syslogd(8) System Manager's Manual syslogd(8)
syslogd - Logs system messages
/usr/sbin/syslogd [-f config_file] [-m mark_interval] [-d] [-s] [-e]
The syslogd daemon reads and logs messages to a set of files described in the /etc/syslog.conf configuration file.
Specifies the size of the socket receive buffer. Specifies a path to an alternate configuration file. Specifies the mark_interval. Turns
on the debugging feature. Specifies that events are to be posted to the Event Manager, EVM. Disables the posting of events to the con-
Each message logged consists of one line. A message can contain a priority code, marked by a number in angle braces at the beginning of
the line. Priorities are defined in the /usr/include/sys/syslog_pri.h file. The syslogd daemon reads from the domain socket /dev/log,
from an Internet domain socket specified in /etc/services, and from the special device /dev/klog, which reads kernel messages. The syslogd
daemon configures when it starts up and when it receives a hangup (SIGHUP) signal. To reconfigure the daemon, use the ps command to iden-
tify the daemon's process identifier (PID) and then use the following command: # kill -HUP <pid> (The PID of the daemon is also recorded in
/var/run/syslog.pid). This command causes the daemon to read the revised configuration file.
The /etc/syslog.conf file contains entries that specify the facility (the part of the system that generated the error), the error message
severity level, and the destination to which the syslogd daemon sends the messages. Each line of the /etc/syslog.conf file contains an
The following is an example of an /etc/syslog.conf file: # # syslogd config file # # facilities: kern user mail daemon auth syslog lpr
binary # priorities: emerg alert crit err warning notice info debug kern.debug /var/adm/syslog/kern.log user.debug
/var/adm/syslog/user.log daemon.debug /var/adm/syslog/daemon.log auth.debug /var/adm/syslog/auth.log syslog.debug
/var/adm/syslog/syslog.log mail,lpr.debug /var/adm/syslog/misc.log binary.err /var/adm/binary.errlog msgbuf.err
/var/adm/crash/msgbuf.savecore kern.debug /var/adm/messages kern.debug /dev/console *.emerg *
The facility and its severity level must be separated by a period (.). You can specify more than one facility on a line by separating them
with commas. You can specify more than one facility and severity level on a line by separating them with semicolons.
The facility and its severity level must be separated from the destination by one or more tabs (spaces are not allowed).
If you specify an asterisk (*) for a facility, messages generated by all parts of the system are logged. All messages of the specified
level and of a greater severity are logged. Blank lines and lines beginning with # (number sign) are ignored.
For example: *.emerg;mail,daemon.crit /var/adm/syslog/misc.log This line logs all facilities at the emerg level (and higher) and
the mail and daemon facilities at the crit (or higher) level to the /var/adm/syslog/misc.log destination file.
Known facilities and levels recognized by the syslogd daemon are those listed in /usr/include/sys/syslog_pri.h without the leading LOG_.
The additional facility mark has a message at priority LOG_INFO sent to it every 20 minutes (this may be changed with the -m flag). The
mark facility is not enabled by a facility field containing an * (asterisk). The level none may be used to disable a particular facility.
For example: *.debug;mail.none /var/adm/syslog/misc.log The previous entry sends all messages except mail messages to the
There are four possibilities for the message destination: A filename that begins with a leading / (slash). The syslogd daemon will open
the file in append mode. A hostname preceded by an @ (at sign). Selected messages are forwarded to the syslogd daemon on the named host.
A comma separated list of users. Selected messages are written to those users if they are logged in. An * (asterisk). Selected messages
are written to all users who are logged in.
For example: kern,mark.debug /dev/console *.notice;mail.info /var/adm/syslog/mail *.crit /var/adm/syslog/critical
kern.err @ucbarpa *.emerg * *.alert eric,kridle *.alert;auth.warning ralph The preceding configuration file logs messages as fol-
lows: Logs all kernel messages and 20 minute marks onto the system console Logs all notice (or higher) level messages and all mail system
messages except debug messages into the file /var/adm/syslog/mail Logs all critical messages into the /var/adm/syslog/critical file For-
wards kernel messages of error severity or higher to ucbarpa. Informs all users of any emergency messages, informs users eric and kridle
of any alert messages, and informs user ralph of any alert message or any warning message (or higher) from the authorization system.
Destinations for logged messages can be specified with full pathnames that begin with a leading / (slash). The syslogd daemon then opens
the specified file(s) in append mode. If the pathname to a syslogd daemon log file that is specified in the syslog.conf file as a
/var/adm/syslog.dated/file, the syslogd daemon inserts a date directory, and thus produces a day-by-day account of the messages received,
directly above file in the directory structure. Typically, you will want to divert messages separately, according to facility, into files
such as kern.log, mail.log, lpr.log, and debug.log. The file /var/adm/syslog.dated/current is a link to the most recent log file direc-
If some pathname other than /var/adm/syslog.dated/file is specified as the pathname to the logfile, the syslogd daemon does not create the
daily date directory. For example, if you specify /var/adm/syslog/mail.log (without the .dated suffix after syslog), the syslogd daemon
simply logs messages to the mail.log file and allows this file to grow indefinitely.
The syslogd daemon can recover the messages in the kernel syslog buffer that were not logged to the files specified in the /etc/syslog.conf
file because a system crash occurred. The savecore command copies the buffer recovered from the dump to the file specified in the "msg-
buf.err" entry in the /etc/syslog.conf file. When the syslogd daemon starts up, it looks for this file and, if it exists, processes and
then deletes the file.
The syslogd daemon acts as a central routing facility for messages whose formats are determined by the programs that produce them.
The syslogd daemon creates the /var/run/syslog.pid file if possible. The file contains a single line with its process ID. This can be used
to kill or reconfigure the syslogd daemon. For example, if you modify the syslog.conf file and you want to implement the changes, use the
following command: # kill -HUP 'cat /var/run/syslog.pid'
If a syslog.conf configuration file does not exist, the syslogd daemon uses the following defaults: *.ERR /dev/console
*.PANIC * The defaults log all error messages to the console and all panic messages (from the kernel) to all logged-in users. No
files are written.
To turn off printing of syslog messages to the console, please refer to the syslog(1) reference page.
Remote message Forwarding
The syslog has a remote message forwarding function. As a security feature, this capability is turned off by default. If you intend to con-
figure other hosts to forward syslog messages to a local host, use the su command to become superuser (root) and manually create the
/etc/syslog.auth file using a text editor on the local host.
The /etc/syslog.auth file specifies which remote hosts are allowed to forward syslog messages to the local host. Unless the domain host
name of a remote host is given in the local /etc/syslog.auth file, the local host will not log any messages from that remote host. Note
that if no /etc/syslog.auth file exists on the local host, then any remote hosts that can establish a network connection will be able to
log messages. See the syslog.auth(4) reference page for information.
Note that syslog is also a channel that is read by the Event Management utility (EVM). Messages are also converted to EVM events and noti-
fied to the EVM daemon. Refer to the EVM(8) reference page and System Administration for more information on event management.
Specifies the command path Configuration file. Process ID. Specifies what remote hosts can forward messages to the local host. Contains
configuration information that specifies what syslogd messages will be forwarded to the Event Manager, EVM. Enables and disables printing
to the console device. The name of the domain datagram log socket. Kernel log device. The directory where daily log subdirectories
reside. A link to the directory containing the most recent daily log files.
Commands: syslog(1), savecore(8), logger(1).
Files: syslog.auth(4), syslog.conf(4), syslog_evm.conf(4).
System Administration, Network Administration, and EVM(5) delim off