Annotated edit history of sysklogd(8) version 2, including all changes.
Rev Author # Line
1 perry 1 SYSKLOGD
2 !!!SYSKLOGD
3 NAME
4 SYNOPSIS
5 DESCRIPTION
6 OPTIONS
7 SIGNALS
8 CONFIGURATION FILE SYNTAX DIFFERENCES
9 SUPPORT FOR REMOTE LOGGING
10 OUTPUT TO NAMED PIPES (FIFOs)
11 INSTALLATION CONCERNS
12 SECURITY THREATS
13 DEBUGGING
14 FILES
15 BUGS
16 SEE ALSO
17 COLLABORATORS
18 ----
19 !!NAME
20
21
22 sysklogd - Linux system logging utilities.
23 !!SYNOPSIS
24
25
26 __syslogd__ [[ __-a__ ''socket'' ] [[ __-d__ ] [[
27 __-f__ ''config file'' ] [[ __-h__ ] [[ __-l__
28 ''hostlist'' ] [[ __-m__ ''interval'' ] [[ __-n__
29 ] [[ __-p__ ''socket'' ] [[ __-r__ ] [[ __-s__
30 ''domainlist'' ] [[ __-v__ ]
31 !!DESCRIPTION
32
33
34 __Sysklogd__ provides two system utilities that support
35 system logging and kernel message trapping. Support for
36 both internet and unix domain sockets enables this utility
37 package to handle both local and remote
38 logging.
39
40
41 System logging is provided by a version of syslogd(8)
42 derived from the stock BSD sources. Support for kernel
43 logging is provided by the klogd(8) utility which
44 allows kernel logging to be conducted in either a standalone
45 fashion or as a client of syslogd.
46
47
48 __Syslogd__ provides a kind of logging that many modern
49 programs use. Every logged message contains at least a time
50 and a hostname field, and normally a program name field too,
51 but that depends on how trustworthy the logging program
52 is.
53
54
55 While the __syslogd__ sources have been heavily modified,
56 a couple of notes are in order. First of all there has been
57 a systematic attempt to ensure that syslogd follows its
58 default, standard BSD behavior. The second important concept
59 to note is that this version of syslogd interacts
60 transparently with the version of syslog found in the
61 standard libraries. If a binary linked to the standard
62 shared libraries fails to function correctly we would like
63 an example of the anomalous behavior.
64
65
66 The main configuration file ''/etc/syslog.conf'' or an
67 alternative file, given with the __-f__ option, is read
68 at startup. Any lines that begin with the hash mark (``#'')
69 and empty lines are ignored. If an error occurs during
70 parsing the whole line is ignored.
71 !!OPTIONS
72
73
74 __-a__ ''socket''
75
76
77 Using this argument you can specify additional sockets that
78 __syslogd__ has to listen on. This is needed if
79 you're going to let some daemon run within a chroot()
80 environment. You can use up to 19 additional sockets. If
81 your environment needs even more, you have to increase the
82 symbol __MAXFUNIX__ within the syslogd.c source file. An
83 example for a chroot() daemon is described by the people
84 from OpenBSD at
85 http://www.psionic.com/papers/dns.html.
86
87
88 __-d__
89
90
91 Turns on debug mode. The daemon will then not fork(2)
92 to put itself in the background, but instead stays in the
93 foreground and writes a lot of debug information to the
94 current tty. See the DEBUGGING section
95 for more information.
96
97
98 __-f__ ''config file''
99
100
101 Specify an alternative configuration file instead of
102 ''/etc/syslog.conf'', which is the default.
103
104
105 __-h__
106
107
108 By default syslogd will not forward messages it receives
109 from remote hosts. Specifying this switch on the command
110 line will cause the log daemon to forward any remote
111 messages it receives to forwarding hosts which have been
112 defined.
113
114
115 __-l__ ''hostlist''
116
117
118 Specify a hostname that should be logged only with its
119 simple hostname and not the fqdn. Multiple hosts may be
120 specified using the colon (``:'') separator.
121
122
123 __-m__ ''interval''
124
125
126 The __syslogd__ logs a mark timestamp regularly. The
127 default ''interval'' between two ''-- MARK --'' lines
128 is 20 minutes. This can be changed with this option. Setting
129 the ''interval'' to zero turns it off
130 entirely.
131
132
133 __-n__
134
135
136 Avoid auto-backgrounding. This is needed especially if the
137 __syslogd__ is started and controlled by
138 init(8).
139
140
141 __-p__ ''socket''
142
143
144 You can specify an alternative unix domain socket instead of
145 ''/dev/log''.
146
147
148 __-r__
149
150
151 This option enables the facility to receive messages from
152 the network using an internet domain socket with the syslog
153 service (see services(5)). The default is to not
154 receive any messages from the network.
155
156
157 This option was introduced in version 1.3 of the sysklogd
158 package. Please note that the default behavior is the
159 opposite of how older versions behave, so you might have to
160 turn this on.
161
162
163 __-s__ ''domainlist''
164
165
166 Specify a domainname that should be stripped off before
167 logging. Multiple domains may be specified using the colon
168 (``:'') separator. Please be advised that no sub-domains may
169 be specified, only entire domains. For example, if __-s
170 north.de__ is specified and the logging host resolves to
171 satu.infodrom.north.de, no domain is cut; you will have
172 to specify two domains, like __-s
173 north.de:infodrom.north.de__.
174
175
176 __-v__
177
178
179 Print version and exit.
180 !!SIGNALS
181
182
183 __Syslogd__ reacts to a set of signals. You may easily
184 send a signal to __syslogd__ using the
185 following:
186
187
188 kill -SIGNAL `cat /var/run/syslogd.pid`
189
190
191 __SIGHUP__
192
193
194 This lets __syslogd__ perform a re-initialization. All
195 open files are closed, the configuration file (default is
196 ''/etc/syslog.conf'') will be reread and the
197 syslog(3) facility is started again.
198
199
200 __SIGTERM__
201
202
203 The __syslogd__ will die.
204
205
206 __SIGINT__, __SIGQUIT__
207
208
209 If debugging is enabled these are ignored, otherwise
210 __syslogd__ will die.
211
212
213 __SIGUSR1__
214
215
216 Switch debugging on/off. This option can only be used if
217 __syslogd__ is started with the __-d__ debug
218 option.
219
220
221 __SIGCHLD__
222
223
224 Wait for child processes, if any were spawned for wall'ing
225 messages.
226 !!CONFIGURATION FILE SYNTAX DIFFERENCES
227
228
229 __Syslogd__ uses a slightly different syntax for its
230 configuration file than the original BSD sources. Originally
231 all messages of a specific priority and above were forwarded
232 to the log file.
233
234
235 For example the following line caused ALL output from
236 daemons using the daemon facility (debug is the lowest
237 priority, so every higher priority also matches) to go into
238 ''/usr/adm/daemons'':
239
240
241 # Sample syslog.conf
242 daemon.debug /usr/adm/daemons
243
244
245 Under the new scheme this behavior remains the same. The
246 difference is the addition of four new specifiers, the
247 asterisk (__*__) wildcard, the equation sign (__=__),
248 the exclamation mark (__!__), and the minus sign
249 (__-__).
250
251
252 The __*__ specifies that all messages for the specified
253 facility are to be directed to the destination. Note that
254 this behavior is equivalent to specifying a priority level
255 of debug. Users have indicated that the asterisk notation is
256 more intuitive.
257
258
259 The __=__ wildcard is used to restrict logging to the
260 specified priority class. This allows, for example, routing
261 only debug messages to a particular logging
262 destination.
263
264
265 For example the following line in ''syslog.conf'' would
266 direct debug messages from all sources to the
267 ''/usr/adm/debug'' file.
268
269
270 # Sample syslog.conf
271 *.=debug /usr/adm/debug
272
273
274 The __!__ is used to exclude logging of the specified
275 priorities. This affects all (!) possibilities of specifying
276 priorities.
277
278
279 For example the following lines would log all messages of
280 the facility mail except those with the priority info to the
281 ''/usr/adm/mail'' file, and all messages from news.info
282 (inclusive) to news.crit (exclusive) to the
283 ''/usr/adm/news'' file.
284
285
286 # Sample syslog.conf
287 mail.*;mail.!=info /usr/adm/mail
288 news.info;news.!crit /usr/adm/news
289
290
291 You may also use it intuitively as an exception specifier; the
292 interpretation described above is simply inverted. Doing
293 that you may use
294
295 mail.none
296
297 or
298
299 mail.!*
300
301 or
302
303 mail.!debug
304
305 to skip every message that comes with a mail facility. There is much room to play with it. :-)
306
307
308 The __-__ may only be used to prefix a filename; it means
309 that the file is not sync'ed after every write to
310 it.
311
312
313 This may take some acclimatization for those individuals
314 used to the pure BSD behavior but testers have indicated
315 that this syntax is somewhat more flexible than the BSD
316 behavior. Note that these changes should not affect standard
2 perry 317 syslog.conf(5) files. You must specifically modify
1 perry 318 the configuration files to obtain the enhanced
319 behavior.
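
To see how the specifiers above combine, here is an added Python model of the selector syntax (example code written for this page, not code from the sysklogd project). It keeps one priority bitmask per facility, applies the ``;``-separated items of a selector from left to right with the __*__, __=__, __!__, __!=__ and __none__ meanings described above, records the __-__ (no-sync) prefix on file actions, and answers which actions a message of a given facility and priority reaches. The configuration text inside it is constructed from this page's own example lines; the ``@loghost`` name is made up, and facility and priority names follow syslog(3).

```python
"""Model of the syslog.conf selector syntax described above.

Added example for this page, not code from the sysklogd project.
One bitmask of priorities is kept per facility, and the ';'-separated
items of a selector are applied to it from left to right, which is
what lets 'mail.*;mail.!=info' mean "everything from mail except info".
"""

# Priorities in syslog(3) order: index 0 (emerg) is the most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
ALL_PRI = (1 << len(PRIORITIES)) - 1


def _pri_bit(name):
    """Bit for one priority name; raises ValueError for an unknown name."""
    return 1 << PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def parse_selector(selector):
    """Return {facility: bitmask} for a selector like 'news.info;news.!crit'."""
    masks = {fac: 0 for fac in FACILITIES}
    for item in filter(None, (s.strip() for s in selector.split(";"))):
        fac_part, dot, pri_part = item.rpartition(".")
        if not dot:
            raise ValueError(f"no priority in {item!r}")
        facs = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        unknown = [f for f in facs if f not in masks]
        if unknown:
            raise ValueError(f"unknown facility {unknown[0]!r} in {item!r}")

        negate = pri_part.startswith("!")          # '!' excludes instead of includes
        pri_part = pri_part[1:] if negate else pri_part
        single = pri_part.startswith("=")          # '=' means exactly this priority
        pri_part = pri_part[1:] if single else pri_part

        if pri_part == "none":                     # 'none' drops the facility entirely
            bits, negate = ALL_PRI, True
        elif pri_part == "*":                      # '*' is every priority
            bits = ALL_PRI
        elif single:
            bits = _pri_bit(pri_part)
        else:                                      # 'pri' means pri and everything more severe
            bits = (_pri_bit(pri_part) << 1) - 1

        for fac in facs:
            masks[fac] = masks[fac] & ~bits if negate else masks[fac] | bits
    return masks


def parse_config(text):
    """Parse syslog.conf text into rules. '#' lines and empty lines are
    ignored and, as the page says, a line with a parse error is dropped whole."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selector, action = parts
        try:
            masks = parse_selector(selector)
        except ValueError:
            continue
        sync = not action.startswith("-")          # '-' prefix: no sync after each write
        if not sync:
            action = action[1:]
        rules.append({"masks": masks, "action": action, "sync": sync})
    return rules


def destinations(rules, facility, priority):
    """Actions a message of (facility, priority) is delivered to, in config order."""
    bit = _pri_bit(priority)
    return [r["action"] for r in rules if r["masks"].get(facility, 0) & bit]


# Constructed sample built from the example lines on this page.
SAMPLE_CONF = """\
# Sample syslog.conf (constructed for this example)
daemon.debug            /usr/adm/daemons
*.=debug                /usr/adm/debug
mail.*;mail.!=info      /usr/adm/mail
news.info;news.!crit    /usr/adm/news
*.info;mail.none        -/usr/adm/messages
kern.=debug             |/usr/adm/debug
*.*                     @loghost
this.line.is.broken
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF)
    for fac, pri in [("mail", "info"), ("mail", "err"), ("news", "crit"),
                     ("news", "warning"), ("kern", "debug")]:
        print(f"{fac}.{pri:<8} -> {destinations(rules, fac, pri)}")
```

The point to check against the text is the two example lines: ``mail.*;mail.!=info`` leaves every mail priority except info set, and ``news.info;news.!crit`` first sets info and everything more severe, then clears crit and above, so only err, warning, notice and info remain. The broken last line of the sample is silently dropped, which is the behaviour the DESCRIPTION section describes and the BUGS section complains about.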
320 !!SUPPORT FOR REMOTE LOGGING
321
322
323 These modifications provide network support to the syslogd
324 facility. Network support means that messages can be
325 forwarded from one node running syslogd to another node
326 running syslogd where they will be actually logged to a disk
327 file.
328
329
330 To enable this you have to specify the __-r__ option on
331 the command line. The default behavior is that
332 __syslogd__ won't listen to the network.
333
334
335 The strategy is to have syslogd listen on a unix domain
336 socket for locally generated log messages. This behavior
337 will allow syslogd to inter-operate with the syslog found in
338 the standard C library. At the same time syslogd listens on
339 the standard syslog port for messages forwarded from other
340 hosts. To have this work correctly the services(5)
341 files (typically found in ''/etc'') must have the
342 following entry:
343
344
345 syslog 514/udp
346
347
348 If this entry is missing __syslogd__ can neither receive
349 remote messages nor send them, because the UDP port can't be
350 opened. Instead __syslogd__ will die immediately, printing
351 an error message.
352
353
354 To cause messages to be forwarded to another host, replace
355 the normal file name in the ''syslog.conf'' line with the
356 name of the host to which the messages are to be sent,
357 prepended with an @.
358
359
360 For example, to forward __ALL__ messages to a remote host
361 use the following ''syslog.conf'' entry:
362
363
364 # Sample syslogd configuration file to forward all
365 # messages to a remote host.
366 *.* @hostname
367
368 To forward all __kernel__ messages to a remote host the configuration file would be as follows:
369
370 # Sample configuration file to forward all kernel
371 # messages to a remote host.
372 kern.* @hostname
373
374
375 If the remote hostname cannot be resolved at startup,
376 because the name-server might not be accessible (it may be
377 started after syslogd) you don't have to worry.
378 __Syslogd__ will retry to resolve the name ten times and
379 then complain. Another possibility to avoid this is to place
380 the hostname in ''/etc/hosts''.
381
382
383 With normal __syslogd__s you would get syslog loops if
384 you send out messages that were received from a remote host
385 to the same host (or, more complicated, to a third host that
386 sends them back to the first one, and so on). In my domain
387 (Infodrom Oldenburg) we accidentally got one and our disks
388 filled up with the same single message. :-(
389
390
391 To avoid this in the future, no messages that were
392 received from a remote host are sent out to another (or the
393 same) remote host anymore. If there are scenarios where this
394 doesn't make sense, please drop me (Joey) a
395 line.
396
397
398 If the remote host is located in the same domain as the
399 host __syslogd__ is running on, only the simple hostname
400 will be logged instead of the whole fqdn.
401
402
403 In a local network you may provide a central log server to
404 have all the important information kept on one machine. If
405 the network consists of different domains you don't have to
406 put up with logging fully qualified names instead of
407 simple hostnames: use the strip-domain
408 feature __-s__ of this server. You can tell the
409 __syslogd__ to strip off several domains other than the
410 one the server is located in and only log simple
411 hostnames.
412
413
414 Using the __-l__ option there's also a possibility to
415 define single hosts as local machines. This, too, results in
416 logging only their simple hostnames and not the
417 fqdns.
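
The __-s__ and __-l__ behaviour described in the paragraphs above (and under OPTIONS), worked through as an added Python example; this is not sysklogd's own code. It assumes that a domain from the __-s__ list is compared as a whole against the part of the sender's name after its first dot, which is what the north.de example states, and it treats a __-l__ entry as matching either the full name or the simple name (an assumption; the page does not say which form is expected). The domain ``example.org`` and the hostnames other than the page's own satu.infodrom.north.de are constructed.

```python
"""How a remote sender's name is reduced to a simple hostname by the
-s (strip domain) and -l (local host) options, as described on this page.
Added example, not code from the sysklogd project."""


def parse_list(arg):
    """Split the colon-separated value of -s or -l, e.g. 'north.de:infodrom.north.de'."""
    return tuple(part for part in arg.split(":") if part)


def logged_hostname(sender, local_domain, strip_domains=(), local_hosts=()):
    """Return the name syslogd would write to the log for a message from `sender`.

    local_domain  -- domain of the host syslogd itself runs on
    strip_domains -- the -s list; a whole domain, never a sub-domain, is compared
    local_hosts   -- the -l list; assumption: an entry may name the host either
                     as its fqdn or as its simple name
    """
    simple, dot, domain = sender.partition(".")
    if not dot:
        return sender                        # nothing to strip from a simple name
    if domain == local_domain:               # same domain as the server: simple name
        return simple
    if domain in strip_domains:              # only the entire domain after the first dot matches
        return simple
    if sender in local_hosts or simple in local_hosts:
        return simple
    return sender                            # otherwise the fqdn is logged


if __name__ == "__main__":
    # The page's own example: -s north.de alone does nothing for satu.infodrom.north.de
    for opt in ("north.de", "north.de:infodrom.north.de"):
        logged = logged_hostname("satu.infodrom.north.de", "example.org", parse_list(opt))
        print(f"-s {opt:<26} -> {logged}")
```

Because only the domain directly after the hostname is compared, ``-s north.de`` strips ``mail.north.de`` to ``mail`` but leaves ``satu.infodrom.north.de`` untouched; adding ``infodrom.north.de`` to the list is what makes the second case work, exactly as the OPTIONS text says.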
418
419
420 The UDP socket used to forward messages to remote hosts or
421 to receive messages from them is only opened when it is
422 needed. In releases prior to 1.3-23 it was always opened,
423 even when it was not used for reading or forwarding
424 messages.
425 !!OUTPUT TO NAMED PIPES (FIFOs)
426
427
428 This version of syslogd has support for logging output to
429 named pipes (fifos). A fifo or named pipe can be used as a
430 destination for log messages by prepending a pipe symbol
431 (``|'') to the name of the file. This is handy for
432 debugging. Note that the fifo must be created with the
433 mkfifo command before syslogd is started.
434
435
436 The following configuration file routes debug messages from
437 the kernel to a fifo:
438
439
440 # Sample configuration to route kernel debugging
441 # messages ONLY to /usr/adm/debug which is a
442 # named pipe.
443 kern.=debug |/usr/adm/debug
444 !!INSTALLATION CONCERNS
445
446
447 There is probably one important consideration when
448 installing this version of syslogd. This version of syslogd
449 is dependent on proper formatting of messages by the syslog
450 function. The functioning of the syslog function in the
451 shared libraries changed somewhere in the region of
452 libc.so.4.[[2-4].n. The specific change was to null-terminate
453 the message before transmitting it to the ''/dev/log''
454 socket. Proper functioning of this version of syslogd is
455 dependent on null-termination of the message.
456
457
458 This problem will typically manifest itself if old
459 statically linked binaries are being used on the system.
460 Binaries using old versions of the syslog function will
461 cause empty lines to be logged followed by the message with
462 the first character in the message removed. Relinking these
463 binaries to newer versions of the shared libraries will
464 correct this problem.
465
466
467 Both the syslogd(8) and the klogd(8) can
468 either be run from init(8) or started as part of the
469 rc.* sequence. If it is started from init the option
470 ''-n'' must be set, otherwise you'll get tons of syslog
471 daemons started. This is because init(8) depends on
472 the process ID.
473 !!SECURITY THREATS
474
475
476 There is the potential for the syslogd daemon to be used as
477 a conduit for a denial of service attack. Thanks go to John
478 Morrison (jmorriso@rflab.ee.ubc.ca) for alerting me to this
479 potential. A rogue program(mer) could very easily flood the
480 syslogd daemon with syslog messages resulting in the log
481 files consuming all the remaining space on the filesystem.
482 Activating logging over the inet domain sockets will of
483 course expose a system to risks outside of programs or
484 individuals on the local machine.
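
The protective methods listed below keep a flood from taking the whole machine down; the following added Python example (written for this page, not part of sysklogd) shows the complementary detection side. It parses the standard syslogd line layout (timestamp, hostname, program[pid]: message) and flags a source that repeats one identical message many times within a short window, which is the pattern a runaway program or a forwarding loop produces. The log lines inside it are constructed, and the year passed to the date parser is an assumption because syslog timestamps carry none.

```python
"""Spotting the log flood the SECURITY THREATS section warns about:
a source repeating one message until the log filesystem fills.
Added example for this page, not part of sysklogd; the log lines are
constructed and use the standard syslogd line layout
(timestamp, hostname, program[pid]: message)."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=1999):
    """Split one syslog line; returns None for lines that do not fit
    (for example the '-- MARK --' lines syslogd writes itself).
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def find_floods(lines, threshold=5, window_seconds=60):
    """Report identical messages (same host, program and text) seen at
    least `threshold` times inside any `window_seconds` span.
    Returns a list of (host, prog, msg, peak_count)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # key -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["prog"], rec["msg"])
        times = recent[key]
        times.append(rec["time"])
        while rec["time"] - times[0] > window:   # drop timestamps that fell out of the window
            times.popleft()
        if len(times) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(times))
    return [(*key, count) for key, count in peaks.items()]


# Constructed sample: one program repeating the same error six times in two seconds.
SAMPLE_LOG = """\
Jan 12 10:00:01 satu sshd[412]: Accepted publickey for joey from 192.0.2.7 port 40112
Jan 12 10:00:02 satu cron[88]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 10:00:03 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:00:03 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:00:04 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:00:04 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:00:05 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:00:05 satu noisy[999]: cannot open /tmp/noisy.lock: Permission denied
Jan 12 10:20:00 satu -- MARK --
Jan 12 11:00:02 satu cron[88]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for host, prog, msg, count in find_floods(SAMPLE_LOG.splitlines()):
        print(f"flood: {count}x from {host} {prog}: {msg}")
```

The cron line recurs too, but an hour apart, so it never accumulates inside the window; the ``-- MARK --`` line has no program field and is skipped rather than mis-parsed. Running this over a log that lives on the isolated filesystem of method 2 is a cheap way to learn about a flood before the space is gone.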
485
486
487 There are a number of methods of protecting a
488 machine:
489
490
491 1.
492
493
494 Implement kernel firewalling to limit which hosts or
495 networks have access to the 514/UDP socket.
496
497
498 2.
499
500
501 Logging can be directed to an isolated or non-root
502 filesystem which, if filled, will not impair the
503 machine.
504
505
506 3.
507
508
509 The ext2 filesystem can be used which can be configured to
510 limit a certain percentage of a filesystem to usage by root
511 only. __NOTE__ that this will require syslogd to be run
512 as a non-root process. __ALSO NOTE__ that this will
513 prevent usage of remote logging since syslogd will be unable
514 to bind to the 514/UDP socket.
515
516
517 4.
518
519
520 Disabling inet domain sockets will limit risk to the local
521 machine.
522
523
524 5.
525
526
527 Use step 4 and if the problem persists and is not secondary
528 to a rogue program/daemon get a 3.5 ft (approx. 1 meter)
529 length of sucker rod* and have a chat with the user in
530 question.
531
532
533 Sucker rod def. -- 3/4, 7/8 or 1in. hardened steel rod, male
534 threaded on each end. Primary use in the oil industry in
535 Western North Dakota and other locations to pump 'suck' oil
536 from oil wells. Secondary uses are for the construction of
537 cattle feed lots and for dealing with the occasional
538 recalcitrant or belligerent individual.
539 !!DEBUGGING
540
541
542 When debugging is turned on using the __-d__ option,
543 __syslogd__ will be very verbose, writing much of what
544 it does on stdout. Whenever the configuration file is reread
545 and re-parsed you'll see a table corresponding to the
546 internal data structure. This table consists of four
547 fields:
548
549
550 ''number''
551
552
553 This field contains a serial number starting at zero. This
554 number represents the position in the internal data
555 structure (i.e. the array). If one number is left out then
556 there might be an error in the corresponding line in
557 ''/etc/syslog.conf''.
558
559
560 ''pattern''
561
562
563 This field is tricky and represents the internal structure
564 exactly. Every column stands for a facility (refer to
565 syslog(3)). As you can see, there are still some
566 facilities left free for future use; only the leftmost are
567 used. Every field in a column represents the priorities
568 (refer to syslog(3)).
569
570
571 ''action''
572
573
574 This field describes the particular action that takes place
575 whenever a message is received that matches the pattern.
2 perry 576 Refer to the syslog.conf(5) manpage for all possible
1 perry 577 actions.
578
579
580 ''arguments''
581
582
583 This field shows additional arguments to the actions in the
584 last field. For file-logging this is the filename for the
585 logfile; for user-logging this is a list of users; for
586 remote logging this is the hostname of the machine to log
587 to; for console-logging this is the used console; for
588 tty-logging this is the specified tty; wall has no
589 additional arguments.
590 !!FILES
591
592
593 ''/etc/syslog.conf''
594
595
596 Configuration file for __syslogd__. See
2 perry 597 syslog.conf(5) for exact information.
1 perry 598
599
600 ''/dev/log''
601
602
603 The Unix domain socket from which local syslog messages
604 are read.
605
606
607 ''/var/run/syslogd.pid''
608
609
610 The file containing the process id of
611 __syslogd__.
612 !!BUGS
613
614
615 If an error occurs in one line the whole rule is
616 ignored.
617
618
619 __Syslogd__ doesn't change the filemode of opened
620 logfiles at any stage of processing. If a file is created it is
621 world-readable. If you want to avoid this, you have to
622 create it and change permissions on your own. This could be
623 done in combination with rotating logfiles using the
624 savelog(8) program that is shipped in the
625 __smail__ 3.x distribution. Remember that it might be a
626 security hole if everybody is able to read auth.* messages
627 as these might contain passwords.
628 !!SEE ALSO
629
630
2 perry 631 syslog.conf(5), klogd(8), logger(1),
1 perry 632 syslog(2), syslog(3), services(5),
633 savelog(8)
634 !!COLLABORATORS
635
636
637 __Syslogd__ is taken from BSD sources, Greg Wettstein
638 (greg@wind.enjellic.com) performed the port to Linux, Martin
639 Schulze (joey@linux.de) fixed some bugs and added several
640 new features. __Klogd__ was originally written by Steve
641 Lord (lord@cray.com), Greg Wettstein made major
642 improvements.
643
644
645 Dr. Greg Wettstein
646
647
648 Enjellic Systems Development
649
650
651 Oncology Research Division Computing Facility
652
653
654 Roger Maris Cancer Center
655
656
657 Fargo, ND
658
659
660 greg@wind.enjellic.com
661
662
663 Stephen Tweedie
664
665
666 Department of Computer Science
667
668
669 Edinburgh University, Scotland
670
671
672 sct@dcs.ed.ac.uk
673
674
675 Juha Virtanen
676
677
678 jiivee@hut.fi
679
680
681 Shane Alderton
682
683
684 shane@ion.apana.org.au
685
686
687 Martin Schulze
688
689
690 Infodrom Oldenburg
691
692
693 joey@linux.de
694 ----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.