below correspond to the similar ‘LOG_FOO’ values in /usr/include/syslog.h.

The facility is one of the following keywords:

Code	Facility	Description
0	kern	Kernel log messages
1	user	User-level messages
2	mail	Mail system
3	daemon	General system daemons
4	auth	Security/authorization messages
5	syslog	Messages generated by syslogd
6	lpr	Line printer subsystem
7	news	Network news subsystem
8	uucp	UNIX-to-UNIX copy
9	cron	Clock/cron daemon (BSD, Linux)
10	authpriv	Security/authorization messages (private)
11	ftp	FTP daemon
12	ntp	NTP subsystem
13	security	Log audit
14	console	Log alert
15	unused	Clock/cron daemon (Solaris)
16	local0	Reserved for local/system use
17	local1	Reserved for local/system use
18	local2	Reserved for local/system use
19	local3	Reserved for local/system use
20	local4	Reserved for local/system use
21	local5	Reserved for local/system use
22	local6	Reserved for local/system use
23	local7	Reserved for local/system use

Notice, several of the above listed facilities are not supported by the standard C library (GLIBC, musl libc, or uClibc) on Linux. libsyslog, shipped with sysklogd, however, supports all the above facilities in full. Also, the keyword ‘mark’ is only for internal use and should therefore not be used in applications. The facility specifies the subsystem that produced the message, e.g. all mail programs log with the mail facility, ‘LOG_MAIL’, if they log using syslog.

In most cases anyone can log to any facility, so we rely on convention for the correct facility to be chosen. However, generally only the kernel can log to the ‘kern’ facility. This because the implementation of openlog(3) and syslog(3) in GLIBC does not allow logging to the ‘kern’ facility.

The priority is one of the following keywords, in ascending order:

Value	Severity	Description
0	emergency	System is unusable
1	alert	Action must be taken immediately
2	critical	Critical conditions
3	error	Error conditions
4	warning	Warning conditions
5	notice	Normal but significant conditions
6	info	Informational messages
7	debug	Debug-level messages

The default log level of most applications is ‘notice’, meaning only ‘notice’ and above are forwarded to syslogd. See setlogmask(3) for more information on how to change the default log level of your application.

In addition to the above mentioned facility and priority names, syslogd(8) understands the following extensions:

*: An asterisk ('*') matches all facilities or all priorities, depending on where it is used (before or after the period).
none: The keyword ‘none’ stands for no priority of the given facility.
,: Multiple facilities may be specified for a single priority pattern in one statement using the comma (',') operator to separate the facilities. You may specify as many facilities as you want. Please note that only the facility part from such a statement is taken, a priority part would be ignored.
;: Multiple selectors may be specified for a single action using the semicolon (';') separator. Selectors are processed from left to right, with each selector being able to overwrite preceding ones. Using this behavior you are able to exclude some priorities from the pattern.
=: This version of syslogd(8) has a syntax extension to the original BSD source, which makes its use more intuitive. You may precede every priority with an equation sign ('=') to specify that only this single priority should be matched, instead of the default: this priority and all higher priorities.
!: You may also precede the priority with an exclamation mark ('!') if you want to ignore this priority and all higher priorities. You may even use both the exclamation mark and the equation sign if you want to ignore a single priority. If both extensions are used, the exclamation mark must occur before the equation sign.

ACTIONS

The action field of a rule is the destination or target for a match. It can be a file, a UNIX named pipe, the console, or a remote machine.

Regular File

Typically messages are logged to real files. The filename is specified with an absolute path name.

You may prefix each entry with a minus sign ('-') to avoid syncing the file after each log message. Note that you might lose information if the system crashes right after a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner.

Named Pipes

This version of syslogd(8) supports logging to named pipes (FIFOs). A FIFO, or named pipe, can be used as a destination for log messages by prepending a pipe symbol ('|') to the name of the file. This can be very handy for debugging. Note that the FIFO must be created with the mkfifo(1) command before syslogd is started.

Terminal and Console

If the file you specified is a tty, special tty-handling is done, same with /dev/console.

Remote Machine

Full remote logging support is available in syslogd, i.e. to send messages to a remote syslog server, and and to receive messages from remote hosts. To forward messages to another host, prepend the hostname with the at sign ('@'). If a port number is added after a colon (':') then that port will be used as the destination port rather than the usual syslog port.

This feature makes it possible to collect all syslog messages in a network on a central host. This reduces administration needs and can be really helpful when debugging distributed systems.

Using a named pipe log method, messages from remote hosts can be sent to a log program. By reading log messages line by line such a program is able to sort log messages by host name or program name on the central log host. This way it is possible to split the log into separate files.

By default messages to remote remote hosts were formatted in the original BSD style, without timestamp or hostname. As of syslogd v2.0 the default includes timestamp and hostname. It is also possible to enable the new RFC5424 style formatting, append ';RFC5424' after the hostname.

List of Users

Usually critical messages are also directed to ‘root’ on that machine. You can specify a list of users that ought to receive the log message on their terminal by writing their usernames. You may specify more than one user by separating the usernames with commas (','). Only logged in users will receive the log messages.

Everyone logged on

Emergency messages often go to all users currently online to notify them that something strange is happening with the system. To specify this wall(1) feature use an asterisk ('*').

PROPERTY-BASED FILTERS

The program and hostname specifications perform exact match filtering against explicit fields only. Property-based filters feature substring and regular expression matching, (see re_format(7)) on various message properties. Property filter specifications starts with ‘#:’ or ‘:’ followed by three comma-separated fields property, operator, "value". The value field must be double-quoted. A double quote and backslash must be escaped by a backslash.

The following properties are supported as test value:

msg: Body of the message received
msgid: Message ID. Only available for messages received in RFC5424 format
sd: Structured data. Only available for messages received in RFC5424 format
data: Alias for ‘sd’
programname: Name of program that sent the message
hostname: Hostname of message's originator
source: Alias for ‘hostname’

The operator field specifies a comparison function between a message property value against the filter's value. Possible operators are:

contains: true if the filter value is found as a substring of property
isequal: true if the filter value is equal to property
startswith: true if the message property start with the filter value
regex: true if the message property matches basic regular expression defined in the filter value
ereregex: true if the message property matches the extended regular expression defined in the filter value
eregex: alias for ‘ereregex’

An operator may be prefixed by

!: to invert compare logic
icase_: to make comparison function case-insensitive

For examples, please see the EXAMPLES section, below.

IMPLEMENTATION NOTES

The “kern” facility is usually reserved for messages generated by the local kernel. Other messages logged with facility “kern” are usually translated to facility “user”. This translation can be disabled; see syslogd(8) for details.

FILES

/etc/syslog.conf: syslogd(8) configuration file
/etc/syslog.d/*.conf: Recommended directory for .conf snippets

EXAMPLES

This section lists some examples, partially from actual site setups.

Catch Everything

This example matches all facilities and priorities and stores everything in the file /var/log/syslog in RFC5424 format. Every time the file reaches 10 MiB it is rotated and five files in total are kept, including the non-rotated file.

# Match all log messages, store in RC5424 format and rotate every 10 MiB 
# 
*.*                          /var/log/critical    ;rotate=10M:5,RFC5424

Program Based Filtering

In this example we funnel logs from a couple of multicast routing daemons to their own log files. The first exclusion filter ensure the syslog file does not get either daemon's logs.

# Match all log messages, except from certain programs 
# 
!-pimd,mrouted 
*.*                          /var/log/syslog 
!+pimd 
*.*                          /var/log/pimd 
!+mrouted 
*.*                          /var/log/mrouted

Hostname Based Filtering

Redirect logs from two remote hosts: ‘finlandia’ and ‘sibelius’, to their own dedicated log files.

# Match all log messages, except from certain programs 
# 
-finlandia,sibelius 
*.*                          /var/log/syslog 
+finlandia 
*.*                          /var/log/finlandia 
+sibelius 
*.*                          /var/log/sibelius

Program and Hostname Filtering

This example shows one combination of program and hostname filters.

# Log all local messages, except pppd 
-finlandia,sibelius 
!-ppp 
*.*                          /var/log/syslog 
 
# Local pppd messages of severity info, or higer, go to its own log file 
!+ppp 
*.info                       /var/log/ppp.log 
 
# All pppd messages from host finlandia 
+finlandia 
*.*                          /var/log/finlandia.ppp.log 
 
# All mrouted messages from host sibelius 
# Note, any pppd messages from siblius are dropped 
+sibelius 
!+mrouted 
*.*                          /var/log/sibelius.mrouted.log

Property Based Filtering

These examples show off the substring and regexp matching capabilities.

# Catch any message that has the substring 'error' 
:msg, icase_contains, "ERROR" 
*.*			     /var/log/error.log 
 
# Log messages from bird or bird6 into one file 
:programname, regex, "^bird6?$" 
*.*			     /var/log/bird-all.log 
 
# Log messages from servers in racks 10-19 in multiple locations, case insensitive 
:hostname, icase_ereregex, "^server-(dcA|podB|cdn)-rack1[0-9]{2}..*" 
*.*			     /var/log/racks10-19.log

Critical

This stores all messages of priority ‘crit’ in the file /var/log/critical, with the exception of any kernel messages.

# Store critical stuff in critical 
# 
*.=crit;kern.none            /var/log/critical

Kernel

This is an example of the 2nd selector overwriting part of the first one. The first selector selects kernel messages of priority ‘info’ and higher. The second selector filters out kernel messages of priority ‘error’ and higher. This leaves just priorities ‘info’, ‘notice’, and ‘warning’ to get logged.

# Kernel messages are stored in the kernel file, critical messages and 
# higher ones also go to another host and to the console 
# 
kern.*                       /var/log/kernel 
kern.crit                    @arpa.berkeley.edu   ;RFC5424 
kern.crit                    /dev/console 
kern.info;kern.!err          /var/log/kernel.info

The first rule directs any message that has the kernel facility to the file /var/log/kernel. Recall that only the kernel itself can log to this facility.

The second statement directs all kernel messages of priority ‘crit’ and higher to the remote host ‘arpa.berkeley.edu’ in RFC5424 style formatting. This is useful, because if the host crashes and the disks get irreparable errors you might not be able to read the stored messages. If they're on a remote host, too, you still can try to find out the reason for the crash.

The third rule directs kernel messages of priority ‘crit’ and higher to the actual console, so the person who works on the machine will get them, too.

The fourth line tells syslogd to save all kernel messages that come with priorities from ‘info’ up to ‘warning’ in the file /var/log/kernel.info.

Redirecting to a TTY

This directs all messages that use ‘mail.info’ (in source ‘LOG_MAIL | LOG_INFO’) to /dev/tty12, the 12th console. For example the tcpwrapper tcpd(8) uses this as its default.

# The tcp wrapper logs with mail.info, we display 
# all the connections on tty12 
# 
mail.=info                   /dev/tty12

Redirecting to a file

This pattern matches all messages that come with the ‘mail’ facility, except for the ‘info’ priority. These will be stored in the file /var/log/mail.

# Write all mail related logs to a file 
# 
mail.*;mail.!=info           /var/log/mail

Single Priority from Two Facilities

This will extract all messages that come either with ‘mail.info’ or with ‘news.info’ and store them in the file /var/log/info.

# Log all mail.info and news.info messages to info 
# 
mail,news.=info              /var/log/info

Advanced Filtering, part 1

This logs all messages that come with either the ‘info’ or the ‘notice’ priority into the file /var/log/messages, except for all messages that use the ‘mail’ facility.

# Log info and notice messages to messages file 
# 
*.=info;*.=notice;\ 
	mail.none            /var/log/messages

Advanced Filtering, part 2

This statement logs all messages that come with the ‘info’ priority to the file /var/log/messages. But any message with either ‘mail’ or the ‘news’ facility are not logged.

# Log info messages to messages file 
# 
*.=info;\ 
	mail,news.none       /var/log/messages

Wall Messages

This rule tells syslogd to write all emergency messages to all currently logged in users. This is the wall action.

# Emergency messages will be displayed using wall 
# 
*.=emerg                     *

Alerting Users

This rule directs all messages of priority ‘alert’ or higher to the terminals of the operator, i.e. of the users 'root' and 'eric', if they're logged in.

# Any logged in root user and Eric get alert and higher messages. 
# 
*.alert                      root,eric

Log Rotation

This example logs all messages except kernel messages to the file /var/log/messages without syncing ('-') the file after each log message. When the file reaches 100 kiB it is rotated. In total are only 10 rotated files, including the main file itself and compressed files kept. The size argument takes the same modifiers as the syslogd(8) command line option, -r.

# Log all messages, including kernel, to the messages file rotate it 
# every 100 kiB and keep up to 10 aged out, and compressed, files. 
# 
*.*;kern.none               -/var/log/messages    ;rotate=100k:10

Logging to Remote Syslog Server

These rules redirect all messages to remote hosts. The first is to ‘finlandia’, with RFC5424 style formatting, the second to ‘sibelius’, on a non-standard port and with RFC3164 formatting (i.e., including timestamp and hostname).

Two multicast groups are used ‘225.1.2.3’ and ‘225.1.2.4’ with a TTL set to 10 and 3, respectively, to allow the messages to be routed beyond the LAN. Messages to the first group will egress the interface connected to the default route, and the second group's messages will egress ‘eth2’.

*.*                @finlandia      ;RFC5424 
*.*                @sibelius:5514  ;RFC3164 
*.*                @225.1.2.3      ;RFC3164,ttl=10 
*.*                @225.1.2.4      ;RFC5424,iface=eth2,ttl=3

Note: some may prefer a 224.0.0.0/4 interface route to direct outbound multicast, but sysklogd support this, less intrusive, option.

BUGS

The effects of multiple selectors are sometimes not intuitive. For example “mail.crit,*.err” will select “mail” facility messages at the level of “err” or higher, not at the level of “crit” or higher.

In networked environments, note that not all operating systems implement the same set of facilities. The facilities authpriv, cron, ftp, and ntp that are known to this implementation might be absent on the target system. Even worse, DEC UNIX uses facility number 10 (which is authpriv in this implementation) to log events for their AdvFS file system.