SYSLOGD(8) System Manager's Manual SYSLOGD(8)


syslogdlog systems messages


syslogd [-?46AdFknsTv] [-a addr[/len][:port]] [-a name[:port]] [-b addr[:port]] [-b :port] [-f file] [-m interval] [-P file] [-p sock] [-r size[:count]]


The syslogd utility reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file.
syslogd support RFC3164 and RFC5424 style log messages for both local and remote logging using Internet and UNIX domain sockets. Differences in style is shown below.
Aug 24 05:14:15 myproc[8710]: Kilroy was here.
2003-08-24T05:14:15.000003-07:00 myproc 8710 - - Kilroy was here.
Note, for remote logging the messages are prefixed with ‘<PRI>’ or ‘<PRI>1’, respectively.
syslogd is derived from BSD sources, today FreeBSD is the reference for syslogd and NetBSD for the new syslogp(3) API, which fully supports the new features of RFC5424. Please note; 1) the intention is to follow standard BSD syslogd behavior, 2) despite having a stand-alone syslog(3), and syslogp(3) API in library “libsyslog”, syslogd interacts transparently with the standard C library syslog(3) API, as implemented in GLIBC, musl libc, and uClibc.
When syslogd starts up it reads its main configuration file /etc/syslog.conf, or an alternate file given with the -f file option. For details on how to configure syslog priority (facility.severity) filtering, see syslog.conf(5).


By default, syslogd reads messages from the UNIX domain socket /dev/log, from an Internet domain socket specified in /etc/services, and from /dev/kmsg (to read kernel messages). The command line options defined below can be used to change this behavior.
The options are as follows:
Force syslogd to use IPv4 addresses only.
Force syslogd to use IPv6 addresses only.
Ordinarily, syslogd tries to send the message to only one address even if the host has more than one A or AAAA record. If this option is specified, syslogd tries to send the message to all addresses.
-a address[/len][:service] | -a domainname[:service]
Allow peers to log to this syslogd using UDP datagrams. Multiple -a options may be specified. Any -a option is ignored if the -s option is also specified.
The peer argument may be any of the following:
Accept datagrams from IP address, which can be specified as an IPv4 address or as an IPv6 address enclosed with ‘[’ and ‘]’. If specified, service is the name or port number of an UDP service (see services(5)) the source packet must belong to. A service of ‘*’ accepts UDP packets from any source port. The default service is ‘syslog’. If address is an IPv4 address, a missing prefix len will be substituted by the historic class A or class B netmasks if address belongs in the address range of class A or B, respectively, or by' /24 otherwise. If address is an IPv6 address, a missing prefix len will be substituted by 128.
Accept datagrams where the reverse address lookup yields domainname for the sender address. The meaning of service is as explained above. domainname can contain special characters of a shell-style pattern such as ‘*’.
-b address[:service]
-b :service
Bind to a specific address and/or port. The address can be specified as a hostname, and the port as a service name. If an IPv6 address is specified, it should be enclosed with ‘[’ and ‘]’. The default service is ‘syslog’. This option can be specified multiple times to bind to multiple addresses and/or ports.
Put syslogd into debugging mode. This is probably only of use to developers working on syslogd. See the DEBUGGING section for more information.
-f file
Specify the path name of an alternate configuration file; the default is /etc/syslog.conf.
Run syslogd in the foreground, rather than going into daemon mode. This is useful if some other process uses fork(2) and exec(3) to run syslogd, and wants to monitor when and how it exits.
Disable the translation of messages received with facility “kern” to facility “user”. Usually the “kern” facility is reserved for messages read directly from /dev/kmsg.
-m interval
Select the number of minutes between “mark” messages; the default is 20 minutes. Setting this to zero disables log marks.
Disable DNS query for every request.
-p socket
Specify the path name of an alternate log socket to be used instead; the default is /dev/log. When a single -p option is specified, the default path name is replaced with the specified one. When two or more -p options are specified, the remaining path names are treated as additional log sockets.
-P file
Specify an alternative file in which to store the process ID. The default is /var/run/
-r size[:count]
Enable built-in support for log rotation of files listed in /etc/syslog.conf. This feature is particularly useful for small and embedded systems that do not want the overhead of cron(8) and logrotate(8).
The option controls the max size and number of backup files kept by the built-in log-rotation. When present on the command line it activates log rotation of all files with the given maximum size. It is also possible to control log rotate per log file, see syslog.conf(5) for details.
The size argument takes optional modifiers; k, M, G. E.g., 100M is 100 MiB, 42k is 42 kiB, etc.
The optional number of files kept include both gzipped files and the first rotated (not zipped) file. The default for this, when omitted, is 5.
Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines.
Always use the local time and date for messages received from the network, instead of the timestamp field supplied in the message by the remote host. This is useful if some of the originating hosts cannot keep time properly or are unable to generate a correct timestamp.
Verbose logging. If specified once, the numeric facility and priority are logged with each locally-written message. If specified more than once, the names of the facility and priority are logged with each locally-written message.
This option only affects the formatting of RFC 3164 messages. Messages formatted according to RFC 5424 always include a facility/priority number.
The syslogd utility reads its configuration file when it starts up and whenever it receives a hangup signal. For information on the format of the configuration file, see syslog.conf(5).
The syslogd utility creates its process ID file, by default /var/run/, and stores its process ID there. This can be used to kill or reconfigure syslogd.
The message sent to syslogd should consist of a single line. The message can contain a priority code, which should be a preceding decimal number in angle braces, for example, ‘⟨5⟩’. This priority code should map into the priorities defined in the include file <sys/syslog.h>. To log with RFC5424 style messages the priority code must be directly followed by the version number, this is all handled by the library “libsyslog”, which is the NetBSD syslogp(3) API included with the sysklogd project.
The date and time are taken from the received message. If the format of the timestamp field is incorrect, time obtained from the local host is used instead. This can be overridden by the -T flag.


There are a number of methods of protecting a machine:
  1. Disabling inet domain sockets will limit risk to the local machine. Use the secure mode flag -s for this.
  2. When secure mode cannot be used, only allow certain remote peers using the -a PEER flag.
  3. Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.
  4. Logging can be directed to an isolated or non-root filesystem which, if filled, will not impair the machine.
  5. Most modern UNIX filesystems can be configured to limit a certain percentage of a filesystem to usage by root only.


When debug mode (-d) is enabled syslogd only the first init() is shown. syslogd then prompts you to send SIGUSR1 to continue debugging. The output is very verbose and is probably only useful to developers.
When syslogd receives SIGHUP it reloads its configuration file, and at the end of the init() sequence all log targets are listed with their respective priority per facility, the action and the log format used:
Bit mapped priorities listed per facility, one priority per facility, starting with kernel as the left-most column.
FILE, remote sink (FORW), WALL, etc. See syslog.conf(5) for details.
The action argument and the log format used. E.g., for FILE actions the log filename, for FORW action the remote host:port. The format is one of; BSD, RFC5424, or RFC3164. The latter is the default except for FORW actions.


syslogd supports the following signals:
This lets syslogd perform a re-initialization. All open files are closed, the configuration file (see above) is reread and the syslog(3) facility is started again.
This tells syslogd to exit gracefully. Flushing any log files to disk.
In debug mode these are ignored. In normal operation they act as SIGTERM.
In debug mode this switches debugging on/off. In normal operation it is ignored.
For convenience the PID is by default stored in /var/run/ A script can look for the existence of this file to determine if syslogd is running, and then send signals:
kill -SIGNAL `cat /var/run/`


configuration file. See syslog.conf(5) for more information.
Conventional sub-directory of .conf files read by syslogd.
Conventional name for default rules.
default process ID file
name of the UNIX domain datagram log socket
kernel log device


logger(1), syslog(3), syslogp(3), services(5), syslog.conf(5),


syslogd was originally ported to Linux by Greg Wettstein <> and the project was named sysklogd when a separate log daemon, klogd, for Linux kernel messages was added.
It was the default syslogd in Debian and Ubuntu, maintained by Martin Schulze <>, who fixed some bugs and added several new features. When Debian replaced sysklogd with rsyslogd the project was abandoned.
In 2018 Joachim Wiberg <> picked up maintenance. In 2019 the project was revived with fresh DNA strands from both FreeBSD and NetBSD, klogd was removed in v2.1 and the project was then re-licensed under the 3-clause BSD license, like its brethren.
The syslogd utility first appeared in 4.3BSD.


The ability to log messages received in UDP packets is equivalent to an unauthenticated remote disk-filling service, and should probably be disabled (-s) by default. (The shipped systemd unit file disables this by default.) See also SECURITY for more information on this. A future version of syslogd may include support for TLS, RFC5425, which includes authentication of both senders and receivers. For now there is the -a option, which is strongly recommended when operating as a remote sink.
The -a matching algorithm does not pretend to be very efficient; use of numeric IP addresses is faster than domain name comparison. Since the allowed peer list is being walked linearly, peer groups where frequent messages are being anticipated from should be put early into the -a list.
As mentioned in the DESCRIPTION, syslogd transparently supports the standard C library syslog(3) API. If a binary linked to the standard C libraries does not operate correctly, this should be reported as a bug to the sysklogd issue tracker
August 31, 2020 sysklogd v2.1