syslogd(ADM)
syslogd -- log system messages
Syntax
/etc/syslogd [ -fconfigfile ]
[ -mmarkinterval ] [ -d ] [ -r ]
Description
bcheckrc(ADM)
calls syslogd at system startup to start the logging
of local and remote system error messages:
- kernel error messages are written to /usr/adm/messages
- device initialization messages are written to /usr/adm/hwconfig
- information and debugging messages are written to /usr/adm/syslog by default (as defined in /etc/syslog.conf)
- local messages are written to /var/adm/syslog by default (as defined in /etc/syslog.conf)
syslogd reads and logs messages to a set of
files described by the configuration file /etc/syslog.conf.
syslogd writes each line of an input message
as one line of output.
A message can contain a priority represented
by the symbolic pair facility.level,
or as a number calculated as (facility*8)+level
(see the section
``Format of /etc/syslog.conf'').
The priority is placed in angle braces at the beginning of the
message line.
Symbolic and numeric values for both facilities and
priority levels are defined in /usr/include/sys/syslog.h.
syslogd can read from:
- the kernel error logger device file, /dev/error, to log kernel error messages
- the FIFO device, /dev/logfifo, for local communication
- when the -r option is specified, a remote host using an Internet domain socket bound to port 514; see services(SFF)
- a local process using a UNIX domain socket bound to /dev/syslog
If possible,
syslogd creates the file /etc/syslog.pid
which contains syslogd's process ID.
This file can be used to kill or reconfigure syslogd.
syslogd rereads /etc/syslog.conf
if it receives a hangup signal (SIGHUP; see
kill(C)).
It also attempts to open any input sources that
are not currently open.
If a log file is removed, syslogd stops logging
any further messages there.
The file must be
re-created and syslogd restarted with a
SIGHUP:
kill -HUP `cat /etc/syslog.pid`
The termination signal (SIGTERM)
kills syslogd altogether:
kill -TERM `cat /etc/syslog.pid`
syslogd understands the following options:
-d
    Turn on debugging.
-fconfigfile
    Specify an alternate configuration file.
-mmarkinterval
    Select the number of minutes between mark messages.
-r
    Service messages from remote systems (via syslog port).
Format of /etc/syslog.conf
Lines in the default configuration file,
/etc/syslog.conf,
have the following format:
selector[;selector...] action
The selectors determine the message
priorities to which the line applies.
The selectors are separated by semicolons.
The action field is separated
from the selectors by one or more tabs.
Blank lines and lines beginning with ``#'' are ignored.
A selector is a list of facilities corresponding to
the subsystems that generated the message, and a priority
level at or above which the action is to be applied to
messages from these subsystems:
facility[,facility...].priority
The facilities are separated by commas.
The list of facilities and the priority
level are separated by a single period (.).
If a facility is specified as an asterisk (*),
this selects all facilities whose messages are at or above
the specified priority level.
Facilities
Facilities recognized by syslogd are defined in
the array facilitynames
in /usr/include/sys/syslog.h:
auth
    Messages generated by programs that authenticate users'
    primary and secondary authorizations.
authpriv
    Messages generated by programs that authenticate users'
    system privileges.
cron
    Messages from cron.
daemon
    Messages from system daemons.
kern
    Messages from the kernel.
local0 -- local7
    Messages reserved for local use.
lpr
    Messages from the line printer spooling system.
mail
    Messages from the mail system.
mark
    Timemarks generated internally by syslogd every 20 minutes
    at priority LOG_INFO. The interval may be changed using
    the -m option.
news
    Messages from the network news system.
syslog
    Messages generated internally by syslogd.
user
    Messages generated by user processes. This is the default facility
    if none is specified in /etc/syslog.conf.
uucp
    Messages generated by programs that deal with UUCP.
syslog(SLIB).
Priority levels
Priority levels recognized by syslogd are defined in
the array prioritynames in /usr/include/sys/syslog.h.
They are listed here in order of highest to lowest severity:
emerg
    Highest severity: a panic condition indicating that the system is unusable.
    This is normally broadcast to all users.
alert
    A condition that should be corrected immediately, such as a
    corrupted system database.
crit
    Critical conditions, for example, hard device errors.
err
    Error conditions.
warning
    Warning conditions.
notice
    Conditions that are not error conditions,
    but may require special handling.
info
    Information only.
debug
    Lowest severity: information normally of use
    only when debugging a program.
none
    Disable messages from the associated facilities.
Actions
The action field describes where the message is
to be logged if the line is selected. action can
take one of the following forms:
pathname
    Open the specified file or device file in append mode;
    the file must be specified by an absolute pathname
    beginning with a leading slash (/).
@hostname
    Forward selected messages to syslogd on the
    host named by hostname.
user[,user]...
    Write selected messages to the comma-separated list of users
    if they are logged in.
*
    Write selected messages to all logged-in users.
Examples
Messages from several facilities at different priority
levels may be selected. Semicolons are used to separate the
facilities that are at different priority levels.
This example selects messages from all facilities
at the emerg level, and messages from
the mail and daemon facilities at the
crit level or higher:
*.emerg;mail,daemon.crit	action
Send all messages except mail messages to the
specified absolute pathname:
*.debug;mail.none	pathname
Log all kernel messages and 20 minute timemarks to the
system console:
kern,mark.debug /dev/console
Log all notice (or higher) level messages and
all mail system messages except debug messages to
/usr/adm/syslog:
*.notice;mail.info	/usr/adm/syslog
Log all critical or higher priority messages
to /usr/adm/critical:
*.crit	/usr/adm/critical
Forward error or higher priority messages from the
kernel to laidbak:
kern.err @laidbak
Inform all users of any emergency or higher priority messages:
*.emerg	*
Inform the users wmv and stevea of any
alert or higher priority messages:
*.alert	wmv,stevea
Inform the user maf of any alert or higher priority
message, or any warning message or higher priority from the
authorization subsystem:
*.alert;auth.warning	maf
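
The following is an added example, not part of the original manual page or of syslogd itself: it decodes the numeric `<priority>` prefix and reports which actions in a configuration would receive a given facility.level message, which is a quick way to confirm that security-relevant messages (for example auth) actually reach a log. It assumes the facility and level codes of the classic BSD <sys/syslog.h>, that a later selector on a line overrides an earlier one for the same facility, and it omits the internal mark facility; /usr/adm/all is a hypothetical path.

```python
import re

# Codes from the classic BSD <sys/syslog.h>; assumed to match SCO's header.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, **{f"local{i}": 16 + i for i in range(8)}}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
FAC_NAMES = {code: name for name, code in FACILITIES.items()}
LVL_NAMES = {code: name for name, code in LEVELS.items()}

def decode_pri(line):
    """Split '<N>text' into (facility, level, text), N = facility*8 + level."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("no <priority> prefix")
    fac, lvl = divmod(int(m.group(1)), 8)
    if fac not in FAC_NAMES:
        raise ValueError(f"unknown facility code {fac}")
    return FAC_NAMES[fac], LVL_NAMES[lvl], m.group(2)

def parse_rule(line):
    """Return (thresholds, action) for a syslog.conf line, None if ignored."""
    if not line.strip() or line.startswith("#"):
        return None
    selectors, action = re.split(r"\t+", line.strip(), maxsplit=1)
    thresholds = {}                   # facility -> least severe level accepted
    for sel in selectors.split(";"):  # a later selector overrides an earlier one
        facs, level = sel.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            thresholds[fac] = None if level == "none" else LEVELS[level]
    return thresholds, action.strip()

def actions_for(conf, facility, level):
    """List the actions that receive a facility.level message, in file order."""
    hits = []
    for rule in filter(None, map(parse_rule, conf.splitlines())):
        limit = rule[0].get(facility)
        if limit is not None and LEVELS[level] <= limit:
            hits.append(rule[1])
    return hits

# Constructed sample: the page's example lines; /usr/adm/all is a hypothetical path.
SAMPLE_CONF = ("# constructed sample\n"
               "*.notice;mail.info\t/usr/adm/syslog\n"
               "*.crit\t/usr/adm/critical\n"
               "kern.err\t@laidbak\n"
               "*.alert;auth.warning\tmaf\n"
               "*.debug;mail.none\t/usr/adm/all\n")
```
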
Limitations
The maximum line length that can be read from the configuration
file is 1023 characters.
The maximum message line length is 119 characters.
Files
/dev/error
    character device used to read kernel error messages
/dev/logfifo
    FIFO device used to read local logging requests
/etc/syslog.conf
    configuration file
/etc/syslog.pid
    syslogd process ID
/dev/syslog
    special device to which syslogd binds UNIX domain sockets
/usr/adm/messages
    log for error messages
/usr/adm/hwconfig
    log for device initialization messages
/usr/adm/syslog
    default log file
See also
bcheckrc(ADM),
error(HW),
logger(C),
syslog(SLIB)
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003