SYSLOGD(8) System Manager's Manual SYSLOGD(8)

log systems messages

syslogd [
] [
-a addr[/len][:port]
] [
-a name[:port]
] [
-b addr[:port]
] [
-b :port
] [
-C file
] [
-f file
] [
-m interval
] [
-P file
] [
-p sock
] [
-r size[:count]

The syslogd utility reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file.
syslogd support RFC3164 and RFC5424 style log messages for both local and remote logging using Internet and UNIX domain sockets. Differences in style is shown below.
Note, for remote logging the messages are prefixed with ‘<PRI>’ or ‘<PRI>1’, respectively.
syslogd is derived from BSD sources, today FreeBSD is the reference for syslogd and NetBSD for the new syslogp(3) API, which fully supports the new features of RFC5424. Please note; 1) the intention is to follow standard BSD syslogd behavior, 2) despite having a stand-alone syslog(3), and syslogp(3) API in libsyslog, syslogd interacts transparently with the standard C library syslog(3) API, as implemented in GLIBC, musl libc, and uClibc.
When syslogd starts up it reads its main configuration file /etc/syslog.conf, or an alternate file given with the -f file option. For details on how to configure syslog priority (facility.severity) filtering, see syslog.conf(5).

By default, syslogd reads messages from the UNIX domain socket /dev/log, from an Internet domain socket specified in /etc/services, and from /dev/kmsg (to read kernel messages). The command line options defined below can be used to change this behavior.
The options are as follows:
Force syslogd to use IPv4 addresses only.
Force syslogd to use IPv6 addresses only.
Tells syslogd not to interfere with 8-bit data. Normally syslogd replaces C1 control characters (ISO 8859 and Unicode characters) with their “M-x” equivalent. Note, this option does not change the way syslogd alters control characters (see iscntrl(3)). They are always replaced with their “^x” equivalent.
Ordinarily, syslogd tries to send the message to only one address even if the host has more than one A or AAAA record. If this option is specified, syslogd tries to send the message to all addresses.
Allow peers to log to this syslogd using UDP datagrams. Multiple -a options may be specified. Any -a option is ignored if the -s option is also specified.
The peer argument may be any of the following:
Accept datagrams from IP address, which can be specified as an IPv4 address or as an IPv6 address enclosed with ‘[’ and ‘]’. If specified, service is the name or port number of an UDP service (see services(5)) the source packet must belong to. A service of ‘*’ accepts UDP packets from any source port. The default service is ‘syslog’. If address is an IPv4 address, a missing prefix len will be substituted by the historic class A or class B netmasks if address belongs in the address range of class A or B, respectively, or by' /24 otherwise. If address is an IPv6 address, a missing prefix len will be substituted by 128.
Accept datagrams where the reverse address lookup yields domainname for the sender address. The meaning of service is as explained above. domainname can contain special characters of a shell-style pattern such as ‘*’.
Bind to a specific address and/or port. By default, syslogd listens on all interfaces on UDP port 514, unless started with the -s option. Multiple -b options may be specified to bind to several addresses and/or ports.
The name argument may be any of the following:
The address can be specified as a hostname or an IP address, and the port as a service name or port number. If an IPv6 address is specified, it should be enclosed with ‘[’ and ‘]’.
Service name or UDP port number. The default service is ‘syslog’ (UDP), port 512.
File to use for caching last read kernel sequence number from /dev/kmsg, default: /run/syslogd.cache. If syslogd cannot write to, or read from, this file it will cause repeated kernel log messages when restarting syslogd.
Note: syslogd relies on this file being removed at system reboot. The default location depends on the system and how syslogd was configured.
Put syslogd into debugging mode. This is probably only of use to developers working on syslogd. See the DEBUGGING section for more information.
Specify the path name of an alternate configuration file; the default is /etc/syslog.conf.
Run syslogd in the foreground, rather than going into daemon mode. This is useful if some other process uses fork(2) and exec(3) to run syslogd, and wants to monitor when and how it exits.
When logging remote messages use hostname from the message (if supplied) instead of using address from which the message was received.
Disable kernel logging. Useful in container use-cases where kernel logs har handled by the host system.
Disable the translation of messages received with facility “kern” to facility “user”. Usually the “kern” facility is reserved for messages read directly from /dev/kmsg.
Select the number of minutes between “mark” messages; the default is 20 minutes. Setting this to zero disables log marks.
Disable DNS query for every request.
Specify the path name of an alternate log socket to be used instead; the default is /dev/log. When a single -p option is specified, the default path name is replaced with the specified one. When two or more -p options are specified, the remaining path names are treated as additional log sockets.
Specify an alternative file in which to store the process ID. The default is /var/run/
Enable built-in support for log rotation of files listed in /etc/syslog.conf. This feature is particularly useful for small and embedded systems that do not want the overhead of cron(8) and logrotate(8).
The option controls the max size and number of backup files kept by the built-in log-rotation. When present on the command line it activates log rotation of all files with the given maximum size. It is also possible to control log rotate per log file, see syslog.conf(5) for details.
The size argument takes optional modifiers; k, M, G. E.g., 100M is 100 MiB, 42k is 42 kiB, etc.
The optional number of files kept include both gzipped files and the first rotated (not zipped) file. The default for this, when omitted, is 5.
Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines.
Secure mode can also be set in syslog.conf(5) using the secure_mode config option. This is more flexible since you can change the option and simply send SIGHUP to activate the changes, instead of having to restart syslogd.
Note: the command line option always wins, so it must be removed for syslogd to consider the .conf file option instead.
Always use the local time and date for messages received from the network, instead of the timestamp field supplied in the message by the remote host. This is useful if some of the originating hosts cannot keep time properly or are unable to generate a correct timestamp.
Keep (trust) kernel timestamp.
On Linux systems the /dev/kmsg timestamp is a monotonic clock, in microseconds, relative to the boot of the system. This timestamp is, among other things, not adjusted for suspend/resume cycles, meaning the kernel logs can start to go out of sync with the rest of the system. This in turn can make it really hard to correlate events.
syslogd by default only trusts the kernel timestamp when starting up the first time. As soon as the the kernel ring buffer has been emptied, syslogd uses its own current time for each received kernel log message. This option disables that behavior.
Show program version and exit.
The syslogd utility reads its configuration file when it starts up and whenever it receives a hangup signal. For information on the format of the configuration file, see syslog.conf(5).
The syslogd utility creates its process ID file, by default /var/run/, and stores its process ID there. This can be used to kill or reconfigure syslogd.
The message sent to syslogd should consist of a single line. The message can contain a priority code, which should be a preceding decimal number in angle braces, for example, ‘⟨5⟩’. This priority code should map into the priorities defined in the include file <sys/syslog.h>. To log with RFC5424 style messages the priority code must be directly followed by the version number, this is all handled by libsyslog, which is the NetBSD syslogp(3) API included with the sysklogd project.
The date and time are taken from the received message. If the format of the timestamp field is incorrect, time obtained from the local host is used instead. This can be overridden by the -T flag.

There are a number of methods of protecting a machine:
  1. Disabling inet domain sockets will limit risk to the local machine. Use the secure mode flag -s for this.
  2. When secure mode cannot be used, only allow certain remote peers using the -a PEER flag.
  3. Implement kernel firewalling to limit which hosts or networks have access to the 514/UDP socket.
  4. Logging can be directed to an isolated or non-root filesystem which, if filled, will not impair the machine.
  5. Most modern UNIX filesystems can be configured to limit a certain percentage of a filesystem to usage by root only.

When debug mode (-d) is enabled syslogd only the first init() is shown. syslogd then prompts you to send SIGUSR1 to continue debugging. The output is very verbose and is probably only useful to developers.
When syslogd receives SIGHUP it reloads its configuration file, and at the end of the init() sequence all log targets are listed with their respective priority per facility, the action and the log format used:
Bit mapped priorities listed per facility, one priority per facility, starting with kernel as the left-most column.
FILE, remote sink (FORW), WALL, etc. See syslog.conf(5) for details.
The action argument and the log format used. E.g., for FILE actions the log filename, for FORW action the remote host:port. The format is one of; BSD, RFC5424, or RFC3164. The latter is the default except for FORW actions.

syslogd supports the following signals:
This lets syslogd perform a re-initialization. All open files are closed, the configuration file (see above) is reread and the syslog(3) facility is started again.
This tells syslogd to exit gracefully. Flushing any log files to disk.
In debug mode these are ignored. In normal operation they act as SIGTERM.
In debug mode this switches debugging on/off. In normal operation it is ignored.
syslogd will rotate all files for which rotation is configured when receiving this signal.
For convenience the PID is by default stored in /var/run/ A script can look for the existence of this file to determine if syslogd is running, and then send signals:
kill -SIGNAL `cat /var/run/`

configuration file. See syslog.conf(5) for more information.
conventional sub-directory of .conf files read by syslogd.
conventional name for default rules.
default process ID file
cache of last read sequence number from /dev/kmsg. Please note, syslogd relies on this file being removed at system reboot.
name of the UNIX domain datagram log socket
kernel log device

logger(1), syslog(3), syslogp(3), services(5), syslog.conf(5),

syslogd was originally ported to Linux by Greg Wettstein <> and the project was named sysklogd when a separate log daemon, klogd, for Linux kernel messages was added.
It was the default syslogd in Debian and Ubuntu, maintained by Martin Schulze <>, who fixed some bugs and added several new features. When Debian replaced sysklogd with rsyslogd the project was abandoned.
In 2018 Joachim Wiberg <> picked up maintenance. In 2019 the project was revived with fresh DNA strands from both FreeBSD and NetBSD, klogd was removed in v2.1 and the project was then re-licensed under the 3-clause BSD license, like its brethren.
The syslogd utility first appeared in 4.3BSD.

The ability to log messages received in UDP packets is equivalent to an unauthenticated remote disk-filling service, and should probably be disabled (-s) by default. (The shipped systemd unit file disables this by default.) See also SECURITY for more information on this. A future version of syslogd may include support for TLS, RFC5425, which includes authentication of both senders and receivers. For now there is the -a option, which is strongly recommended when operating as a remote sink.
The -a matching algorithm does not pretend to be very efficient; use of numeric IP addresses is faster than domain name comparison. Since the allowed peer list is being walked linearly, peer groups where frequent messages are being anticipated from should be put early into the -a list.
As mentioned in the DESCRIPTION, syslogd transparently supports the standard C library syslog(3) API. If a binary linked to the standard C libraries does not operate correctly, this should be reported as a bug to the sysklogd issue tracker
May 5, 2021 sysklogd