utility reads and logs messages to the
system console, log files, other machines and/or users as specified by its
support RFC3164 and RFC5424 style log
messages for both local and remote logging using Internet and UNIX domain
sockets. Differences in style is shown below.
24 05:14:15 192.0.2.1 myproc: Kilroy was here.
192.0.2.1 myproc 8710 - - Kilroy was here.
Note, for remote logging the messages are prefixed with
is derived from BSD sources, today
is the reference for
the new syslogp(3)
API, which fully supports the new features of RFC5424. Please note; 1) the
intention is to follow standard BSD syslogd
behavior, 2) despite having a stand-alone
interacts transparently with the standard
C library syslog(3)
API, as implemented in GLIBC, musl libc, and uClibc.
starts up it reads its main
configuration file /etc/syslog.conf
, or an
alternate file given with the -f
option. For details on how to configure
syslog priority (facility.severity) filtering, see
By default, syslogd
reads messages from the
, from an Internet domain socket
specified in /etc/services
, and from
(to read kernel messages). The command
line options defined below can be used to change this behavior.
The options are as follows:
- Force syslogd to use IPv4
- Force syslogd to use IPv6
- Ordinarily, syslogd tries to
send the message to only one address even if the host has more than one A
or AAAA record. If this option is specified,
syslogd tries to send the message to all
- Allow peers to log to this syslogd using UDP datagrams.
Multiple -a options may be specified. Any
-a option is ignored if the
-s option is also specified.
The peer argument may be any of the following:
- Accept datagrams from IP
address, which can be specified as an
IPv4 address or as an IPv6 address enclosed with ‘[’ and
‘]’. If specified, service is the name or port number of
an UDP service (see
the source packet must belong to. A service of
*’ accepts UDP packets from any
source port. The default service is
address is an IPv4 address, a missing
prefix len will be substituted by the
historic class A or class B netmasks if
address belongs in the address range
of class A or B, respectively, or by'
/24 otherwise. If
address is an IPv6 address, a missing
prefix len will be substituted by
- Accept datagrams where the reverse address lookup
yields domainname for the sender
address. The meaning of service is as
explained above. domainname can
contain special characters of a shell-style pattern such as
- Bind to a specific address and/or port. The address can be
specified as a hostname, and the port as a service name. If an IPv6
address is specified, it should be enclosed with
]’. The default
syslog’. This option can be
specified multiple times to bind to multiple addresses and/or ports.
- Put syslogd into debugging
mode. This is probably only of use to developers working on
syslogd. See the
DEBUGGING section for more
- Specify the path name of an alternate configuration file;
the default is /etc/syslog.conf.
- Run syslogd in the foreground,
rather than going into daemon mode. This is useful if some other process
uses fork(2) and
exec(3) to run
syslogd, and wants to monitor when and how it
- Disable the translation of messages received with facility
“kern” to facility “user”. Usually the
“kern” facility is reserved for messages read directly from
- Select the number of minutes between “mark”
messages; the default is 20 minutes. Setting this to zero disables log
- Disable DNS query for every request.
- Specify the path name of an alternate log socket to be used
instead; the default is /dev/log. When a
single -p option is specified, the default
path name is replaced with the specified one. When two or more
-p options are specified, the remaining path
names are treated as additional log sockets.
- Specify an alternative file in which to store the process
ID. The default is /var/run/syslog.pid.
- Enable built-in support for log rotation of files listed in
/etc/syslog.conf. This feature is
particularly useful for small and embedded systems that do not want the
The option controls the max size and number of backup files kept by the
built-in log-rotation. When present on the command line it activates log
rotation of all files with the given maximum size. It is also possible to
control log rotate per log file, see
The size argument takes optional modifiers; k, M, G. E.g., 100M is 100 MiB,
42k is 42 kiB, etc.
The optional number of files kept include both gzipped files and the first
rotated (not zipped) file. The default for this, when omitted, is 5.
- Operate in secure mode. Do not log messages from remote
machines. If specified twice, no network socket will be opened at all,
which also disables logging to remote machines.
- Always use the local time and date for messages received
from the network, instead of the timestamp field supplied in the message
by the remote host. This is useful if some of the originating hosts cannot
keep time properly or are unable to generate a correct timestamp.
- Verbose logging. If specified once, the numeric facility
and priority are logged with each locally-written message. If specified
more than once, the names of the facility and priority are logged with
each locally-written message.
This option only affects the formatting of RFC 3164 messages. Messages
formatted according to RFC 5424 always include a facility/priority
utility reads its configuration file
when it starts up and whenever it receives a hangup signal. For information on
the format of the configuration file, see
utility creates its process ID file, by
, and stores its
process ID there. This can be used to kill or reconfigure
The message sent to syslogd
should consist of a
single line. The message can contain a priority code, which should be a
preceding decimal number in angle braces, for example,
‘⟨5⟩’. This priority code should map into the
priorities defined in the include file
To log with RFC5424 style messages the priority code must be directly followed
by the version number, this is all handled by the
, which is
included with the sysklogd
The date and time are taken from the received message. If the format of the
timestamp field is incorrect, time obtained from the local host is used
instead. This can be overridden by the -T
There are a number of methods of protecting a machine:
- Disabling inet domain sockets will limit risk to the local
machine. Use the secure mode flag -s for
- When secure mode cannot be used, only allow certain remote
peers using the -a
- Implement kernel firewalling to limit which hosts or
networks have access to the 514/UDP socket.
- Logging can be directed to an isolated or non-root
filesystem which, if filled, will not impair the machine.
- Most modern UNIX filesystems can be configured to limit a
certain percentage of a filesystem to usage by root only.
When debug mode (-d
) is enabled
only the first
() is shown.
then prompts you to send
to continue debugging. The output is
very verbose and is probably only useful to developers.
it reloads its configuration file, and
at the end of the init
() sequence all log targets
are listed with their respective priority per facility, the action and the log
- Bit mapped priorities listed per facility, one priority per
facility, starting with kernel as the left-most column.
- FILE, remote sink (FORW), WALL, etc. See
- The action argument and the log format used. E.g., for FILE
actions the log filename, for FORW action the remote host:port. The format
is one of; BSD, RFC5424, or RFC3164. The latter is the default except for
supports the following signals:
- This lets syslogd perform a
re-initialization. All open files are closed, the configuration file (see
above) is reread and the
facility is started again.
- This tells syslogd to exit
gracefully. Flushing any log files to disk.
- INT, QUIT
- In debug mode these are ignored. In normal operation they
act as SIGTERM.
- In debug mode this switches debugging on/off. In normal
operation it is ignored.
For convenience the PID is by default stored in
. A script can look for the
existence of this file to determine if syslogd
running, and then send signals:
kill -SIGNAL `cat /var/run/syslogd.pid`
- configuration file. See
for more information.
- Conventional sub-directory of
.conf files read by
- Conventional name for default rules.
- default process ID file
- name of the UNIX domain datagram
- kernel log device
was originally ported to Linux by
and the project was named sysklogd
separate log daemon, klogd
, for Linux kernel
messages was added.
It was the default syslogd
in Debian and Ubuntu,
maintained by Martin Schulze
who fixed some bugs and added several new features. When Debian replaced
the project was abandoned.
In 2018 Joachim Wiberg
picked up maintenance. In 2019 the project was revived with fresh DNA strands
from both FreeBSD
was removed in v2.1 and the project was
then re-licensed under the 3-clause BSD license, like its brethren.
utility first appeared in
The ability to log messages received in UDP packets is equivalent to an
unauthenticated remote disk-filling service, and should probably be disabled
) by default. (The shipped systemd unit file
disables this by default.) See also
for more information on
this. A future version of syslogd
support for TLS, RFC5425, which includes authentication of both senders and
receivers. For now there is the -a
is strongly recommended when operating as a remote sink.
matching algorithm does not pretend to be
very efficient; use of numeric IP addresses is faster than domain name
comparison. Since the allowed peer list is being walked linearly, peer groups
where frequent messages are being anticipated from should be put early into
As mentioned in the
transparently supports the standard C
API. If a binary linked to the standard C libraries does not operate
correctly, this should be reported as a bug to the